ComplianceAsCode · Mab879 · Jun 15, 2023 · May 30, 2023 · May 23, 2023 · May 25, 2023
diff --git a/components/chrony.yml b/components/chrony.yml
@@ -2,6 +2,7 @@ name: chrony
 packages:
 - chrony
 rules:
+- chronyd_configure_pool_and_server
 - chronyd_run_as_chrony_user
 - chronyd_server_directive
 - chronyd_specify_remote_server

diff --git a/components/firewalld.yml b/components/firewalld.yml
@@ -12,6 +12,7 @@ rules:
 - firewalld-backend
 - firewalld_loopback_traffic_restricted
 - firewalld_loopback_traffic_trusted
+- network_implement_access_control
 - package_firewalld_installed
 - package_firewalld_removed
 - service_firewalld_disabled

diff --git a/components/iptables.yml b/components/iptables.yml
@@ -11,6 +11,7 @@ rules:
 - package_iptables-persistent_installed
 - package_iptables-persistent_removed
 - package_iptables-services_installed
+- package_iptables-services_removed
 - package_iptables_installed
 - service_ip6tables_enabled
 - service_iptables_enabled
diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md
@@ -439,6 +439,8 @@ type: platform
 
 benchmark_root: "../../linux_os/guide"
 
+components_root: "../../components"
+
 profiles_root: "./profiles"
 
 pkg_manager: "yum"
@@ -1254,3 +1256,5 @@ YAML file keys:
 - `changelog` (list) - records substantial changes in the given component that affected rules and remediations (optional)
 
 Each rule in the benchmark in the `/linux_os/guide` directory must be a member of at least 1 component.
+
+Products specify a path to the directory with component files by the `components_root` key in the `product.yml`.
diff --git a/products/example/product.yml b/products/example/product.yml
@@ -4,6 +4,7 @@ type: platform
 
 benchmark_id: EXAMPLE
 benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
 
 profiles_root: "./profiles"
 

diff --git a/products/fedora/product.yml b/products/fedora/product.yml
@@ -4,6 +4,7 @@ type: platform
 
 benchmark_id: FEDORA
 benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
 
 profiles_root: "./profiles"
 

diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
@@ -4,6 +4,7 @@ type: platform
 
 benchmark_id: RHEL-7
 benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
 
 profiles_root: "./profiles"
 

diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
@@ -4,6 +4,7 @@ type: platform
 
 benchmark_id: RHEL-8
 benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
 
 profiles_root: "./profiles"
 

diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
@@ -4,6 +4,7 @@ type: platform
 
 benchmark_id: RHEL-9
 benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
 
 profiles_root: "./profiles"
 

diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
@@ -2,6 +2,7 @@
 from __future__ import print_function
 
 from copy import deepcopy
+import collections
 import datetime
 import json
 import os
@@ -12,6 +13,7 @@
 
 
 import ssg.build_remediations
+import ssg.components
 from .build_cpe import CPEALLogicalTest, CPEALCheckFactRef, ProductCPEs
 from .constants import (XCCDF12_NS,
                         OSCAP_BENCHMARK,
@@ -657,6 +659,7 @@ class Rule(XCCDFEntity, Templatable):
         rationale=lambda: "",
         severity=lambda: "",
         references=lambda: dict(),
+        components=lambda: list(),
         identifiers=lambda: dict(),
         ocil_clause=lambda: None,
         ocil=lambda: None,
@@ -1331,13 +1334,45 @@ def __init__(
         self.stig_references = None
         if stig_reference_path:
             self.stig_references = ssg.build_stig.map_versions_to_rule_ids(stig_reference_path)
+        self.rule_to_components = self._load_components()
+
+    def _load_components(self):
+        if "components_root" not in self.env_yaml:
+            return None
+        product_dir = self.env_yaml["product_dir"]
+        components_root = self.env_yaml["components_root"]
+        components_dir = os.path.abspath(
+            os.path.join(product_dir, components_root))
+        components = ssg.components.load(components_dir)
+        rule_to_components = ssg.components.rule_component_mapping(
+            components)
+        return rule_to_components
 
     def _process_values(self):
         for value_yaml in self.value_files:
             value = Value.from_yaml(value_yaml, self.env_yaml)
             self.all_values[value.id_] = value
             self.loaded_group.add_value(value)
 
+    def _process_rule(self, rule):
+        if self.rule_to_components is not None and rule.id_ not in self.rule_to_components:
+            raise ValueError(
+                "The rule '%s' isn't mapped to any component! Insert the "
+                "rule ID at least once to the rule-component mapping." %
+                (rule.id_))
+        prodtypes = parse_prodtype(rule.prodtype)
+        if "all" not in prodtypes and self.product not in prodtypes:
+            return False
+        self.all_rules[rule.id_] = rule
+        self.loaded_group.add_rule(
+            rule, env_yaml=self.env_yaml, product_cpes=self.product_cpes)
+        rule.normalize(self.env_yaml["product"])
+        if self.stig_references:
+            rule.add_stig_references(self.stig_references)
+        if self.rule_to_components is not None:
+            rule.components = self.rule_to_components[rule.id_]
+        return True
+
     def _process_rules(self):
         for rule_yaml in self.rule_files:
             try:
@@ -1346,16 +1381,8 @@ def _process_rules(self):
             except DocumentationNotComplete:
                 # Happens on non-debug build when a rule is "documentation-incomplete"
                 continue
-            prodtypes = parse_prodtype(rule.prodtype)
-            if "all" not in prodtypes and self.product not in prodtypes:
+            if not self._process_rule(rule):
                 continue
-            self.all_rules[rule.id_] = rule
-            self.loaded_group.add_rule(
-                rule, env_yaml=self.env_yaml, product_cpes=self.product_cpes)
-
-            rule.normalize(self.env_yaml["product"])
-            if self.stig_references:
-                rule.add_stig_references(self.stig_references)
 
     def _get_new_loader(self):
         loader = BuildLoader(
@@ -1364,6 +1391,8 @@ def _get_new_loader(self):
         loader.sce_metadata = self.sce_metadata
         # Do it this way so we only have to parse the STIG references once.
         loader.stig_references = self.stig_references
+        # Do it this way so we only have to parse the component metadata once.
+        loader.rule_to_components = self.rule_to_components
         return loader
 
     def export_group_to_file(self, filename):

diff --git a/ssg/components.py b/ssg/components.py
@@ -0,0 +1,49 @@
+from __future__ import print_function
+
+from collections import defaultdict
+import os
+
+import ssg.yaml
+
+
+def load(components_dir):
+    components = {}
+    for component_filename in os.listdir(components_dir):
+        components_filepath = os.path.join(components_dir, component_filename)
+        component = Component(components_filepath)
+        components[component.name] = component
+    return components
+
+
+def __reverse_mapping(components, attribute):
+    mapping = defaultdict(list)
+    for component in components.values():
+        for item in getattr(component, attribute):
+            mapping[item].append(component.name)
+    return mapping
+
+
+def package_component_mapping(components):
+    return __reverse_mapping(components, "packages")
+
+
+def template_component_mapping(components):
+    return __reverse_mapping(components, "templates")
+
+
+def group_component_mapping(components):
+    return __reverse_mapping(components, "groups")
+
+
+def rule_component_mapping(components):
+    return __reverse_mapping(components, "rules")
+
+
+class Component:
+    def __init__(self, filepath):
+        yaml_data = ssg.yaml.open_raw(filepath)
+        self.name = yaml_data["name"]
+        self.rules = yaml_data["rules"]
+        self.packages = yaml_data["packages"]
+        self.templates = yaml_data.get("templates", [])
+        self.groups = yaml_data.get("groups", [])
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -361,8 +361,15 @@ if(PYTHON_VERSION_MAJOR GREATER 2)
     set_tests_properties("install-vm" PROPERTIES LABELS quick)
 endif()
 
+if(SSG_PRODUCT_RHEL9)
 add_test(
     NAME "automatus-sanity"
     COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/tests/automatus.py" "--help"
 )
 set_tests_properties("automatus-sanity" PROPERTIES LABELS quick)
+
+add_test(
+    NAME "components"
+    COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_components.py" --build-dir "${CMAKE_BINARY_DIR}" --source-dir "${CMAKE_SOURCE_DIR}" --product "rhel9"
+)
+endif()
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
@@ -6,6 +6,7 @@ basic_properties_derived: true
 benchmark_id: FEDORA
 benchmark_root: ../../linux_os/guide
 chrony_conf_path: /etc/chrony.conf
+components_root: ../../components
 cpes:
 - fedora_40:
     check_id: installed_OS_is_fedora

@@ -12,6 +12,7 @@ centos_major_version: '7'
 centos_pkg_release: 53a7ff4b
 centos_pkg_version: f4a80eb5
 chrony_conf_path: /etc/chrony.conf
+components_root: ../../components
 cpes:
 - rhel7:
     check_id: installed_OS_is_rhel7

@@ -12,6 +12,7 @@ centos_major_version: '8'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
 chrony_conf_path: /etc/chrony.conf
+components_root: ../../components
 cpes:
 - rhel8:
     check_id: installed_OS_is_rhel8

@@ -12,6 +12,7 @@ centos_major_version: '9'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
 chrony_conf_path: /etc/chrony.conf
+components_root: ../../components
 cpes:
 - rhel9:
     check_id: installed_OS_is_rhel9