Remove Support for OVAL 5.10

.github/workflows/gate.yaml

@@ -148,17 +148,6 @@ jobs:
           CC_TEST_REPORTER_ID: e67e068471d32b63f8e9561dba8f6a3f84dcc76b05ebfd98e44ced1a91cff854
         with:
           coverageLocations: build/tests/coverage.xml:coverage.py
-      - name: Build 5.10 (sanity only)
-        run: |-
-          ./build_product \
-              -d \
-              --oval '5.10' \
-              rhel7 \
-              rhel8 \
-              rhel9
-      - name: Validate OVAL Build 5.10
-        working-directory: ./build
-        run: ctest -j2 -R validate-ssg-rhel[0-9]+-oval.xml --output-on-failure -E unique-stigids
       - name: Validate gitmailmap
         run: egrep "\S" .mailmap | egrep -v '^#' | git check-mailmap --stdin
 

.github/workflows/release.yaml

@@ -28,17 +28,6 @@ jobs:
       - name: Build Package Source
         run: make -j2 package_source
         working-directory: ./build
-      - name: Create Build Dir (OVAL 5.10)
-        run: mkdir -p build-oval510
-      - name: Configure (OVAL 5.10)
-        run: cmake -DSSG_TARGET_OVAL_MINOR_VERSION:STRING=10 ..
-        working-directory: ./build-oval510
-      - name: Build All (OVAL 5.10)
-        run: make -j2 all
-        working-directory: ./build-oval510
-      - name: Build ZIP (OVAL 5.10)
-        run: make -j2 zipfile
-        working-directory: ./build-oval510
       - name: Set Version
         id: set_version
         run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//} && echo ::set-output name=ver::${GITHUB_REF/refs\/tags\/v/}
@@ -63,7 +52,5 @@ jobs:
             build/scap-security-guide-*.tar.bz2.sha512
             build/zipfile/scap-security-guide-*.zip
             build/zipfile/scap-security-guide-*.zip.sha512
-            build-oval510/zipfile/scap-security-guide-*.zip
-            build-oval510/zipfile/scap-security-guide-*.zip.sha512
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stabilize.yaml

@@ -40,26 +40,3 @@ jobs:
         # Performs linkcheck across all build tables and html guides to ensure there are no broken references.
         run: ctest -j2 -R linkchecker --output-on-failure
         working-directory: ./build
-
-  stabilize-fedora-scapval-12:
-    name: Build and Run SCAPVal on SCAP 1.2 Content (Container)
-    runs-on: ubuntu-latest
-    container:
-      image: fedora:latest
-    steps:
-      - name: Install Deps
-        run: dnf install -y cmake ninja-build openscap-utils python3-pyyaml python3-jinja2 python3-pytest ansible expat libxslt python3-ansible-lint linkchecker java-1.8.0-openjdk unar wget python-unversioned-command
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Configure (OVAL 5.10)
-        run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DSSG_TARGET_OVAL_MINOR_VERSION:STRING=10 ..
-        working-directory: ./build
-      - name: Build All (OVAL 5.10)
-        run: make -j2 all
-        working-directory: ./build
-      - name: Get SCAPVAL
-        run: wget $SCAPVAL_URL/$SCAPVAL_FILENAME.zip
-      - name: Unpack SCAPVAL
-        run: mkdir -p /opt/scapval/ && unar $SCAPVAL_FILENAME.zip -o /opt/scapval/
-      - name: Run SCAP Validation (1.2)
-        run: $GITHUB_WORKSPACE/tests/run_scapval.py --scap-version 1.2 --scapval-path /opt/scapval/$SCAPVAL_FILENAME/$SCAPVAL_JAR --build-dir $GITHUB_WORKSPACE/build

CMakeLists.txt

@@ -38,7 +38,7 @@ set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}"
 set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.")
 
 set(SSG_TARGET_OVAL_MAJOR_VERSION "5" CACHE STRING "Which major version of OVAL are we targetting. Only 5 is supported at the moment.")
-set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Possible choices are 10 or 11.")
+set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Only 11 is supported at the moment.")
 
 set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
 
@@ -145,11 +145,12 @@ cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage
 find_package(OpenSCAP REQUIRED)
 
 if (SSG_TARGET_OVAL_MAJOR_VERSION EQUAL "5" AND SSG_TARGET_OVAL_VERSION_MINOR EQUAL "11" AND NOT "${OSCAP_V_OUTPUT}" MATCHES "OVAL Version: 5.11")
-    message(FATAL_ERROR "Your version of OpenSCAP does not support OVAL 5.11, please switch the OVAL target version to 5.10 or lower. $ cmake -DSSG_TARGET_OVAL_MINOR_VERSION=10 ../")
+    message(FATAL_ERROR "Your version of OpenSCAP does not support OVAL 5.11, please upgrade to a newer version of OpenSCAP.")
 endif()
 
-if (NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.10" AND NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    message(WARNING "You are targetting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.10 and 5.11 only!")
+if (NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
+    message(WARNING "You are targetting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
+
 endif()
 
 # OCP4 requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support
@@ -304,11 +305,7 @@ add_subdirectory("tests")
 
 # Targets 'stats', 'profile-stats' and 'zipfile' need to be added
 # before any product because they will receive dependencies from products added
-if(SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}")
-else()
-    ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}-oval-${SSG_TARGET_OVAL_VERSION}")
-endif()
+ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}")
 
 add_custom_target(stats)
 add_custom_target(profile-stats)
@@ -408,11 +405,8 @@ endif()
 
 # ZIP only contains source datastreams and kickstarts, people who
 # want sources to build from should get the tarball instead.
-if(SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
-    ssg_build_zipfile("scap-security-guide-${SSG_VERSION}")
-else()
-    ssg_build_zipfile("scap-security-guide-${SSG_VERSION}-oval-${SSG_TARGET_OVAL_VERSION}")
-endif()
+ssg_build_zipfile("scap-security-guide-${SSG_VERSION}")
+
 
 ssg_define_guide_and_table_tests()
 

linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml

@@ -1,6 +1,3 @@
-{{%- if target_oval_version == [5, 10] -%}}
-{{# there is no good alternative for symlink_test for OVAL 5.10 #}}
-{{%- else -%}}
 <def-group>
   <definition class="compliance" id="xwindows_runlevel_target" version="1">
     {{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
@@ -20,5 +17,3 @@
     <unix:canonical_path operation="pattern match">^(/usr)?/lib/systemd/system/multi-user.target$</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{%- endif -%}}
-

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml

@@ -1,6 +1,3 @@
-{{%- if target_oval_version == [5, 10] -%}}
-{{# there is no good alternative for symlink_test for OVAL 5.10 #}}
-{{%- else -%}}
 <def-group>
   <definition class="compliance" id="disable_ctrlaltdel_reboot" version="1">
     {{{ oval_metadata("By default, the system will reboot when the
@@ -21,4 +18,4 @@
     <unix:canonical_path>/dev/null</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{%- endif -%}}
+

linux_os/guide/system/accounts/enable_authselect/oval/shared.xml

@@ -5,7 +5,6 @@
     "smartcard": "smartcard-auth",
     "system": "system-auth",
 } -%}}
-{{% if target_oval_version >= [5, 11] %}}
 <def-group>
 	<definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Check that authselect is enabled") }}}
@@ -34,4 +33,3 @@
   </unix:symlink_state>
   {{% endfor %}}
 </def-group>
-{{% endif %}}

linux_os/guide/system/logging/ensure_rtc_utc_configuration/oval/shared.xml

@@ -1,4 +1,3 @@
-{{% if target_oval_version >= [5, 11] %}}
 <def-group oval_version="5.11">
   <definition class="compliance" id="ensure_rtc_utc_configuration" version="1">
    {{{ oval_metadata("Ensure RTC is using UTC as its time base") }}}
@@ -20,4 +19,3 @@
     <unix:canonical_path operation="pattern match">^(/usr)?/share/zoneinfo(/Etc)?/(GMT|UTC)$</unix:canonical_path>
   </unix:symlink_state>
 </def-group>
-{{% endif %}}

linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml

@@ -50,10 +50,7 @@
         <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
                    test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
       </criteria>
-
-{{% if target_oval_version >= [5, 11] %}}
       <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
-{{% endif %}}
     </criteria>
   </definition>
 

linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml

@@ -1,6 +1,3 @@
-{{%- if target_oval_version == [5, 11] -%}}
-{{# there is no good alternative for symlink_object for OVAL 5.10 #}}
-{{% set backend_krb5_config = "/etc/crypto-policies/back-ends/krb5.config" %}}
 <def-group>
   <definition class="compliance" id="configure_kerberos_crypto_policy" version="2">
     {{{ oval_metadata("Kerberos should be configured to use the system-wide crypto policy setting.") }}}
@@ -49,4 +46,3 @@
   </local_variable>
 
 </def-group>
-{{%- endif -%}}

linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/ubuntu.xml

@@ -1,4 +1,3 @@
-{{%- if target_oval_version == [5, 11] -%}}
 <def-group>
   <definition class="compliance" id="aide_periodic_cron_checking" version="3">
     {{{ oval_metadata("By default, AIDE does not install itself for periodic
@@ -75,4 +74,3 @@
     <linux:state state_ref="ste_aide_is_active" />
   </linux:systemdunitproperty_test>
 </def-group>
-{{% endif %}}