General
- TEMPLATE openshift_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. The Compliance Operator reads this warning to automatically figure out which resources to fetch.
- Parameters:
endpoint (str | list[str]) – The Kubernetes object path(s) to fetch
suppress (bool) – Whether to suppress the warning
openshift_cluster_setting(endpoint, suppress)
- TEMPLATE openshift_filtered_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. The Compliance Operator reads this warning to automatically figure out which resources to fetch. The filtering directive is a jq expression ( https://stedolan.github.io/jq/manual/ ).
- Parameters:
path_filter_pairs (dict[str, str]) – Kubernetes object path/filter directive pairs
varargs (list[dict[str, str]]) – A list of path_filter_pairs (in case repeated paths need to be used)
openshift_filtered_cluster_setting(path_filter_pairs)
- TEMPLATE openshift_filtered_cluster_setting_suppressed
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. The Compliance Operator reads this warning to automatically figure out which resources to fetch. The filtering directive is a jq expression ( https://stedolan.github.io/jq/manual/ ). This macro also suppresses any non-fatal "failed to fetch API" warnings.
- Parameters:
path_filter_pairs (list) – Kubernetes object path/filter directive pairs
varargs – A list of path_filter_pairs (in case repeated paths need to be used)
openshift_filtered_cluster_setting_suppressed(path_filter_pairs)
- TEMPLATE hide_rule
Macro which generates a unique identifier for the Compliance Operator; this hides the rule from ComplianceCheckResult.
hide_rule()
- TEMPLATE suppressed_warning
Macro which generates a unique identifier for the Compliance Operator; this suppresses the warning.
suppressed_warning()
- TEMPLATE openshift_filtered_path
Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are combined into a unique identifier so that it does not conflict with unfiltered resources.
- Parameters:
path (str) – The Kubernetes object path to fetch
filter (str) – A filtering directive
openshift_filtered_path(path, filter)
- TEMPLATE sub_var_value
Calls the xccdf_value macro under the hood. Deprecated: use xccdf_value.
- Parameters:
varname (str) – The name of the variable to reference
sub_var_value(varname)
- TEMPLATE xccdf_value
Creates an XCCDF <sub> element.
- Parameters:
varname (str) – The name of the variable to reference
xccdf_value(varname)
- TEMPLATE describe_iptables_block
Describe an iptables rule that blocks a port.
- Parameters:
proto (str) – protocol to block
port (int) – port to block
describe_iptables_block(proto, port)
- TEMPLATE describe_iptables_allow
Describe an iptables rule that allows a port.
- Parameters:
proto (str) – protocol to allow
port (int) – port to allow
describe_iptables_allow(proto, port)
- TEMPLATE describe_firewalld_prevent_service
Describe preventing access to service in firewalld.
- Parameters:
service (str) – The service to prevent access to
describe_firewalld_prevent_service(service)
- TEMPLATE describe_firewalld_allow_port
Describe allowing access to a port in firewalld.
- Parameters:
port (int) – The port to allow
proto (str) – The protocol to allow
describe_firewalld_allow_port(port, proto)
- TEMPLATE describe_firewalld_allow_service
Describe allowing access to a service in firewalld.
- Parameters:
service (str) – The service to allow
describe_firewalld_allow_service(service)
- TEMPLATE describe_module_disable
Description for how to check for a disabled kernel module.
- Parameters:
module (str) – The module to disable.
describe_module_disable(module)
- TEMPLATE systemd_describe_socket_disable
Describe how to disable socket in systemd.
- Parameters:
socket (str) – The socket to check
systemd_describe_socket_disable(socket)
- TEMPLATE systemd_describe_socket_enable
Describe how to enable a socket in systemd.
- Parameters:
socket (str) – The socket to check
systemd_describe_socket_enable(socket)
- TEMPLATE describe_socket_enable
Inserts a rule description for a case when a socket should be enabled, substituting the correct init system.
- Parameters:
socket (str) – Name of socket
describe_socket_enable(socket)
- TEMPLATE describe_socket_disable
Inserts a rule description for a case when a socket should be disabled, substituting the correct init system.
- Parameters:
socket (str) – Name of socket
describe_socket_disable(socket)
- TEMPLATE systemd_describe_service_disable
Describe how to disable a service in systemd.
- Parameters:
service (str) – The service to check
systemd_describe_service_disable(service)
- TEMPLATE systemd_describe_service_enable
Describe how to enable a service in systemd.
- Parameters:
service (str) – The service to check
systemd_describe_service_enable(service)
- TEMPLATE describe_timer_enable
Inserts a rule description for a case when a timer should be enabled, substituting the correct init system.
- Parameters:
timer (str) – Name of timer
describe_timer_enable(timer)
- TEMPLATE describe_service_enable
Inserts a rule description for a case when a service should be enabled, substituting the correct init system.
- Parameters:
service (str) – Name of service
describe_service_enable(service)
- TEMPLATE describe_service_disable
Inserts a rule description for a case when a service should be disabled, substituting the correct init system.
- Parameters:
service (str) – Name of service
describe_service_disable(service)
- TEMPLATE describe_sebool_var
Describe how to set an SELinux boolean depending on a variable.
- Parameters:
sebool (str) – The SELinux boolean to set
describe_sebool_var(sebool)
- TEMPLATE describe_sebool_disable
Describe how to disable an SELinux boolean.
- Parameters:
sebool (str) – The SELinux boolean to disable
describe_sebool_disable(sebool)
- TEMPLATE describe_sebool_enable
Describe how to enable an SELinux boolean.
- Parameters:
sebool (str) – The SELinux boolean to enable
describe_sebool_enable(sebool)
- TEMPLATE apt_get_package_install
Show how to install a package with apt-get.
Example output:
$ apt-get install package
- Parameters:
package (str) – Package to install
apt_get_package_install(package)
- TEMPLATE apt_get_package_remove
Show how to remove a package with apt-get.
Example output:
$ apt-get remove package
- Parameters:
package (str) – Package to remove
apt_get_package_remove(package)
- TEMPLATE dnf_package_install
Show how to install a package with dnf.
Example output:
$ sudo dnf install package
- Parameters:
package (str) – Package to install
dnf_package_install(package)
- TEMPLATE dnf_package_remove
Show how to remove a package with dnf.
Example output:
$ sudo dnf remove package
- Parameters:
package (str) – Package to remove
dnf_package_remove(package)
- TEMPLATE yum_package_install
Show how to install a package with yum.
Example output:
$ sudo yum install package
- Parameters:
package (str) – Package to install
yum_package_install(package)
- TEMPLATE yum_package_remove
Show how to remove a package with yum.
Example output:
$ sudo yum erase package
- Parameters:
package (str) – Package to remove
yum_package_remove(package)
- TEMPLATE zypper_package_install
Show how to install a package with zypper.
Example output:
$ sudo zypper install package
- Parameters:
package (str) – Package to install
zypper_package_install(package)
- TEMPLATE zypper_package_remove
Show how to remove a package with zypper.
Example output:
$ sudo zypper remove package
- Parameters:
package (str) – Package to remove
zypper_package_remove(package)
- TEMPLATE package_install
Outputs a command for installing a package, substituting the correct package management software.
- Parameters:
package (str) – Name of package
package_install(package)
- TEMPLATE describe_package_install
Inserts a rule description for a case when a package should be installed, substituting the correct package management software.
- Parameters:
package (str) – Name of package
describe_package_install(package)
- TEMPLATE package_remove
Outputs a command for removing a package, substituting the correct package management software.
package_remove(package)
- TEMPLATE describe_package_remove
Inserts a rule description for a case when a package should be removed, substituting the correct package management software.
- Parameters:
package (str) – Name of package
describe_package_remove(package)
- TEMPLATE describe_file_permissions
Describe how to set the permissions on a file.
- Parameters:
file (str) – File to change
perms (str) – The permissions for the file
describe_file_permissions(file, perms)
- TEMPLATE describe_file_owner
Describe how to set the file owner of a file.
- Parameters:
file (str) – File to change
owner (str) – the owner for the file
describe_file_owner(file, owner)
- TEMPLATE describe_file_group_owner
Describe how to set the file group owner of a file.
- Parameters:
file (str) – File to change
group (str) – The group owner for the file
describe_file_group_owner(file, group)
- TEMPLATE check_file_permissions
How to check a file for the correct permissions.
- Parameters:
file (str) – File to check
perms (str) – The permissions for the file
check_file_permissions(file, perms)
- TEMPLATE describe_mount
How to add mount options to /etc/fstab.
- Parameters:
option (str) – The option to add to the partition
part (str) – The partition
describe_mount(option, part)
- TEMPLATE partition_description
Describe that a separate partition is needed.
- Parameters:
part (str) – The partition
partition_description(part)
- TEMPLATE describe_sysctl_option_value
Describe how to set a sysctl kernel parameter.
- Parameters:
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
describe_sysctl_option_value(sysctl, value)
- TEMPLATE weblink
Creates an HTML <a> element for the given link and text. If no text is given, the link itself is used as the text.
- Parameters:
link (str) – The url the link should have
text (str) – Optional, text for the link
weblink(link, text=none)
- TEMPLATE openssl_strong_entropy_config_file
An openssl config file with strong entropy.
openssl_strong_entropy_config_file()
- TEMPLATE machineconfig_description_footer
A note that an item needs to be done for each MachineConfigPool.
machineconfig_description_footer()
- TEMPLATE rule_notapplicable_when_ovirt_installed
Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.
rule_notapplicable_when_ovirt_installed()
- TEMPLATE describe_grub2_argument
Describe how to configure GRUB 2 to add an argument to the default kernel command line. The argument should be in the form parameter=value.
describe_grub2_argument(arg_name_value)
- TEMPLATE describe_kernel_build_config
Describe how to check a kernel compile-time configuration parameter.
- Parameters:
config (str) – The kernel config parameter
value (str) – The value for the given config
describe_kernel_build_config(config, value)
- TEMPLATE aide_string
Returns the AIDE strings based on the current product.
aide_string()
- TEMPLATE aide_files
Lists the files needed for the rule aide_check_audit_tools, together with the AIDE string.
aide_files()
- TEMPLATE grub_command
Macro to generate a command that modifies the GRUB 2 configuration, or adds or removes a kernel command line argument, in a GRUB 2 bootloader. It generates the correct command for the product (grubby, grub2-mkconfig, update-grub, etc.). Part of the grub2_bootloader_argument and grub2_bootloader_argument_absent templates.
- Parameters:
action (str) – What to do with the argument, must be one of: “update”, “add”, “remove”.
arg_name_value (str) – If action is “add”, this is the kernel command line argument name concatenated with its value using an equal sign, e.g. “audit=1”. If action is “remove”, this is only the kernel command line argument name, e.g. “audit”.
grub_command(action, arg_name_value=None)
- TEMPLATE join_list
Join a list of items into a human-readable list in which the last item is separated by “and” and the others are separated by commas.
- Parameters:
items (list[str]) – list of strings to join
join_list(items)