General

TEMPLATE openshift_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. This is used by the Compliance Operator to automatically figure out what resources to fetch.

Parameters:
  • endpoint (str | list[str]) – The Kubernetes object path(s) to fetch

  • suppress (bool) – Whether to suppress the warning

openshift_cluster_setting(endpoint, suppress)

TEMPLATE openshift_filtered_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ).

Parameters:
  • path_filter_pairs (dict[str, str]) – Kubernetes object path/filter directive pairs

  • varargs (list[dict[str, str]]) – A list of path_filter_pairs (in case repeated paths need to be used)

openshift_filtered_cluster_setting(path_filter_pairs)

TEMPLATE openshift_filtered_cluster_setting_suppressed

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ). This macro will suppress any non-fatal failed to fetch api warnings.

Parameters:
  • path_filter_pairs (list) – Kubernetes object path/filter directive pairs

  • varargs – A list of path_filter_pairs (in case repeated paths need to be used)

openshift_filtered_cluster_setting_suppressed(path_filter_pairs)

TEMPLATE hide_rule

Macro which generates a unique identifier for Compliance Operator, this will hide the rule from ComplianceCheckResult

hide_rule()

TEMPLATE suppressed_warning

Macro which generate a unique identifier for Compliance Operator, this will suppress the warning

suppressed_warning()

TEMPLATE openshift_filtered_path

Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique identifier in such a way that it won’t conflict with unfiltered resources

Parameters:
  • path (str) – The Kubernetes object path to fetch

  • filter (str) – A filtering directive

openshift_filtered_path(path, filter)

TEMPLATE sub_var_value

Calls xccdf_value macro under the hood. Deprecated: Use xccdf_value.

Parameters:
  • varname (str) – The name of the variable to reference

sub_var_value(varname)

TEMPLATE xccdf_value

Create an XCCDF <sub> element

Parameters:
  • varname (str) – The name of the variable to reference

xccdf_value(varname)

TEMPLATE describe_iptables_block

Describe an iptables block

Parameters:
  • proto (str) – protocol to block

  • port (int) – port to block

describe_iptables_block(proto, port)

TEMPLATE describe_iptables_allow

Describe an iptables allow

Parameters:
  • proto (str) – protocol to allow

  • port (int) – port to allow

describe_iptables_allow(proto, port)

TEMPLATE describe_firewalld_prevent_service

Describe preventing access to service in firewalld.

Parameters:
  • service (str) – The service to allow

describe_firewalld_prevent_service(service)

TEMPLATE describe_firewalld_allow_port

Describe allowing access to a port in firewalld.

Parameters:
  • port (int) – The port to allow

  • proto (str) – The protocol to allow

describe_firewalld_allow_port(port, proto)

TEMPLATE describe_firewalld_allow_service

Describe allowing access to a service in firewalld.

Parameters:
  • service (str) – The service to allow

describe_firewalld_allow_service(service)

TEMPLATE describe_module_disable

Description for how to check for a disabled kernel module.

Parameters:
  • module (str) – The module to disable.

describe_module_disable(module)

TEMPLATE systemd_describe_socket_disable

Describe how to disable socket in systemd.

Parameters:
  • socket (str) – The socket to check

systemd_describe_socket_disable(socket)

TEMPLATE systemd_describe_socket_enable

Describe how to enable a socket in systemd.

Parameters:
  • socket (str) – The socket to check

systemd_describe_socket_enable(socket)

TEMPLATE describe_socket_enable

Inserts a rule description for a case when a socket should be enabled, substituting the correct init system.

Parameters:
  • socket (str) – Name of socket

describe_socket_enable(socket)

TEMPLATE describe_socket_disable

Inserts a rule description for a case when a socket should be disabled, substituting the correct init system.

Parameters:
  • socket (str) – Name of socket

describe_socket_disable(socket)

TEMPLATE systemd_describe_service_disable

Describe how to disable a service in systemd.

Parameters:
  • service (str) – The service to check

systemd_describe_service_disable(service)

TEMPLATE systemd_describe_service_enable

Describe how to enable a service in systemd.

Parameters:
  • service (str) – The service to check

systemd_describe_service_enable(service)

TEMPLATE describe_timer_enable

Inserts a rule description for a case when a timer should be enabled, substituting the correct init system.

Parameters:
  • timer (str) – Name of timer

describe_timer_enable(timer)

TEMPLATE describe_service_enable

Inserts a rule description for a case when a service should be enabled, substituting the correct init system.

Parameters:
  • service (str) – Name of service

describe_service_enable(service)

TEMPLATE describe_service_disable

Inserts a rule description for a case when a service should be disabled, substituting the correct init system.

Parameters:
  • service (str) – Name of service

describe_service_disable(service)

TEMPLATE describe_sebool_var

Describe how to set an SELinux boolean depending on a variable.

Parameters:
  • sebool (str) – The SELinux boolean to disable

describe_sebool_var(sebool)

TEMPLATE describe_sebool_disable

Describe how to disable an SELinux boolean.

Parameters:
  • sebool (str) – The SELinux boolean to disable

describe_sebool_disable(sebool)

TEMPLATE describe_sebool_enable

Describe how to enable an SELinux boolean.

Parameters:
  • sebool (str) – The SELinux boolean to disable

describe_sebool_enable(sebool)

TEMPLATE apt_get_package_install

Show how to install a package with apt-get.

Example output:

apt-get install package
Parameters:
  • package (str) – Package to install

apt_get_package_install(package)

TEMPLATE apt_get_package_remove

Show how to remove a package with apt-get.

Example output:

$ apt-get remove package
Parameters:
  • package (str) – Package to remove

apt_get_package_remove(package)

TEMPLATE dnf_package_install

Show how to install a package with dnf.

Example output:

$ sudo dnf install package
Parameters:
  • package (str) – Package to install

dnf_package_install(package)

TEMPLATE dnf_package_remove

Show how to remove a package with dnf.

Example output:

$ sudo dnf remove package
Parameters:
  • package (str) – Package to remove

dnf_package_remove(package)

TEMPLATE yum_package_install

Show how to install a package with yum.

Example output:

$ sudo yum install package
Parameters:
  • package (str) – Package to install

yum_package_install(package)

TEMPLATE yum_package_remove

Show how to remove a package with yum.

Example output:

$ sudo yum erase package
Parameters:
  • package (str) – Package to remove

yum_package_remove(package)

TEMPLATE zypper_package_install

Show how to install a package with zypper.

Example output:

$ sudo zypper install package
Parameters:
  • package (str) – Package to install

zypper_package_install(package)

TEMPLATE zypper_package_remove

Show how to remove a package with zypper.

Example output:

$ sudo zypper remove package
Parameters:
  • package (str) – Package to remove

zypper_package_remove(package)

TEMPLATE package_install

Outputs a command for installing a package, substituting the correct package management software.

Parameters:
  • package (str) – Name of package

package_install(package)

TEMPLATE describe_package_install

Inserts a rule description for a case when a package should be installed, substituting the correct package management software.

Parameters:
  • package (str) – Name of package

describe_package_install(package)

TEMPLATE package_remove

Outputs a command for removing a package, substituting the correct package management software.

package_remove(package)

TEMPLATE describe_package_remove

Inserts a rule description for a case when a package should be removed, substituting the correct package management software.

Parameters:
  • package (str) – Name of package

describe_package_remove(package)

TEMPLATE describe_file_permissions

Describe how to set the permissions on a file.

Parameters:
  • file (str) – File to change

  • perms (str) – The permissions for the file

describe_file_permissions(file, perms)

TEMPLATE describe_file_owner

Describe how to set the file owner of a file.

Parameters:
  • file (str) – File to change

  • owner (str) – the owner for the file

describe_file_owner(file, owner)

TEMPLATE describe_file_group_owner

Describe how to set the file group owner of a file.

Parameters:
  • file (str) – File to change

  • group (str) – The group owner for the file

describe_file_group_owner(file, group)

TEMPLATE check_file_permissions

How to check a file for the correct permissions.

Parameters:
  • file (str) – File to change

  • perms (str) – The permissions for the file

check_file_permissions(file, perms)

TEMPLATE describe_mount

How add mount options to /etc/fstab

Parameters:
  • option (str) – The option to add to the partition

  • part (str) – The partition

describe_mount(option, part)

TEMPLATE partition_description

Describe the separate partition is needed.

Parameters:
  • part (str) – The partition

partition_description(part)

TEMPLATE describe_sysctl_option_value

Describe how to set a sysctl kernel parameter.

Parameters:
  • sysctl (str) – The kernel parameter to change

  • value (str) – The value to be set

describe_sysctl_option_value(sysctl, value)

Creates an HTML <a> element for the given link and text. If no text is given the link will be the text

Parameters:
  • link (str) – The url the link should have

  • text (str) – Optional, text for the link

weblink(link, text=none)

TEMPLATE openssl_strong_entropy_config_file

An openssl config file with strong entropy.

openssl_strong_entropy_config_file()

A note about an item need be done for each MachineConfigPool.

machineconfig_description_footer()

TEMPLATE rule_notapplicable_when_ovirt_installed

Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.

rule_notapplicable_when_ovirt_installed()

TEMPLATE describe_grub2_argument

Describe how to configure Grub2 to add an argument to the default kernel command line. The parameter should be in form parameter=value.

describe_grub2_argument(arg_name_value)

TEMPLATE describe_kernel_build_config

Describe how to check a kernel compile parameter

Parameters:
  • config (str) – The kernel config parameter

  • value (str) – The value for the given config

describe_kernel_build_config(config, value)

TEMPLATE aide_string

Returns the AIDE strings based on the current product

aide_string()

TEMPLATE aide_files

Lists the files need for the rule aide_check_audit_tools with the AIDE string

aide_files()

TEMPLATE grub_command

Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader. Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.) Part of the grub2_bootloader_argument(_absent) templates.

Parameters:
  • action (str) – What to do with the argument, must be one of: “update”, “add”, “remove”.

  • arg_name_value (str) – If action is “add”, it’s kernel command line argument concatenated with the value of this argument using an equal sign, eg. “audit=1”. If action is “remove”, it’s only the kernel command line argument name, eg. “audit”.

grub_command(action, arg_name_value=None)

TEMPLATE join_list

Join list of items to create a human readable list in which the last item is separated by an and and others are separated by a comma.

Parameters:
  • items (list[str]) – list of strings to join

join_list(items)