General

TEMPLATE openshift_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. This is used by the Compliance Operator to automatically figure out what resources to fetch.

Parameters:

endpoint (str | list[str]) – The Kubernetes object path(s) to fetch

suppress (bool) – Whether to suppress the warning

openshift_cluster_setting(endpoint, suppress)

TEMPLATE openshift_filtered_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ).

Parameters:

path_filter_pairs (dict[str, str]) – Kubernetes object path/filter directive pairs

varargs (list[dict[str, str]]) – A list of path_filter_pairs (in case repeated paths need to be used)

openshift_filtered_cluster_setting(path_filter_pairs)

TEMPLATE openshift_filtered_cluster_setting_suppressed

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ). This macro will suppress any non-fatal failed to fetch api warnings.

Parameters:

path_filter_pairs (list) – Kubernetes object path/filter directive pairs

varargs – A list of path_filter_pairs (in case repeated paths need to be used)

openshift_filtered_cluster_setting_suppressed(path_filter_pairs)

TEMPLATE hide_rule

Macro which generates a unique identifier for Compliance Operator, this will hide the rule from ComplianceCheckResult

hide_rule()

TEMPLATE suppressed_warning

Macro which generate a unique identifier for Compliance Operator, this will suppress the warning

suppressed_warning()

TEMPLATE openshift_filtered_path

Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique identifier in such a way that it won’t conflict with unfiltered resources

Parameters:

path (str) – The Kubernetes object path to fetch

filter (str) – A filtering directive

openshift_filtered_path(path, filter)

TEMPLATE sub_var_value

Calls xccdf_value macro under the hood. Deprecated: Use xccdf_value.

Parameters:

varname (str) – The name of the variable to reference

sub_var_value(varname)

TEMPLATE xccdf_value

Create an XCCDF <sub> element

Parameters:

varname (str) – The name of the variable to reference

xccdf_value(varname)

TEMPLATE describe_iptables_block

Describe an iptables block

Parameters:

proto (str) – protocol to block

port (int) – port to block

describe_iptables_block(proto, port)

TEMPLATE describe_iptables_allow

Describe an iptables allow

Parameters:

proto (str) – protocol to allow

port (int) – port to allow

describe_iptables_allow(proto, port)

TEMPLATE describe_firewalld_prevent_service

Describe preventing access to service in firewalld.

Parameters:

service (str) – The service to allow

describe_firewalld_prevent_service(service)

TEMPLATE describe_firewalld_allow_port

Describe allowing access to a port in firewalld.

Parameters:

port (int) – The port to allow

proto (str) – The protocol to allow

describe_firewalld_allow_port(port, proto)

TEMPLATE describe_firewalld_allow_service

Describe allowing access to a service in firewalld.

Parameters:

service (str) – The service to allow

describe_firewalld_allow_service(service)

TEMPLATE describe_module_disable

Description for how to check for a disabled kernel module.

Parameters:

module (str) – The module to disable.

describe_module_disable(module)

TEMPLATE systemd_describe_socket_disable

Describe how to disable socket in systemd.

Parameters:

socket (str) – The socket to check

systemd_describe_socket_disable(socket)

TEMPLATE systemd_describe_socket_enable

Describe how to enable a socket in systemd.

Parameters:

socket (str) – The socket to check

systemd_describe_socket_enable(socket)

TEMPLATE describe_socket_enable

Inserts a rule description for a case when a socket should be enabled, substituting the correct init system.

Parameters:

socket (str) – Name of socket

describe_socket_enable(socket)

TEMPLATE describe_socket_disable

Inserts a rule description for a case when a socket should be disabled, substituting the correct init system.

Parameters:

socket (str) – Name of socket

describe_socket_disable(socket)

TEMPLATE systemd_describe_service_disable

Describe how to disable a service in systemd.

Parameters:

service (str) – The service to check

systemd_describe_service_disable(service)

TEMPLATE systemd_describe_service_enable

Describe how to enable a service in systemd.

Parameters:

service (str) – The service to check

systemd_describe_service_enable(service)

TEMPLATE describe_timer_enable

Inserts a rule description for a case when a timer should be enabled, substituting the correct init system.

Parameters:

timer (str) – Name of timer

describe_timer_enable(timer)

TEMPLATE describe_service_enable

Inserts a rule description for a case when a service should be enabled, substituting the correct init system.

Parameters:

service (str) – Name of service

describe_service_enable(service)

TEMPLATE describe_service_disable

Inserts a rule description for a case when a service should be disabled, substituting the correct init system.

Parameters:

service (str) – Name of service

describe_service_disable(service)

TEMPLATE describe_sebool_var

Describe how to set an SELinux boolean depending on a variable.

Parameters:

sebool (str) – The SELinux boolean to disable

describe_sebool_var(sebool)

TEMPLATE describe_sebool_disable

Describe how to disable an SELinux boolean.

Parameters:

sebool (str) – The SELinux boolean to disable

describe_sebool_disable(sebool)

TEMPLATE describe_sebool_enable

Describe how to enable an SELinux boolean.

Parameters:

sebool (str) – The SELinux boolean to disable

describe_sebool_enable(sebool)
TEMPLATE apt_get_package_install
Show how to install a package with apt-get.

Example output:
apt-get install package
Parameters:

package (str) – Package to install

apt_get_package_install(package)
TEMPLATE apt_get_package_remove
Show how to remove a package with apt-get.

Example output:
$ apt-get remove package
Parameters:

package (str) – Package to remove

apt_get_package_remove(package)
TEMPLATE dnf_package_install
Show how to install a package with dnf.

Example output:
$ sudo dnf install package
Parameters:

package (str) – Package to install

dnf_package_install(package)
TEMPLATE dnf_package_remove
Show how to remove a package with dnf.

Example output:
$ sudo dnf erase remove package
Parameters:

package (str) – Package to remove

dnf_package_remove(package)
TEMPLATE yum_package_install
Show how to install a package with yum.

Example output:
$ sudo yum install package
Parameters:

package (str) – Package to install

yum_package_install(package)
TEMPLATE yum_package_remove
Show how to remove a package with yum.

Example output:
$ sudo yum erase package
Parameters:

package (str) – Package to remove

yum_package_remove(package)
TEMPLATE zypper_package_install
Show how to install a package with zypper.

Example output:
$ sudo zypper install package
Parameters:

package (str) – Package to install

zypper_package_install(package)
TEMPLATE zypper_package_remove
Show how to remove a package with zypper.

Example output:
$ sudo zypper remove package
Parameters:

package (str) – Package to remove

zypper_package_remove(package)
TEMPLATE package_install

Outputs a command for installing a package, substituting the correct package management software.

Parameters:

package (str) – Name of package

package_install(package)

TEMPLATE describe_package_install

Inserts a rule description for a case when a package should be installed, substituting the correct package management software.

Parameters:

package (str) – Name of package

describe_package_install(package)

TEMPLATE package_remove

Outputs a command for removing a package, substituting the correct package management software.

package_remove(package)

TEMPLATE describe_package_remove

Inserts a rule description for a case when a package should be removed, substituting the correct package management software.

Parameters:

package (str) – Name of package

describe_package_remove(package)

TEMPLATE describe_file_permissions

Describe how to set the permissions on a file.

Parameters:

file (str) – File to change

perms (str) – The permissions for the file

describe_file_permissions(file, perms)

TEMPLATE describe_file_owner

Describe how to set the file owner of a file.

Parameters:

file (str) – File to change

owner (str) – the owner for the file

describe_file_owner(file, owner)

TEMPLATE describe_file_group_owner

Describe how to set the file group owner of a file.

Parameters:

file (str) – File to change

group (str) – The group owner for the file

describe_file_group_owner(file, group)

TEMPLATE check_file_permissions

How to check a file for the correct permissions.

Parameters:

file (str) – File to change

perms (str) – The permissions for the file

check_file_permissions(file, perms)

TEMPLATE describe_mount

How add mount options to /etc/fstab

Parameters:

option (str) – The option to add to the partition

part (str) – The partition

describe_mount(option, part)

TEMPLATE partition_description

Describe the separate partition is needed.

Parameters:

part (str) – The partition

partition_description(part)

TEMPLATE describe_sysctl_option_value

Describe how to set a sysctl kernel parameter.

Parameters:

sysctl (str) – The kernel parameter to change

value (str) – The value to be set

describe_sysctl_option_value(sysctl, value)

TEMPLATE weblink

Creates an HTML <a> element for the given link and text. If no text is given the link will be the text

Parameters:

link (str) – The url the link should have

text (str) – Optional, text for the link

weblink(link, text=none)

TEMPLATE openssl_strong_entropy_config_file

An openssl config file with strong entropy.

openssl_strong_entropy_config_file()

TEMPLATE machineconfig_description_footer

A note about an item need be done for each MachineConfigPool.

machineconfig_description_footer()

TEMPLATE rule_notapplicable_when_ovirt_installed

Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.

rule_notapplicable_when_ovirt_installed()

TEMPLATE describe_grub2_argument

Describe how to configure Grub2 to add an argument to the default kernel command line. The parameter should be in form parameter=value.

describe_grub2_argument(arg_name_value)

TEMPLATE describe_kernel_build_config

Describe how to check a kernel compile parameter

Parameters:

config (str) – The kernel config parameter

value (str) – The value for the given config

describe_kernel_build_config(config, value)

TEMPLATE aide_string

Returns the AIDE strings based on the current product

aide_string()

TEMPLATE aide_files

Lists the files need for the rule aide_check_audit_tools with the AIDE string

aide_files()

TEMPLATE grub_command

Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader. Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.) Part of the grub2_bootloader_argument(_absent) templates.

Parameters:

action (str) – What to do with the argument, must be one of: “update”, “add”, “remove”.

arg_name_value (str) – If action is “add”, it’s kernel command line argument concatenated with the value of this argument using an equal sign, eg. “audit=1”. If action is “remove”, it’s only the kernel command line argument name, eg. “audit”.

grub_command(action, arg_name_value=None)

TEMPLATE join_list

Join list of items to create a human readable list in which the last item is separated by an and and others are separated by a comma.

Parameters:

items (list[str]) – list of strings to join

join_list(items)