Bash
- TEMPLATE bash_instantiate_variables
Pass strings that correspond to XCCDF value names as arguments to this macro:
bash_instantiate_variables("varname1", "varname2")
Then, assume that variables of those names are defined and contain the correct value, e.g.:
echo "Setting=$varname1" >> config_file
bash_instantiate_variables()
- TEMPLATE bash_ensure_pam_module_options
Make sure that we have a line like this in pamFile (additional options are left as-is):
type control module option=valueRegexArg
- Parameters:
pamFile (str) – PAM config file
type (str) – PAM module interface
control (str) – PAM control flags
module (str) – PAM module name
option (str) – PAM module option
valueRegexArg (str) – PAM module option argument regex pattern
defaultValueArg (str) – PAM module option argument default value
bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
- TEMPLATE bash_provide_pam_module_options
Make sure that the line with the given type, control and module in pamFile has the given option (additional options are left as-is):
type control module option=valueRegexArg
- Parameters:
pamFile (str) – PAM config file
type (str) – PAM module interface
control (str) – PAM control flags
module (str) – PAM module name
option (str) – PAM module option
valueRegexArg (str) – PAM module option argument regex pattern
defaultValueArg (str) – PAM module option argument default value
bash_provide_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
- TEMPLATE bash_shell_file_set
Set a parameter
- Parameters:
path (str) – Path to file
parameter (str) – Parameter to set
value (str) – Value to set
no_quotes (bool) – If true the value is not quoted. Default is false.
bash_shell_file_set(path, parameter, value, no_quotes=false)
- TEMPLATE bash_sshd_config_set
Set a parameter in /etc/ssh/sshd_config
- Parameters:
parameter (str) – Parameter to set
value (str) – The value to set
bash_sshd_config_set(parameter, value)
- TEMPLATE bash_sshd_remediation
Set a parameter in /etc/ssh/sshd_config or, when the configuration is distributed, in a drop-in file under /etc/ssh/sshd_config.d/
- Parameters:
parameter (str) – Parameter to set
value (str) – The value to set
config_is_distributed (str) – If "true", also look in /etc/ssh/sshd_config.d and write the parameter to the drop-in file named by config_basename
config_basename (str) – Filename of the configuration file when using distributed configuration
bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="00-complianceascode-hardening.conf")
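Why the distributed variant matters, shown as an added example (not the project's macro code): sshd applies the first value it reads for a keyword, and a stock sshd_config on recent Fedora/RHEL Includes sshd_config.d/*.conf before its own directives, so an edit to the main file alone can leave a vendor drop-in in charge. The functions below take the config path as an argument, write a keyword either into the main file or into a drop-in, and then resolve the effective value the way sshd does. The scratch directory, the 50-redhat.conf drop-in and all file contents are constructed for the demonstration; on a real host, confirm the result with "sshd -T".

```sh
#!/bin/sh
# Added example, not the project's macro code: set an sshd keyword in the main
# file or in a drop-in, then resolve the value sshd would actually use.
# All paths are parameters so the code can be exercised on a scratch directory.

# Split one config line into a lowercased keyword ($kw) and its argument ($rest).
# Accepts "Key value" and "Key=value"; comments and blank lines give kw="".
_sshd_split() {
  kw=""; rest=""
  line=$(printf '%s' "$1" | sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//; s/^([A-Za-z0-9]+) ?= ?/\1 /')
  case $line in ''|'#'*) return 0 ;; esac
  case $line in *' '*) rest=${line#* } ;; esac
  kw=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
}

# Write "$2 $3" into file $1: replace the first global definition (even a
# commented-out one), else insert it above the first Match block so that it
# does not become conditional, else append it.
_sshd_write_keyword() {
  target=$1; param=$2; value=$3
  touch "$target"
  awk -v p="$param" -v v="$value" '
    function key(l,  a) { sub(/^[ \t]*#?[ \t]*/, "", l); split(l, a, /[ \t=]+/); return tolower(a[1]) }
    !done && key($0) == "match"    { print p " " v; done = 1 }
    !done && key($0) == tolower(p) { print p " " v; done = 1; next }
    { print }
    END { if (!done) print p " " v }
  ' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
}

# sshd_set_option PARAM VALUE MAIN_CONFIG [DISTRIBUTED] [DROPIN_BASENAME]
# Mirrors the arguments of bash_sshd_remediation.
sshd_set_option() {
  if [ "${4:-false}" = "true" ]; then
    dir=$(dirname "$3")/sshd_config.d
    mkdir -p "$dir"
    _sshd_write_keyword "$dir/${5:-00-complianceascode-hardening.conf}" "$1" "$2"
  else
    _sshd_write_keyword "$3" "$1" "$2"
  fi
}

# sshd_effective_value KEYWORD MAIN_CONFIG: first-match resolution as sshd does
# it. Include directives are expanded in place, globs in sorted order, and the
# global scope ends at the first Match. Relative Include paths are resolved
# against the main file's directory here; real sshd uses /etc/ssh.
sshd_effective_value() {
  pl=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ -r "$2" ] || return 1
  while IFS= read -r raw || [ -n "$raw" ]; do
    _sshd_split "$raw"
    case $kw in
      match) return 1 ;;
      include)
        case $rest in /*) ;; *) rest=$(dirname "$2")/$rest ;; esac
        for inc in $rest; do          # unquoted on purpose: the glob expands here
          if v=$(sshd_effective_value "$1" "$inc"); then printf '%s\n' "$v"; return 0; fi
        done ;;
      "$pl") printf '%s\n' "$rest"; return 0 ;;
    esac
  done < "$2"
  return 1
}

# Demonstration on a constructed scratch tree (not a real /etc/ssh). Prints the
# value sshd would use at four points: as shipped, after editing only the main
# file, after writing the drop-in, and for a keyword that must not land under
# the trailing Match block.
sshd_demo() {
  d=$(mktemp -d); main=$d/sshd_config
  mkdir -p "$d/sshd_config.d"
  printf '%s\n' 'Include sshd_config.d/*.conf' 'PermitRootLogin yes' \
    'X11Forwarding yes' 'Match User backup' '    X11Forwarding no' > "$main"
  printf '%s\n' 'PermitRootLogin prohibit-password' > "$d/sshd_config.d/50-redhat.conf"
  v1=$(sshd_effective_value PermitRootLogin "$main")
  sshd_set_option PermitRootLogin no "$main"            # main file only: the drop-in still wins
  v2=$(sshd_effective_value PermitRootLogin "$main")
  sshd_set_option PermitRootLogin no "$main" true       # 00-...conf sorts before 50-redhat.conf
  v3=$(sshd_effective_value PermitRootLogin "$main")
  sshd_set_option MaxAuthTries 4 "$main"                # inserted above "Match", not appended below it
  v4=$(sshd_effective_value MaxAuthTries "$main")
  rm -rf "$d"
  printf '%s %s %s %s\n' "$v1" "$v2" "$v3" "$v4"
}
```

The default drop-in name 00-complianceascode-hardening.conf sorts before vendor files, which is what makes the distributed variant effective; a drop-in called, say, zz-hardening.conf would lose to 50-redhat.conf even though it was written later.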
- TEMPLATE bash_create_audit_remediation_unsuccessful_file_modification_detailed
Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename argument as in https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
- Parameters:
filename (str) – Path of the file to write the rules to
bash_create_audit_remediation_unsuccessful_file_modification_detailed(filename)
- TEMPLATE bash_auditd_config_set
Set parameter in /etc/audit/auditd.conf
- Parameters:
parameter (str) – Parameter to set
value (str) – The value to set
bash_auditd_config_set(parameter, value)
- TEMPLATE bash_coredump_config_set
Set parameter in /etc/systemd/coredump.conf. For SLE platforms put remediation in drop-in configuration file /etc/systemd/coredump.conf.d/oscap-autoremedy.conf.
- Parameters:
parameter (str) – Parameter to set
value (str) – The value to set
bash_coredump_config_set(parameter, value)
- TEMPLATE bash_selinux_config_set
Set parameter in /etc/selinux/config
- Parameters:
parameter (str) – Parameter to set
value (str) – The value to set
bash_selinux_config_set(parameter, value)
- TEMPLATE bash_fix_audit_watch_rule
Macro to fix audit file system object watch rule for given path:
if rule exists, also verifies the -w bits match the requirements
if rule doesn’t exist yet, appends expected rule form to $files_to_inspect audit rules file, depending on the tool which was used to load audit rules
Example macro invocation:
{{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}}
- Parameters:
tool (str) – tool used to load audit rules, either ‘auditctl’, or ‘augenrules’
path (str) – value of -w audit rule’s argument
required_access_bits (str) – value of -p audit rule’s argument
key (str) – value of -k audit rule’s argument
bash_fix_audit_watch_rule(tool, path, required_access_bits, key)
- TEMPLATE bash_package_install
Install a package
Uses the right command based on pkg_manager property defined in product.yml.
- Parameters:
package (str) – name of the package
bash_package_install(package)
- TEMPLATE bash_package_remove
Remove a package
Uses the right command based on pkg_manager property defined in product.yml. When used in a test scenario, the macro will remove even protected packages.
- Parameters:
package (str) – name of the package
bash_package_remove(package)
- TEMPLATE bash_perform_audit_adjtimex_settimeofday_stime_remediation
Macro to perform remediation for the 'adjtimex', 'settimeofday' and 'stime' audit system calls on RHEL, Fedora or OL systems. Remediation is performed for both possible tools: 'auditctl' and 'augenrules'.
Note: the 'stime' system call does not exist on the 64-bit architecture (see the output of "$ ausyscall x86_64 stime"), therefore it is excluded from the list of time-group system calls to be audited on that architecture.
Example macro invocation:
{{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}}
bash_perform_audit_adjtimex_settimeofday_stime_remediation()
- TEMPLATE bash_disable_prelink
Disable prelinking in sysconfig
bash_disable_prelink()
- TEMPLATE bash_dconf_settings
Macro to configure DConf settings for RHEL and Fedora systems.
Files whose names contain "ibus" or "distro" are ignored.
bash_dconf_settings(path, key, value, db, setting_file)
- TEMPLATE bash_dconf_lock
Macro to configure DConf locks for RHEL and Fedora systems.
bash_dconf_lock(key, setting, db, lock_file)
- TEMPLATE bash_service_command
Macro to enable or disable a particular service.
Examples:
bash_service_command("enable", "bluetooth")
bash_service_command("disable", "bluetooth.service")
bash_service_command("disable", "rsh.socket", xinetd="rsh")
- Parameters:
service_state (str) – Desired state of the service
service (str) – The service to change
xinetd (str) – Name of the xinetd service to configure alongside the service, if any. Defaults to empty string.
bash_service_command(service_state, service, xinetd="")
- TEMPLATE bash_ensure_there_are_servers_in_ntp_compatible_config_file
Macro to ensure that the ntp/chrony config file contains valid server entries.
- Parameters:
config_file (str) – Path to the ntp/chrony config file
servers_list (str) – Comma-separated list of servers
bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list)
- TEMPLATE bash_apply_authselect_changes
Macro used to apply changes on authselect profiles. The command automatically creates a backup of the current settings before applying the changes. A custom backup name can be given through the "backup_name" parameter; if it is not defined, the authselect default name is used, which is formed by the current date and time suffixed by 6 random alphanumeric characters. The authselect backups are stored in sub-folders inside the "/var/lib/authselect/backups" folder, identified by their respective backup names. Note: an existing backup is overwritten if the same backup name is given again. If this is not desired, avoid defining a backup name.
- Parameters:
backup_name (str) – Changes the default backup name used by authselect.
bash_apply_authselect_changes(backup_name='')
- TEMPLATE bash_disable_authselect_feature
Disable an authselect feature if the current authselect profile is intact; otherwise report that its integrity check failed.
bash_disable_authselect_feature(feature)
- TEMPLATE bash_enable_authselect_feature
Enable an authselect feature if the current authselect profile is intact; otherwise report that its integrity check failed.
bash_enable_authselect_feature(feature)
- TEMPLATE bash_enable_pam_faillock_with_authselect
Enable pam_faillock.so PAM module using authselect. If an authselect profile is not selected or the selected profile is not intact, the operation is aborted. If the operation is aborted, an informative message is shown in the remediation report.
bash_enable_pam_faillock_with_authselect()
- TEMPLATE bash_enable_pam_faillock_directly_in_pam_files
Enable pam_faillock.so PAM module by directly editing PAM files. This option is only recommended when authselect tool is not available for the system.
bash_enable_pam_faillock_directly_in_pam_files()
- TEMPLATE bash_pam_pwquality_enable
Enable pam_pwquality.so PAM module by using pam-auth-update. This option is only recommended when pam-auth-update tool is available for the system.
bash_pam_pwquality_enable()
- TEMPLATE bash_pam_unix_enable
Enable pam_unix.so PAM module by using pam-auth-update. This option is only recommended when pam-auth-update tool is available for the system.
bash_pam_unix_enable()
- TEMPLATE bash_ensure_pam_variables_and_authselect_profile
Validates the integrity of an authselect custom profile and ensures the correct file path is defined in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of whether authselect is used or not; the only difference is the file path. However, this file path can change depending on the custom profile name used in the system, so, based on the given PAM file, the macro locates the correct profile and file to be edited in the authselect context. This sequence of commands is used in multiple PAM related macros.
- Parameters:
pam_file (str) – PAM config file.
bash_ensure_pam_variables_and_authselect_profile(pam_file)
- TEMPLATE bash_pam_lastlog_enable_showfailed
Ensure pam_lastlog.so PAM module shows the failed logins according to the system capabilities. If authselect is present and the “with-silent-lastlog” feature is available, the feature will be disabled. If authselect is present but the “with-silent-lastlog” feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited.
- Parameters:
pam_file (str) – PAM config file.
control (str) – PAM control flags.
after_match (str) – Regex used as reference to append a line, if necessary. Optional parameter. Note: for this macro, there is a special value used to include a line at the beginning of the file: "BOF"
bash_pam_lastlog_enable_showfailed(pam_file, control, after_match='')
- TEMPLATE bash_pam_pwhistory_enable
Enable pam_pwhistory.so PAM module according to the system capabilities. If authselect is present and the “with-pwhistory” feature is available, the feature will be enabled. If authselect is present but the “with-pwhistory” feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited.
- Parameters:
pam_file (str) – PAM config file.
control (str) – PAM control flags.
after_match (str) – Regex used as reference to append a line, if necessary. Optional parameter. Note: for this macro, there is a special value used to include a line at the beginning of the file: "BOF"
bash_pam_pwhistory_enable(pam_file, control, after_match='')
- TEMPLATE bash_pam_pwhistory_parameter_value
Set pam_pwhistory.so PAM module options and values. If the file /etc/security/pwhistory.conf is present on the system, the option is ensured there and removed from the PAM files to avoid conflicts or confusion.
- Parameters:
pam_file (str) – PAM config file.
option (str) – pwhistory option e.g.: remember, retry, debug
value (str) – value of option
bash_pam_pwhistory_parameter_value(pam_file, option, value='')
- TEMPLATE bash_pam_faillock_parameter_value
Sets pam_faillock.so PAM module options and values. If the file /etc/security/faillock.conf is present on the system, the option is removed from the PAM files, since it is not needed there in that case. It also adds pam_faillock.so as a required module for account.
- Parameters:
option (str) – faillock option eg. deny, unlock_time, fail_interval
value (str) – value of option
authfail (bool) – check the pam_faillock.so conf line with authfail
bash_pam_faillock_parameter_value(option, value='', authfail=True)
- TEMPLATE bash_pam_pwquality_parameter_value
Sets pam_pwquality.so PAM module options and values. The module argument is not removed from the PAM files, since it is not inserted there in the Ubuntu case. It also assumes pam_pwquality.so is already present as a required module in the password stack.
- Parameters:
option (str) – pwquality option eg. retry, minlen, dcredit
value (str) – value of option
bash_pam_pwquality_parameter_value(option, value='')
- TEMPLATE die
Print a message to stderr and exit the shell.
- Parameters:
message (str) – The message to print.
rc (int) – The exit code (optional, default is 1)
action (str) – What to do (optional, default is 'exit'; can also be 'return' or anything else)
die(message, rc=1, action="exit")
- TEMPLATE set_config_file
Add an entry to a text configuration file
- Parameters:
path (str) – path of the configuration file
parameter (str) – the parameter to be set in the configuration file
value (str) – the value of the parameter to be set in the configuration file
create (bool) – whether to create the file specified by path if it does not exist
insert_after (str) – inserts the entry right after first line that matches regular expression specified by this argument, set to EOF to insert at the end of the file
insert_before (str) – inserts the entry right before first line that matches regular expression specified by this argument, set to BOF to insert at the beginning of the file
insensitive (bool) – ignore case
separator (str) – separates parameter from the value (literal)
separator_regex (str) – regular expression that describes the separator and surrounding whitespace
prefix_regex (str) – regular expression describing allowed leading characters at each line
sed_path_separator (char) – delimiter character used in the generated sed expressions (default "/")
set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s+", prefix_regex="^\s*", sed_path_separator="/")
- TEMPLATE bash_file_contents
Generates bash script code that puts ‘contents’ into a file at ‘filepath’
- Parameters:
filepath (str) – Path of the file to write to
contents (str) – Contents that should be in the file
bash_file_contents(filepath='', contents='')
- TEMPLATE bash_deregexify_banner_anchors
Strips anchors regex around the banner text
bash_deregexify_banner_anchors(banner_var_name)
- TEMPLATE bash_deregexify_multiple_banners
Strips multibanner regex and keeps only the first banner
bash_deregexify_multiple_banners(banner_var_name)
- TEMPLATE bash_deregexify_banner_space
Strips whitespace or newline regex
bash_deregexify_banner_space(banner_var_name)
- TEMPLATE bash_deregexify_banner_newline
Strips newline or newline escape sequence regex
bash_deregexify_banner_newline(banner_var_name, newline)
- TEMPLATE bash_deregexify_banner_newline_token
Strips newline token for a newline escape sequence regex
bash_deregexify_banner_newline_token(banner_var_name)
- TEMPLATE bash_deregexify_banner_backslash
Strips backslash regex
bash_deregexify_banner_backslash(banner_var_name)
- TEMPLATE bash_package_installed
Check whether or not a package is installed.
bash_package_installed(pkgname)
- TEMPLATE set_cce_value
Set rule CCE value
This macro gets the var cce_identifiers from the environment created by the build scripts. The cce_identifiers is a dictionary that contains either the ‘cce’:’CCENUM’ record for the product this remediation is being built for, or it is empty.
set_cce_value()
- TEMPLATE bash_ensure_nl_at_eof
Ensure file ends with newline
Does not modify the file at all if it already ends with a newline. Always follows symlinks.
- Parameters:
file (str) – file to check
bash_ensure_nl_at_eof(file)
- TEMPLATE bash_comment_config_line
Macro to replace a configuration setting in a config file or add the configuration setting if it does not exist.
Note: the description and example calls in this entry refer to bash_replace_or_append; the signature listed below, bash_comment_config_line(config_file, key), takes only the configuration file and the key.
Example Calls:
With default format of 'key = value':
{{{ bash_replace_or_append('/etc/sysctl.conf', '^kernel.randomize_va_space', '2') }}}
With custom key/value format:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', 'disabled', '%s=%s') }}}
With a variable:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}}
- Parameters:
config_file (str) – Configuration file that will be modified
key (str) – Configuration option to change
value (str) – Value of the configuration option to change
format (str) – Optional argument. The printf-like format string that will be given the stripped key and value as arguments, so e.g. '%s=%s' will result in key=value (i.e. without spaces around =)
bash_comment_config_line(config_file, key)
- TEMPLATE bash_restrict_permissions_home_directories
Macro to restrict permissions in home directories of interactive users.
bash_restrict_permissions_home_directories(recursive=false)
- TEMPLATE bash_ensure_mount_option_for_vfstype
To see how the arguments correspond to an /etc/fstab entry, see the bash_ensure_mount_option_in_fstab documentation.
- Parameters:
vfstype (str) – type of filesystem
mount_opt (str) – mount point option which we are checking
fs_spec (str) – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
type (str) – mount type of new mount point (used when adding new entry in fstab)
bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, fs_spec, type)
- TEMPLATE bash_ensure_mount_option_in_fstab
Ensures that the given mount point is in /etc/fstab. If we look at an example invocation of this macro:
{{{ bash_ensure_mount_option_in_fstab("/home", "auto_da_alloc", "LABEL=t-home2", "ext4") }}}
The resulting /etc/fstab entry could look like this:
LABEL=t-home2 /home ext4 defaults,auto_da_alloc 0 2
- Parameters:
mount_point (str) – mount point
mount_opt (str) – mount point option whose presence in /etc/fstab we are ensuring
fs_spec (str) – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
type (str) – mount type of mount point (used when adding new entry in fstab)
bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type)
- TEMPLATE bash_assert_mount_point_in_fstab
Check whether mount_point is present in /etc/fstab; print an error to stderr and return 1 if not.
bash_assert_mount_point_in_fstab(mount_point)
- TEMPLATE bash_ensure_partition_is_mounted
Ensure that partition is mounted at mount_point with correct options, but only if the partition is already mounted.
bash_ensure_partition_is_mounted(mount_point)
- TEMPLATE bash_fix_audit_syscall_rule
Based on the example audit syscall rule definitions outlined in the /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit package. It combines multiple system calls belonging to the same syscall group into one audit rule (rather than creating one audit rule per system call) to avoid the audit infrastructure performance penalty of 'one-audit-rule-definition-per-one-system-call'.
Notes:
The action_arch_filters, other_filters and auid_filters arguments (second through fourth) are used to determine how many existing audit rules will be inspected for resemblance with the new audit rule the macro is going to add.
The macro's similarity check uses the syscall_groupings argument to optimize audit rule definitions (merge syscalls of the same group into one rule) to avoid the "single-syscall-per-audit-rule" performance penalty.
The key argument (seventh argument) is not used when the syscall is grouped into an existing audit rule. The audit rule will retain the key it already had.
- Parameters:
tool (str) – tool used to load audit rules, either 'auditctl', or 'augenrules'
action_arch_filters (str) – The action and arch filters of the rule. For example, “-a always,exit -F arch=b64”
other_filters (str) – Other filters that may characterize the rule. For example, “-F a2&03 -F path=/etc/passwd”
auid_filters (str) – The auid filters of the rule. For example, “-F auid>=” ~ uid_min ~ “ -F auid!=unset”
syscall (str) – The syscall whose presence among audit rules is ensured. For example, "chown"
syscall_groupings (str) – Other syscalls that can be grouped with ‘syscall’ as a space separated list. For example, “fchown lchown fchownat”
key (str) – The key to use when appending a new rule
bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key)
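The grouping rule described above, and the -p bit check described for bash_fix_audit_watch_rule, as an added example that is not the macro's generated code. It operates on a rules file passed as an argument (in reality /etc/audit/rules.d/*.rules for augenrules or /etc/audit/audit.rules for auditctl) and matches rules as text, the way the macros do; the rules file in the demonstration is constructed for it. The merged syscall joins the existing rule and keeps that rule's key; only a brand new rule receives the key argument.

```sh
#!/bin/sh
# Added example, not the project's macro output: merge a syscall into an
# existing audit rule of the same group, and verify a watch rule's -p bits.

# fix_audit_syscall_rule FILE ACTION_ARCH OTHER_FILTERS AUID_FILTERS SYSCALL GROUPING KEY
# A rule with the same action/arch, other and auid filters that already lists a
# syscall of GROUPING gains "-S SYSCALL" (its own key is kept); otherwise a new
# rule carrying KEY is appended.
fix_audit_syscall_rule() {
  f=$1
  touch "$f"
  awk -v aa="$2" -v other="$3" -v auid="$4" -v sc="$5" -v grp="$6" -v key="$7" '
    function syscalls(line,   n, i, p, out) {     # " a b c " for every "-S a" / "-S b,c"
      n = split(line, p, /[ \t]+/); out = " "
      for (i = 1; i < n; i++) if (p[i] == "-S") { gsub(/,/, " ", p[i+1]); out = out p[i+1] " " }
      return out
    }
    BEGIN { ng = split(grp, g, /[ \t]+/) }
    !done && index($0, aa) == 1 && (other == "" || index($0, other)) && (auid == "" || index($0, auid)) {
      have = syscalls($0)
      if (index(have, " " sc " ")) {
        done = 1                                    # already audited by this rule
      } else {
        for (i = 1; i <= ng; i++) if (index(have, " " g[i] " ")) {
          sub(/-S[ \t]+[^ \t]+/, "& -S " sc)        # same group: join this rule, keep its key
          done = 1; break
        }
      }
    }
    { print }
    END {
      if (!done) {
        rule = aa
        if (other != "") rule = rule " " other
        if (auid != "") rule = rule " " auid
        print rule " -S " sc " -k " key
      }
    }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# fix_audit_watch_rule FILE PATH BITS KEY
# An existing "-w PATH" rule is left alone if its -p argument already contains
# every letter of BITS; otherwise the -p argument is replaced. Missing rules
# are appended.
fix_audit_watch_rule() {
  f=$1
  touch "$f"
  awk -v path="$2" -v bits="$3" -v key="$4" '
    !done && $1 == "-w" && $2 == path {
      have = ""; pidx = 0
      for (i = 3; i < NF; i++) if ($i == "-p") { pidx = i + 1; have = $(pidx) }
      ok = 1
      for (j = 1; j <= length(bits); j++) if (index(have, substr(bits, j, 1)) == 0) ok = 0
      if (!ok) { if (pidx) $(pidx) = bits; else $0 = $0 " -p " bits }
      done = 1
    }
    { print }
    END { if (!done) print "-w " path " -p " bits " -k " key }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demonstration on a constructed rules file; prints the final file.
audit_demo() {
  f=$(mktemp)
  printf '%s\n' \
    '-a always,exit -F arch=b64 -S chown -S fchown -F auid>=1000 -F auid!=unset -k perm_mod' \
    '-w /etc/localtime -p w -k audit_time_rules' > "$f"
  aa64='-a always,exit -F arch=b64'; aa32='-a always,exit -F arch=b32'
  auid='-F auid>=1000 -F auid!=unset'; grp='chown fchown fchownat lchown'
  fix_audit_syscall_rule "$f" "$aa64" "" "$auid" lchown "$grp" perm_mod   # merged into rule 1
  fix_audit_syscall_rule "$f" "$aa32" "" "$auid" lchown "$grp" perm_mod   # no b32 rule yet: appended
  fix_audit_syscall_rule "$f" "$aa64" "" "$auid" lchown "$grp" perm_mod   # idempotent
  fix_audit_watch_rule "$f" /etc/localtime wa audit_time_rules            # "w" lacks "a": corrected
  fix_audit_watch_rule "$f" /etc/shadow wa identity                       # appended
  cat "$f"; rm -f "$f"
}
```

After `augenrules --load` (or `auditctl -R`), `auditctl -l` shows the loaded form; comparing that output, not the file, is what tells you whether a rule was actually merged or rejected by the kernel.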
- TEMPLATE update_etc_default_grub_manually
Ensures that /etc/default/grub file contains the arg_name_value.
- Parameters:
arg_name (str) – name of the grub parameter, e.g.: “audit”
arg_name_value (str) – parameter together with the value to ensure, e.g.: “audit=1”
update_etc_default_grub_manually(arg_name, arg_name_value)
- TEMPLATE grub2_bootloader_argument_remediation
Macro for Bash remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template.
- Parameters:
arg_name (str) – Kernel command line argument
arg_name_value (str) – Kernel command line argument concatenated with the value of this argument using an equal sign, eg. “noexec=off”.
grub2_bootloader_argument_remediation(arg_name, arg_name_value)
- TEMPLATE update_etc_default_grub_manually_absent
Ensures that /etc/default/grub file does not contain the arg_name_value.
- Parameters:
arg_name (str) – name of the grub parameter, e.g.: “audit”
update_etc_default_grub_manually_absent(arg_name)
- TEMPLATE grub2_bootloader_argument_absent_remediation
Macro for Bash remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template.
- Parameters:
arg_name (str) – Name of the kernel command line argument that will be removed from GRUB 2 configuration.
grub2_bootloader_argument_absent_remediation(arg_name)
- TEMPLATE bash_pkg_conditional
This macro creates a Bash conditional which is used to determine if a remediation is applicable. The macro takes a package as an argument and chooses the appropriate package manager. If the package is installed and satisfies the optional version restriction, the Bash remediation will be applied. The macro respects the platform_package_overrides variable.
- Parameters:
package (str) – package name
op (str) – version comparison operator (optional argument, “<”, “<=”, “==”, “!=”, “>”, “>=”)
ver (str) – package version (optional argument, use together with “op”)
bash_pkg_conditional(package, op=None, ver=None)
- TEMPLATE bash_get_rpm_package_version
This macro generates code that gets version of an installed RPM package.
- Parameters:
package (str) – package name
bash_get_rpm_package_version(package)
- TEMPLATE bash_pkg_conditional_compare
This macro creates a Bash conditional that compares version of the package with a given version.
Description of the algorithm:
Get the actual version of the given package and store it in real.
Store the expected version in ver.
Perform the comparison and return the result. The comparison method depends on the comparison operator, and the method's code is chosen at build time during Jinja expansion, so the generated Bash does not evaluate the operator at run time. Based on the operator, these operations are performed:
"<": real != ver && is_sorted([real, ver])
"<=": is_sorted([real, ver])
"==": real == ver
"!=": real != ver
">=": is_sorted([ver, real])
">": real != ver && is_sorted([ver, real])
where is_sorted returns true if the given list is a sorted list of version numbers.
The implementation uses the GNU sort version ordering, which is described at: https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-ordering
- Parameters:
real (str) – real package version
op (str) – version comparison operator (“<”, “<=”, “==”, “!=”, “>”, “>=”)
expected (str) – expected package version
bash_pkg_conditional_compare(real, op, expected)
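The is_sorted-based comparison above, as an added example written as shell functions (not the project's generated code). It relies on GNU "sort -V" for the ordering, as the macro does, and evaluates the operator at run time where the macro selects the branch during Jinja expansion. The rpm helper is included to show how to satisfy the epoch assumption stated for bash_compare_version below; it is not exercised here.

```sh
#!/bin/sh
# Added example, not the project's generated code: version comparison built on
# GNU version sort. Assumes GNU coreutils (sort -V).

# version_is_sorted A B: true when A sorts at or before B in version order.
version_is_sorted() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# compare_version REAL OP EXPECTED: exit status 0 when "REAL OP EXPECTED" holds.
compare_version() {
  real=$1; op=$2; expected=$3
  case $op in
    '<')  [ "$real" != "$expected" ] && version_is_sorted "$real" "$expected" ;;
    '<=') version_is_sorted "$real" "$expected" ;;
    '==') [ "$real" = "$expected" ] ;;
    '!=') [ "$real" != "$expected" ] ;;
    '>=') version_is_sorted "$expected" "$real" ;;
    '>')  [ "$real" != "$expected" ] && version_is_sorted "$expected" "$real" ;;
    *)    printf 'compare_version: unsupported operator %s\n' "$op" >&2; return 2 ;;
  esac
}

# rpm_version_with_epoch PACKAGE: prints EPOCH:VERSION-RELEASE for an installed
# RPM, turning rpm's "(none)" epoch into "0" so that both sides of a comparison
# carry an epoch. Otherwise "0:1.2" and "1.2" would not compare equal (see the
# bash_compare_version assumptions). Needs rpm; not run in the demonstration.
rpm_version_with_epoch() {
  rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$1" | sed 's/^(none):/0:/'
}
```

Note that version sort is what makes "2.10" greater than "2.9"; a plain string test would get that wrong, which is the usual source of off-by-one-release bugs in hand-written package conditionals.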
- TEMPLATE bash_compare_version
This macro generates comparison code based on the operator.
Assumptions:
Version arguments are either literal, or they expand to versions (e.g. the argument is a dereferenced variable).
Either all versions have an epoch, or none of them has. Violating this results in undefined behavior: if one version has an epoch, e.g. 0, and the other one has no epoch, they will not be treated as equal.
- Parameters:
real (str) – real package version
op (str) – version comparison operator (“<”, “<=”, “==”, “!=”, “>”, “>=”)
expected (str) – expected package version
bash_compare_version(real, op, expected)
- TEMPLATE bash_pkg_conditional_rpm
This macro creates a Bash conditional which uses rpm to check if a package passed as a parameter is installed.
- Parameters:
package (str) – package name
op (str) – version comparison operator (“<”, “<=”, “==”, “!=”, “>”, “>=”)
ver (str) – package version (optional argument, use together with “op”) The version always needs to contain epoch. If the package has no epoch, please prepend “0:”.
bash_pkg_conditional_rpm(package, op=None, ver=None)
- TEMPLATE bash_get_dpkg_package_version
This macro generates code that gets version of an installed DEB package.
- Parameters:
package (str) – package name
bash_get_dpkg_package_version(package)
- TEMPLATE bash_compare_version_dpkg
This macro creates a Bash conditional that compares version of the DEB package with a given version.
- Parameters:
package (str) – package name
op (str) – version comparison operator (“<”, “<=”, “==”, “!=”, “>”, “>=”)
ver (str) – package version (optional argument, use together with “op”)
bash_compare_version_dpkg(package, op, ver)
- TEMPLATE bash_pkg_conditional_dpkg
This macro creates a Bash conditional which uses dpkg to check if a package passed as a parameter is installed.
- Parameters:
package (str) – package name
op (str) – version comparison operator (optional argument, “<”, “<=”, “==”, “!=”, “>”, “>=”)
ver (str) – package version (optional argument, use together with “op”)
bash_pkg_conditional_dpkg(package, op=None, ver=None)
- TEMPLATE bash_chromium_pol_setting
Macro to replace configuration setting(s) in the Chromium STIG policy (.json) file, or add the preference if it does not exist.
Example macro invocation:
{{{ bash_chromium_pol_setting("chrome_stig_policy.json", "/etc/chromium/policies/managed/", "ExtensionInstallBlacklist", "\[\"*\"\]") }}}
- Parameters:
chrome_pol_file (str) – Policy file that will be modified
chrome_pol_dir (str) – Directory where the policy file is located
pol_setting (str) – The setting that will be modified
pol_setting_val (str) – Value of the setting to replace the current value with
pol_setting_val_edit (str) – Value of the setting to be inserted if setting and value not present
bash_chromium_pol_setting(chrome_pol_file, chrome_pol_dir, pol_setting, pol_setting_val, pol_setting_val_edit=None)
- TEMPLATE iterate_over_find_output
Macro that lets you define the body of a loop that iterates over the output of the find command. Use with the call block syntax:
{{% call iterate_over_find_output("fname", "mydir -name *.conf") %}} …
iterate_over_find_output(varname, find_args=””)
- TEMPLATE iterate_over_command_output
Macro that lets you define the body of a loop that iterates over the output of any command. Use with the call block syntax:
{{% call iterate_over_command_output("fname", "awk … myfile") %}} …
iterate_over_command_output(varname, command_and_its_args)
- TEMPLATE bash_ensure_ini_config
Ensure key is set to the correct value under the correct section in an .ini style config file.
Example macro invocation(s):
{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "offline_credentials_expiration", "1") }}}
{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") }}}
- Parameters:
files (str) – space-separated list of files to add key = value to (may contain wildcards); if none of them contains the section, the section is created in and appended to the FIRST file
section (str) – section to add key = value under
key (str) – key
value (str) – value
no_quotes (bool) – If true the value is not quoted. Default is true.
bash_ensure_ini_config(files, section, key, value, no_quotes=true)
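The section-aware behaviour described for this macro, as an added example (not the macro's output): the key is written into the first file whose [section] exists, otherwise into the first existing file, where the section is created; a key that already exists in the section is replaced in place. The no_quotes parameter is not modelled. The sssd.conf and conf.d/10-local.conf contents used in the demonstration are constructed for it.

```sh
#!/bin/sh
# Added example, not the project's macro output: enforce "key = value" under a
# section across a list of .ini files that may contain wildcards.

# ensure_ini_config "FILES" SECTION KEY VALUE
ensure_ini_config() {
  files=$1; section=$2; key=$3; value=$4
  target=""; first=""
  for f in $files; do                     # unquoted on purpose: wildcards must expand
    [ -e "$f" ] || continue
    [ -n "$first" ] || first=$f
    if grep -qE "^[[:space:]]*\[$section\][[:space:]]*$" "$f"; then target=$f; break; fi
  done
  [ -n "$target" ] || target=$first
  [ -n "$target" ] || target=${files%% *}   # nothing exists yet: create the first name
  touch "$target"
  awk -v s="$section" -v k="$key" -v v="$value" '
    function trim(x) { sub(/^[ \t]+/, "", x); sub(/[ \t]+$/, "", x); return x }
    function flush() { printf "%s", blanks; blanks = "" }
    in_sec && /^[ \t]*$/ { blanks = blanks $0 "\n"; next }   # hold blank lines so an added key lands above them
    /^[ \t]*\[/ {                                              # a section header
      if (in_sec && !done) { print k " = " v; done = 1 }      # leaving our section without the key: add it
      in_sec = (trim($0) == "[" s "]")
      if (in_sec) seen = 1
    }
    in_sec && !done && /^[ \t]*[^#;[ \t]/ {                   # a "key = value" line inside our section
      split($0, kv, "=")
      if (trim(kv[1]) == k) { flush(); print k " = " v; done = 1; next }
    }
    { flush(); print }
    END {
      if (!done) { if (!seen) print "[" s "]"; print k " = " v }
      flush()
    }
  ' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
}

# Demonstration on a constructed sssd-like tree; prints the directory used.
ini_demo() {
  d=$(mktemp -d); mkdir -p "$d/conf.d"
  printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = example' '' '[pam]' \
    'offline_credentials_expiration = 7' > "$d/sssd.conf"
  printf '%s\n' '[nss]' 'filter_groups = root' > "$d/conf.d/10-local.conf"
  files="$d/sssd.conf $d/conf.d/*.conf"
  ensure_ini_config "$files" pam offline_credentials_expiration 1    # value replaced in place
  ensure_ini_config "$files" sssd user sssd                          # appended to [sssd]
  ensure_ini_config "$files" nss filter_users root                   # [nss] lives in the drop-in
  ensure_ini_config "$files" domain/example ldap_tls_reqcert demand  # new section in the first file
  printf '%s\n' "$d"
}
```

Because sssd reads conf.d/*.conf after sssd.conf and the later definition wins there, putting the key into the file that already holds the section is what keeps the result unambiguous.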
- TEMPLATE bash_ensure_pam_module_line
Make sure that a line with a specific PAM module is present with the correct control. If the line is not present, it will be included after the regex given in the "after_match" parameter. If the "after_match" parameter is empty, the line will be included at the end of the file given in the "pam_file" parameter.
If the line was already present, but with a different control, the control will be updated. Note: if there are multiple lines matching the "group" + "module", no lines will be updated. Instead, a new line will be included after the regex given in "after_match", or at the end of file if the "after_match" parameter is empty or there is no match.
This is a conservative safeguard against improper use of this macro in the rare cases of modules configured by multiple lines, like pam_sss.so, pam_faillock.so and pam_lastlog.so. In some situations, these special modules may have similar lines sharing the same "group" and "module". For these specific cases, this macro is not recommended without careful tests to make sure the PAM module is working as expected. Otherwise, a custom remediation should be considered.
- Parameters:
pam_file (str) – PAM config file.
group (str) – PAM management group: auth, account, password or session. Also known as “type”.
control (str) – PAM control flags.
module (str) – PAM module name.
after_match (str) – Regex used as reference to append a line, if necessary. Optional parameter. Note: for this macro, there is a special value used to include a line at the beginning of the file: "BOF"
bash_ensure_pam_module_line(pam_file, group, control, module, after_match='')
- TEMPLATE bash_ensure_pam_module_option
Make sure that an existing PAM module line is properly configured with an option.
- Parameters:
pam_file (str) – PAM config file.
group (str) – PAM management group: auth, account, password or session. Also known as “type”.
control (str) – PAM control flags.
module (str) – PAM module name.
option (str) – PAM module option.
value (str) – PAM module option argument, if applicable. Optional parameter.
after_match (str) – Regex used as reference to include the PAM line below, if necessary. Optional parameter.
bash_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='')
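The rules described for bash_ensure_pam_module_line (update the control of a single matching line; add a new line after "after_match", at "BOF", or at the end when zero or several lines match) and for bash_ensure_pam_module_option (add the option or replace its value on that line), as an added example that is not the project's macro code. It edits a file passed as an argument; the PAM stack in the demonstration is constructed for it. On an authselect system the real macros edit the custom profile rather than /etc/pam.d, which is the part this example does not cover.

```sh
#!/bin/sh
# Added example, not the project's macro code: ensure a PAM module line and its
# options in a file given as an argument (a scratch copy here, never /etc/pam.d).

# Escape a module name such as pam_unix.so for use inside an ERE.
pam_re_escape() { printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'; }

# The control field is one word or a bracketed list such as [success=1 default=bad].
PAM_CTRL_RE='(\[[^]]*\]|[^[:space:]]+)'

# ensure_pam_module_line FILE GROUP CONTROL MODULE [AFTER_MATCH]
ensure_pam_module_line() {
  f=$1; group=$2; control=$3; module=$4; after_match=${5:-}
  mod_re=$(pam_re_escape "$module")
  line_re="^[[:space:]]*$group[[:space:]]+$PAM_CTRL_RE[[:space:]]+$mod_re([[:space:]]|$)"
  matches=$(grep -cE "$line_re" "$f" || true)
  if [ "$matches" -eq 1 ]; then           # exactly one line: only its control is touched
    sed -E "s/^([[:space:]]*$group[[:space:]]+)$PAM_CTRL_RE([[:space:]]+$mod_re)/\1$control\3/" \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    return 0
  fi
  # zero or several matches: add a new line rather than guessing which one to edit
  new="$group $control $module"
  if [ "$after_match" = "BOF" ]; then
    { printf '%s\n' "$new"; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
    return 0
  fi
  n=""
  if [ -n "$after_match" ]; then
    n=$(grep -nE "$after_match" "$f" | head -n 1 | cut -d: -f1)
  fi
  if [ -z "$n" ]; then
    printf '%s\n' "$new" >> "$f"
  else
    awk -v n="$n" -v line="$new" 'NR == n { print; print line; next } { print }' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  fi
}

# ensure_pam_module_option FILE GROUP CONTROL MODULE OPTION [VALUE] [AFTER_MATCH]
# Adds OPTION (or OPTION=VALUE) to the single matching line, replacing the
# value if the option is already there. Refuses to edit when several lines
# match, since it cannot tell which one is meant.
ensure_pam_module_option() {
  f=$1; group=$2; control=$3; module=$4; option=$5; value=${6:-}
  ensure_pam_module_line "$f" "$group" "$control" "$module" "${7:-}"
  mod_re=$(pam_re_escape "$module")
  line_re="^[[:space:]]*$group[[:space:]]+$PAM_CTRL_RE[[:space:]]+$mod_re([[:space:]]|$)"
  [ "$(grep -cE "$line_re" "$f" || true)" -eq 1 ] || return 1
  awk -v g="$group" -v m="$module" -v o="$option" -v v="$value" '
    !done && $1 == g {
      idx = 0
      for (i = 2; i <= NF; i++) if ($i == m) { idx = i; break }   # locate the module field
      if (idx) {
        want = (v == "") ? o : o "=" v
        found = 0
        for (i = idx + 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == o) { $i = want; found = 1 } }
        if (!found) $0 = $0 " " want
        done = 1
      }
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demonstration on a constructed auth stack; prints the path of the edited copy.
pam_demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
  ensure_pam_module_line "$f" auth required pam_faillock.so '^auth.*pam_unix\.so'      # new line after pam_unix
  ensure_pam_module_option "$f" auth required pam_faillock.so preauth ""              # bare option
  ensure_pam_module_option "$f" auth required pam_faillock.so deny 5                  # option=value
  ensure_pam_module_line "$f" auth '[success=1 default=bad]' pam_unix.so              # control updated in place
  ensure_pam_module_line "$f" account required pam_faillock.so '^account.*pam_unix\.so'
  printf '%s\n' "$f"
}
```

A real pam_faillock deployment needs both a preauth and an authfail line in the auth stack; with two lines sharing group and module the single-line update above no longer applies, which is exactly the multi-line case the page warns about.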
- TEMPLATE bash_remove_pam_module_option
Remove a PAM module option if present in a PAM module line.
- Parameters:
pam_file (str) – PAM config file.
group (str) – PAM management group: auth, account, password or session. Also known as “type”.
control (str) – PAM control flags. Optional parameter, but recommended to be given whenever possible.
module (str) – PAM module name.
option (str) – PAM module option.
bash_remove_pam_module_option(pam_file, group, control, module, option)
- TEMPLATE bash_check_authselect_integrity
Macro used to check if authselect files are intact. When used, it will exit the respective script if any authselect file was modified without proper use of authselect tool and respective profiles.
bash_check_authselect_integrity()
- TEMPLATE bash_ensure_authselect_custom_profile
Macro used to ensure a custom authselect profile is in use before changing any PAM file. This macro is useful in cases where an authselect profile doesn't provide a feature to enable the desired PAM module or option; in these cases, a custom authselect profile is necessary. If the system already uses a custom authselect profile, no action is necessary. Otherwise, a new custom profile will be created based on the current profile, preserving the already enabled features. Custom profiles are only recommended if an authselect feature for the same purpose is not available. In any case, this macro will also set the "CURRENT_PROFILE" variable, which is also used in the "bash_ensure_pam_variables_and_authselect_profile" macro.
bash_ensure_authselect_custom_profile()
- TEMPLATE bash_ensure_pam_module_configuration
Make sure that an existing PAM module line is properly configured, in alignment with the current system configuration. This macro is compatible with custom authselect profiles if the system relies on authselect. Otherwise, the PAM files will be directly edited.
- Parameters:
pam_file (str) – PAM config file.
group (str) – PAM management group: auth, account, password or session. Also known as “type”.
control (str) – PAM control flags.
module (str) – PAM module name.
option (str) – PAM module option. Optional parameter.
value (str) – PAM module option argument, if applicable. Optional parameter.
after_match (str) – Regex used as reference to include the PAM line below, if necessary. Optional parameter.
bash_ensure_pam_module_configuration(pam_file, group, control, module, option='', value='', after_match='')
- TEMPLATE bash_remove_pam_module_option_configuration
Remove a PAM module option from an existing PAM module line. This macro is compatible with custom authselect profiles if the system relies on authselect. Otherwise, the PAM files will be directly edited.
- Parameters:
pam_file (str) – PAM config file.
group (str) – PAM management group: auth, account, password or session. Also known as “type”.
control (str) – PAM control flags. Optional parameter, but recommended whenever possible.
module (str) – PAM module name.
option (str) – PAM module option.
bash_remove_pam_module_option_configuration(pam_file, group, control, module, option)
- TEMPLATE find_python
Macro to insert script to find a Python interpreter on the target system.
find_python()
- TEMPLATE find_firefox
Macro to insert script to find Mozilla Firefox location on the target system.
find_firefox()
- TEMPLATE bash_os_linux_conditional
This macro creates a Bash conditional which is used to determine if a remediation is applicable. The condition compares the actual version of the operating system with the expected version using the given operator. The macro takes the operating system name ID as an argument. If the operating system conforms and satisfies the optional version restriction, the Bash remediation will be applied.
- Parameters:
os_id (str) – OS name, value of the ID variable in /etc/os-release
expected_ver (str) – expected OS version, value of the VERSION_ID variable in /etc/os-release (optional argument, use together with “op”)
op (str) – version comparison operator (optional argument, “<”, “<=”, “==”, “!=”, “>”, “>=”)
os_release_path (str) – path to the os-release file, default: “/etc/os-release”
bash_os_linux_conditional(os_id, expected_ver=None, op=None, os_release_path="/etc/os-release")
- TEMPLATE bash_compare_version_os_linux
This macro generates a Bash condition that compares the actual version of the operating system with the expected version using the given operator.
- Parameters:
expected (str) – expected OS version, value of the VERSION_ID variable in /etc/os-release
op (str) – version comparison operator (“<”, “<=”, “==”, “!=”, “>”, “>=”)
os_release_path (str) – path to the os-release file, default: “/etc/os-release”
bash_compare_version_os_linux(expected, op, os_release_path="/etc/os-release")
- TEMPLATE bash_get_version_os_linux
This macro generates code that retrieves the operating system version from the VERSION_ID variable in /etc/os-release.
- Parameters:
os_release_path (str) – path to the os-release file, default: “/etc/os-release”
bash_get_version_os_linux(os_release_path="/etc/os-release")
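Added example, not the macros' generated code: shell functions with the semantics described for bash_get_version_os_linux, bash_compare_version_os_linux and bash_os_linux_conditional, chained the way the three macros build on each other. Version ordering is assumed to come from GNU "sort -V", and the os-release file is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the ComplianceAsCode macros' generated code: shell
# functions with the semantics described for bash_get_version_os_linux,
# bash_compare_version_os_linux and bash_os_linux_conditional. Version
# ordering relies on GNU "sort -V". The os-release file is constructed.

get_version_os_linux() {
    # Print VERSION_ID from an os-release file (surrounding quotes stripped).
    local os_release_path="${1:-/etc/os-release}"
    sed -n 's/^VERSION_ID=//p' "$os_release_path" | tr -d "\"'"
}

compare_version_os_linux() {
    # Usage: compare_version_os_linux EXPECTED OP [OS_RELEASE_PATH]
    # Returns 0 when "ACTUAL OP EXPECTED" holds, 1 when it does not,
    # 2 for a missing version or an unknown operator.
    local expected="$1" op="$2" os_release_path="${3:-/etc/os-release}"
    local actual lowest eq=1 lt=1     # 0 means true, shell style
    actual=$(get_version_os_linux "$os_release_path")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ] && eq=0
    # sort -V orders 9.4 before 9.10; a plain string compare would not.
    lowest=$(printf '%s\n%s\n' "$actual" "$expected" | sort -V | head -n 1)
    [ $eq -ne 0 ] && [ "$lowest" = "$actual" ] && lt=0
    case "$op" in
        '==') return $eq ;;
        '!=') [ $eq -ne 0 ] ;;
        '<')  return $lt ;;
        '<=') [ $lt -eq 0 ] || [ $eq -eq 0 ] ;;
        '>')  [ $lt -ne 0 ] && [ $eq -ne 0 ] ;;
        '>=') [ $lt -ne 0 ] ;;
        *)    return 2 ;;
    esac
}

os_linux_conditional() {
    # Usage: os_linux_conditional OS_ID [EXPECTED OP] [OS_RELEASE_PATH]
    # True when ID matches and, if EXPECTED and OP are given, the version
    # restriction holds as well.
    local os_id="$1" expected="$2" op="$3" os_release_path="${4:-/etc/os-release}"
    local id
    id=$(sed -n 's/^ID=//p' "$os_release_path" | tr -d "\"'")
    [ "$id" = "$os_id" ] || return 1
    if [ -n "$expected" ] && [ -n "$op" ]; then
        compare_version_os_linux "$expected" "$op" "$os_release_path"
    fi
}

# Constructed os-release, standing in for /etc/os-release on a target.
SAMPLE_OS_RELEASE=$(mktemp)
trap 'rm -f "$SAMPLE_OS_RELEASE"' EXIT
cat > "$SAMPLE_OS_RELEASE" <<'EOF'
NAME="Red Hat Enterprise Linux"
ID="rhel"
VERSION_ID="9.4"
EOF

if os_linux_conditional rhel 9.0 '>=' "$SAMPLE_OS_RELEASE"; then
    echo "remediation applies (rhel >= 9.0)"
else
    echo "remediation skipped"
fi
```

The guard matters for remediation safety: a fix written for one release applied to another can disable a service or rewrite a file that does not exist in that layout. Returning a distinct status (2) when VERSION_ID is absent lets the caller tell "not applicable" from "could not determine", instead of silently applying or silently skipping.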
- TEMPLATE bash_remove_interactive_users_from_passwd_by_uid
Remove all interactive users (UID >= uid_min) from /etc/passwd
bash_remove_interactive_users_from_passwd_by_uid()
- TEMPLATE bash_enable_dconf_user_profile
Macro for enabling dconf user profile in /etc/dconf/profile/<PROFILE>
The macro adds the following lines to the profile:
user-db:user
system-db:<DATABASE>
If the profile exists but does not contain the above lines, the lines will be inserted at the beginning of the profile.
- Parameters:
profile (str) – name of dconf profile (e.g. user, gdm)
database (str) – name of dconf database (e.g. local, gdm)
bash_enable_dconf_user_profile(profile, database)
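Added example, not the macro's generated code: a shell function with the behaviour described for bash_enable_dconf_user_profile (create the profile, or insert the two lines at the top of an existing one), run against a constructed profile directory instead of /etc/dconf/profile. Dropping stale copies of the same lines further down the file is an assumption of this version, added so the database is not listed twice.

```shell
#!/usr/bin/env bash
# Added example, not the ComplianceAsCode macro's generated code: a shell
# function with the semantics described for bash_enable_dconf_user_profile.
# The profile directory and its pre-existing profile are constructed.

enable_dconf_user_profile() {
    # Usage: enable_dconf_user_profile PROFILE DATABASE [PROFILE_DIR]
    local profile="$1" database="$2" dir="${3:-/etc/dconf/profile}"
    local file="$dir/$profile"
    mkdir -p "$dir"
    if [ ! -f "$file" ]; then
        # No profile yet: create it with exactly the two required lines.
        printf 'user-db:user\nsystem-db:%s\n' "$database" > "$file"
        return 0
    fi
    # Already enabled: both lines present, nothing to do (idempotent).
    if grep -qx 'user-db:user' "$file" && grep -qx "system-db:$database" "$file"; then
        return 0
    fi
    # Otherwise put both lines at the top. dconf reads databases in order, so
    # the lines go first; stale copies further down are dropped (assumption
    # of this example) so the database is not listed twice.
    local tmp
    tmp=$(mktemp)
    {
        printf 'user-db:user\nsystem-db:%s\n' "$database"
        grep -vx -e 'user-db:user' -e "system-db:$database" "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"    # cat keeps the profile's owner and mode
    rm -f "$tmp"
}

# Constructed profile directory with a pre-existing "user" profile that
# lists only a site database.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'system-db:site\n' > "$DEMO_DIR/user"

enable_dconf_user_profile user local "$DEMO_DIR"
cat "$DEMO_DIR/user"
```

Running it twice leaves the file unchanged, which is the property a remediation needs so that repeated scans and fixes do not keep growing the profile. A later lockdown of GNOME settings (for example a screensaver lock) only takes effect if the profile names the database the keys are written to, so this is the step that makes those settings enforceable.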
- TEMPLATE bash_bootc_build
This macro defines a conditional expression that is evaluated as true if the remediation is performed during a build of a bootable container image.
bash_bootc_build()
- TEMPLATE bash_not_bootc_build
This macro defines a conditional expression that is evaluated as true if the remediation is not performed during a build of a bootable container image.
bash_not_bootc_build()
- TEMPLATE bash_arch_conditional
This macro creates a Bash conditional which checks the system architecture in /proc/sys/kernel/{osrelease,arch}
- Parameters:
arch (str) – system architecture (x86_64, aarch64, s390x, ppc64le, …)
bash_arch_conditional(arch)