Fix Text

TEMPLATE fixtext_audit_file_watch_rule

How to fix an audit rule that watches a file.

Parameters:
  • path (str) – Full path of file to watch

  • key (str) – Auditd key (-k) used to tag the events this rule produces

  • rule_path (str) – Full path to where the rule wil

fixtext_audit_file_watch_rule(path, key, rule_path)

TEMPLATE fixtext_audit_rules_file_deletion_events

Generate a fixtext for audit rules for file deletion events

Parameters:
  • syscall (str) – syscall name

fixtext_audit_rules_file_deletion_events(syscall)

TEMPLATE fixtext_audit_rules_dac_modification_chmod

Generate a fixtext for audit rules for dac modification events - chmod

Parameters:
  • syscall (str) – syscall name

fixtext_audit_rules_dac_modification_chmod(syscall)

TEMPLATE fixtext_audit_rules_dac_modification_chown

Generate a fixtext for audit rules for dac modification events - chown

Parameters:
  • syscall (str) – syscall name

fixtext_audit_rules_dac_modification_chown(syscall)

TEMPLATE fixtext_audit_rules_dac_modification_attr

Generate a fixtext for audit rules for dac modification events - attr

Parameters:
  • syscall (str) – syscall name

fixtext_audit_rules_dac_modification_attr(syscall)

TEMPLATE fixtext_audit_rules_unsuccessful_file_modification

Generate a fixtext for audit rules for unsuccessful file modification. Used in rules using the template audit_rules_unsuccessful_file_modification.

Parameters:
  • syscall (str) – syscall name

  • syscall_grouping (list[str]) – A list of other syscalls that can be audited with the same audit rules.

fixtext_audit_rules_unsuccessful_file_modification(syscall, syscall_grouping)

TEMPLATE fixtext_audit_rules_unsuccessful_file_modification_o_creat

Generate a fixtext for audit rules for unsuccessful file modification when the O_CREAT flag is specified. Used in rules using the template audit_rules_unsuccessful_file_modification_o_creat.

Parameters:
  • syscall (str) – syscall name

  • pos (str) – position of the flags argument (the one that carries O_CREAT) in the syscall parameters, e.g. a1 for open and a2 for openat

fixtext_audit_rules_unsuccessful_file_modification_o_creat(syscall, pos)

TEMPLATE fixtext_audit_rules_unsuccessful_file_modification_o_trunc_write

Generate a fixtext for audit rules for unsuccessful file modification when the file is opened for writing or truncation (O_WRONLY/O_RDWR or O_TRUNC; there is no single O_TRUNC_WRITE flag, the name refers to this combination). Used in rules using the template audit_rules_unsuccessful_file_modification_o_trunc_write.

Parameters:
  • syscall (str) – syscall name

  • pos (str) – position of the flags argument (the one that carries O_TRUNC and the access mode) in the syscall parameters, e.g. a1 for open and a2 for openat

fixtext_audit_rules_unsuccessful_file_modification_o_trunc_write(syscall, pos)

TEMPLATE fixtext_audit_rules_unsuccessful_file_modification_rule_order

Generate a fixtext for the ordering of audit rules for unsuccessful file modification. Used in rules using the template audit_rules_unsuccessful_file_modification_rule_order.

Parameters:
  • syscall (str) – syscall name

fixtext_audit_rules_unsuccessful_file_modification_rule_order(syscall)
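The audit fixtexts above all end up as lines in a rules file. The shell below is an added example, not one of the project's macros, that builds those lines (file watch, unsuccessful-modification rules with the O_CREAT and O_TRUNC/write flag filters, and the rule-order check) into a scratch directory so they can be inspected before being copied to /etc/audit/rules.d/. The key names, the file name and the scratch directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not one of the project's macros: build the auditd rules the
# fixtexts above describe and check their order.  Key names, the rules file
# name and the scratch directory are assumptions for the illustration.

# Watch rule: record writes and attribute changes of file $1 under key $2.
audit_file_watch_rule() {
    printf '%s\n' "-w $1 -p wa -k $2"
}

# Unsuccessful-modification rules: one per (ABI, errno) pair, limited to
# real users (auid >= 1000 and set).  $1 = comma-separated syscalls,
# $2 = key, $3 = extra -F filters (optional).
audit_unsuccessful_rules() {
    for arch in b32 b64; do
        for err in EACCES EPERM; do
            printf '%s\n' "-a always,exit -F arch=$arch -S $1 ${3:+$3 }-F exit=-$err -F auid>=1000 -F auid!=unset -k $2"
        done
    done
}

# Flags filter for the open family.  The flags argument is a1 for open(2)
# and a2 for openat(2).  O_CREAT is octal 0100; "aN&01003" is non-zero when
# O_TRUNC (01000), O_WRONLY (01) or O_RDWR (02) is set.
open_flag_filter() {            # $1 = a1|a2, $2 = creat|trunc_write
    case $2 in
        creat)       printf '%s' "-F $1&0100" ;;
        trunc_write) printf '%s' "-F $1&01003" ;;
        *)           return 1 ;;
    esac
}

# Write one rules file into directory $1 and print its path.
write_rules_file() {
    out=$1/30-unsuccessful-access.rules
    {
        audit_file_watch_rule /etc/sudoers actions
        # Specific rules first: the kernel walks the exit filter list from
        # the top and the first matching rule decides the key, so a general
        # "any failed openat" rule placed above these would swallow them.
        audit_unsuccessful_rules openat creation     "$(open_flag_filter a2 creat)"
        audit_unsuccessful_rules openat modification "$(open_flag_filter a2 trunc_write)"
        audit_unsuccessful_rules openat,open_by_handle_at access
        audit_unsuccessful_rules unlink,unlinkat,rename,renameat delete
    } > "$out"
    printf '%s\n' "$out"
}

# Print "line:rule" for every rule in $1 whose -S list names syscall $2.
rules_for_syscall() {
    awk -v sc="$2" '{
        for (i = 1; i < NF; i++) if ($i == "-S") {
            n = split($(i + 1), list, ",")
            for (j = 1; j <= n; j++) if (list[j] == sc) { print NR ":" $0; next }
        }
    }' "$1"
}

# Rule-order check (what the _rule_order fixtext asks for): the last rule
# with a flags filter (aN&...) for syscall $2 must precede the first rule
# for it without one.  Returns 0 when the order is right.
check_rule_order() {            # $1 = rules file, $2 = syscall
    first_general=$(rules_for_syscall "$1" "$2" | grep -v 'a[0-9]&' | head -n 1 | cut -d: -f1)
    last_flagged=$(rules_for_syscall "$1" "$2" | grep 'a[0-9]&' | tail -n 1 | cut -d: -f1)
    if [ -z "$first_general" ] || [ -z "$last_flagged" ]; then
        return 0
    fi
    [ "$last_flagged" -lt "$first_general" ]
}
```

After copying the generated file into /etc/audit/rules.d/, load it with augenrules --load and confirm with auditctl -l; the order shown there is the order the kernel evaluates.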

TEMPLATE fixtext_dconf_ini_file

Human-readable text describing how to set a value in a dconf keyfile (ini format)

Parameters:
  • section (str) – Section in which the value is set

  • parameter (str) – parameter to be changed

  • value (str) – value to be set

fixtext_dconf_ini_file(section, parameter, value)

TEMPLATE fixtext_dconf_lock_settings

Human readable text for how to lock dconf settings

Parameters:
  • section (str) – Section of the value to be locked

fixtext_dconf_lock_settings(section)
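The two dconf fixtexts above describe a keyfile edit and a matching lock. As an added example that is not part of the project, the shell below does both against a scratch copy of the local database directory: ini_set is a general idempotent keyfile setter (it replaces a key inside its section instead of appending a duplicate), and dconf_lock writes the absolute key path the locks directory expects. The section, key and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the project: an idempotent keyfile setter plus
# the dconf lock that goes with it, written into a scratch copy of
# /etc/dconf/db/local.d ($1).  Section, key and file names are assumptions.

# Set key=value under [section] in keyfile $1, replacing an existing key in
# that section or appending the section if it is missing.  Values go through
# awk -v, so backslashes in $4 would be interpreted as escapes.
ini_set() {                      # $1 = file, $2 = section, $3 = key, $4 = value
    touch "$1"
    awk -v s="$2" -v k="$3" -v v="$4" '
        BEGIN { sec = ""; done = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having written the key
            if (sec == s && !done) { print k "=" v; done = 1 }
            sec = substr($0, 2, length($0) - 2)
        }
        sec == s && index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END {
            if (!done) {
                if (sec != s) { if (NR > 0) print ""; print "[" s "]" }
                print k "=" v
            }
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Keyfile entry: section paths are relative (org/gnome/login-screen).
dconf_ini_set() {                # $1 = db dir, $2 = section, $3 = key, $4 = value
    ini_set "$1/00-security" "$2" "$3" "$4"
}

# Lock entry: one absolute key path per line; a locked key cannot be
# overridden from the user's own database.
dconf_lock() {                   # $1 = db dir, $2 = section, $3 = key
    mkdir -p "$1/locks"
    touch "$1/locks/00-security"
    grep -qxF "/$2/$3" "$1/locks/00-security" || printf '/%s/%s\n' "$2" "$3" >> "$1/locks/00-security"
}
```

Copy the resulting files into /etc/dconf/db/local.d/ (and its locks/ subdirectory) and run dconf update; without the lock, a user can still override the value in their own database.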

TEMPLATE fixtext_sshd_lineinfile

Describe how to fix an sshd configuration option

Parameters:
  • parameter (str) – parameter to set

  • value (str) – Value to set

  • config_is_distributed (bool) – Whether the value should go in the 00-complianceascode-hardening.conf drop-in file instead of the main sshd config file

fixtext_sshd_lineinfile(parameter, value, config_is_distributed)
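The choice between the drop-in and the main file matters because sshd keeps the first value it reads for a keyword: a drop-in only takes effect if the Include line precedes any active setting of the same keyword in sshd_config, and the 00- prefix sorts it ahead of other drop-ins. The shell below is an added example, not the project's own remediation, that applies a setting either way and handles that precedence; the main config path is a parameter so it runs against a scratch copy, and the Include line it inserts is an assumption about the layout.

```shell
#!/bin/sh
# Added example, not project code: apply an sshd_config setting the way the
# fixtext describes.  sshd keeps the FIRST value it reads for a keyword, so a
# drop-in only wins if the Include line comes before any active setting of
# that keyword in the main file.  The config path is a parameter so this can
# be run on a scratch copy.

# Replace keyword $2 (or its commented-out form) with "$2 $3" in file $1,
# outside of any Match block.  Keywords after the first Match are
# conditional, so if nothing matched before it the line goes just above it.
sshd_set_in_file() {            # $1 = file, $2 = keyword, $3 = value
    awk -v p="$2" -v v="$3" '
        BEGIN { done = 0; inmatch = 0 }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            commented = (substr(line, 1, 1) == "#")
            sub(/^#[[:space:]]*/, "", line)
            split(line, f, /[[:space:]]+/)
            key = tolower(f[1])
        }
        !inmatch && !commented && key == "match" {
            inmatch = 1
            if (!done) { print p " " v; done = 1 }
        }
        !inmatch && key == tolower(p) {
            if (!done) { print p " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print p " " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Entry point mirroring the fixtext parameters.  $4 = yes puts the value in
# the 00-complianceascode-hardening.conf drop-in and comments out active
# settings of the keyword in the main file so they cannot shadow it.
sshd_set() {                    # $1 = main sshd_config, $2 = keyword, $3 = value, $4 = yes|no
    if [ "$4" = yes ]; then
        dropin_dir=$(dirname "$1")/sshd_config.d
        mkdir -p "$dropin_dir"
        if ! grep -qi '^[[:space:]]*Include[[:space:]]' "$1"; then
            { printf 'Include %s/*.conf\n' "$dropin_dir"; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
        fi
        awk -v p="$2" '
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) == tolower(p) { print "#" $0; next }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        target=$dropin_dir/00-complianceascode-hardening.conf
        touch "$target"
    else
        target=$1
    fi
    sshd_set_in_file "$target" "$2" "$3"
}
```

After editing the real files, sshd -t checks the syntax and sshd -T prints the effective configuration, which is the only reliable way to confirm that the drop-in value is the one sshd will use.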

TEMPLATE fixtext_service_enabled

Describe how to enable a service

Parameters:
  • service (str) – service to enable

fixtext_service_enabled(service)

TEMPLATE fixtext_service_disabled

Describe how to disable a service

Parameters:
  • service (str) – service to be disabled

fixtext_service_disabled(service)

TEMPLATE fixtext_socket_disabled

Describe how to disable a socket

Parameters:
  • socket (str) – socket to be disabled

fixtext_socket_disabled(socket)

TEMPLATE fixtext_sysctl

Macro describing fix for sysctl rules.

Parameters:
  • sysctl (str) – The kernel parameter to be changed.

  • value (str) – The value of the kernel parameter.

fixtext_sysctl(sysctl, value)
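A persisted sysctl value only counts if no later file overrides it: sysctl --system reads the sysctl.d drop-ins in lexical order of file name and /etc/sysctl.conf last, and the last assignment wins. The shell below is an added example, not project code, that writes the setting idempotently and computes which value would win under that order; it takes a root directory so it runs on a scratch tree, and the drop-in file name is an assumption. It simplifies the real search path (it ignores /run/sysctl.d and the /usr/lib and /lib directories).

```shell
#!/bin/sh
# Added example, not project code: persist a kernel parameter and work out
# which file actually wins, following the order `sysctl --system` uses.
# $root lets this run against a scratch tree instead of /.

# Replace or append "param = value" in file $1 (commented lines are kept).
sysctl_file_set() {             # $1 = file, $2 = param, $3 = value
    awk -v p="$2" -v v="$3" '
        BEGIN { done = 0 }
        {
            key = $0
            sub(/^[[:space:]]+/, "", key)
            sub(/[[:space:]]*=.*$/, "", key)
        }
        key == p { if (!done) { print p " = " v; done = 1 }; next }
        { print }
        END { if (!done) print p " = " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Persist the setting in the drop-in file (name is an assumption) under root $1.
sysctl_set() {                  # $1 = root, $2 = param, $3 = value
    dir=$1/etc/sysctl.d
    mkdir -p "$dir"
    touch "$dir/99-sysctl.conf"
    sysctl_file_set "$dir/99-sysctl.conf" "$2" "$3"
}

# Value sysctl --system would end up applying for $2 under root $1:
# sysctl.d/*.conf in lexical order, then sysctl.conf; last assignment wins.
# (Simplified: the real search path also has /run/sysctl.d and /usr/lib.)
sysctl_effective() {            # $1 = root, $2 = param
    {
        for f in "$1"/etc/sysctl.d/*.conf; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
        if [ -f "$1/etc/sysctl.conf" ]; then cat "$1/etc/sysctl.conf"; fi
    } | awk -v p="$2" '
        /^[[:space:]]*[#;]/ { next }
        {
            key = $0
            sub(/^[[:space:]]+/, "", key)
            sub(/[[:space:]]*=.*$/, "", key)
            if (key == p) {
                val = $0
                sub(/^[^=]*=[[:space:]]*/, "", val)
                sub(/[[:space:]]+$/, "", val)
                last = val
            }
        }
        END { print last }'
}
```

On the real system, sysctl --system applies everything and sysctl -n <param> shows the running value; a mismatch between sysctl_effective and the running value usually means a file outside the simplified search path, or a boot-time setter such as a tuned profile, is involved.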

TEMPLATE fixtext_grub2_bootloader_argument

Describe fix for a GRUB 2 bootloader kernel argument. This can be used for rules that use the grub2_bootloader_argument template or have the macro grub2_bootloader_argument_remediation in their remediation.

Parameters:
  • argument (str) – Kernel argument

  • value (str) – The argument’s value

fixtext_grub2_bootloader_argument(argument, value)

TEMPLATE fixtext_grub2_bootloader_argument_absent

Describe fix for removal of a GRUB 2 bootloader kernel argument. This can be used for rules that use the grub2_bootloader_argument_absent template or have the macro grub2_bootloader_argument_remediation in their remediation.

Parameters:
  • argument (str) – Kernel argument

fixtext_grub2_bootloader_argument_absent(argument)
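Both GRUB 2 fixtexts come down to editing the GRUB_CMDLINE_LINUX line in /etc/default/grub without producing duplicate or contradictory entries, then regenerating the boot configuration. The shell below is an added example, not the project's macro, that sets, replaces or removes one argument idempotently and reads the current value back; the file path is a parameter so it runs on a scratch copy, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not project code: edit GRUB_CMDLINE_LINUX in a copy of
# /etc/default/grub idempotently (set, replace or remove one argument) and
# read a value back.  Regenerating grub.cfg is a separate step (see below).

# Rewrite the kernel command line in file $1.  $2 = set|del, $3 = argument,
# $4 = value ("" for a bare flag such as "quiet").
grub_cmdline_edit() {
    awk -v mode="$2" -v a="$3" -v v="$4" '
        function rebuild(s,    n, i, out, parts, key, found, item) {
            item = (v == "" ? a : a "=" v)
            n = split(s, parts, " ")
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                key = parts[i]; sub(/=.*/, "", key)
                if (key == a) {
                    if (mode == "del" || found) continue   # drop removed/duplicate entries
                    parts[i] = item; found = 1
                }
                out = out (out == "" ? "" : " ") parts[i]
            }
            if (mode == "set" && !found) out = out (out == "" ? "" : " ") item
            return out
        }
        /^GRUB_CMDLINE_LINUX=/ {
            val = $0; sub(/^GRUB_CMDLINE_LINUX=/, "", val); gsub(/^"|"$/, "", val)
            print "GRUB_CMDLINE_LINUX=\"" rebuild(val) "\""
            seen = 1; next
        }
        { print }
        END { if (!seen && mode == "set") print "GRUB_CMDLINE_LINUX=\"" rebuild("") "\"" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

grub_cmdline_set()    { grub_cmdline_edit "$1" set "$2" "${3:-}"; }
grub_cmdline_remove() { grub_cmdline_edit "$1" del "$2" ""; }

# Print the value of argument $2 ("set" for a bare flag); exit 1 if absent.
grub_cmdline_get() {
    awk -v a="$2" '
        BEGIN { rc = 1 }
        /^GRUB_CMDLINE_LINUX=/ {
            val = $0; sub(/^GRUB_CMDLINE_LINUX=/, "", val); gsub(/^"|"$/, "", val)
            n = split(val, parts, " ")
            for (i = 1; i <= n; i++) {
                key = parts[i]; sub(/=.*/, "", key)
                if (key == a) {
                    eq = index(parts[i], "=")
                    print (eq ? substr(parts[i], eq + 1) : "set")
                    rc = 0; exit
                }
            }
        }
        END { exit rc }' "$1"
}
```

The edit only changes the defaults file; the installed boot entries must be regenerated afterwards (grub2-mkconfig -o with the grub.cfg path for the system's firmware type, grubby --update-kernel=ALL --args=... on distributions that ship grubby, or update-grub on Debian-style systems, which also read GRUB_CMDLINE_LINUX_DEFAULT). After a reboot, /proc/cmdline is the authoritative check.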

TEMPLATE fixtext_audit_configuration

Macro describing fix for audit configuration.

Parameters:
  • param (str) – The audit configuration to be changed.

  • value (str) – The value of the audit configuration.

fixtext_audit_configuration(param, value)

TEMPLATE fixtext_mount_option

Fixtext macro describing configuration of mount option, for rules using the mount_option template.

Parameters:
  • mountpoint (str) – mount point on the filesystem, e.g. /dev/shm

  • mountoption (str) – mount option, e.g. nosuid, logdev=device or hidepid

fixtext_mount_option(mountpoint, mountoption)
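Adding a mount option to /etc/fstab by hand tends to go wrong in two ways: the option gets appended a second time on re-runs, or it is added next to its opposite (suid and nosuid) so the result depends on mount's parsing order. The shell below is an added example, not the project's macro, that edits the entry for a mount point idempotently, replaces a key=value option such as hidepid=1 with hidepid=2, drops the opposite option, and falls back to adding a tmpfs line only for /dev/shm, which is normally mounted without an fstab entry. The fstab path is a parameter and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not project code: add a mount option to the fstab entry of
# a mount point without duplicating it, replacing a key=value option that is
# already there and dropping the opposite option (suid vs nosuid).  The fstab
# path is a parameter so this runs on a scratch copy.

# Returns 1 when no entry for the mount point exists.
fstab_add_option() {            # $1 = fstab, $2 = mount point, $3 = option
    if awk -v mp="$2" -v opt="$3" '
        function optkey(s) { sub(/=.*/, "", s); return s }
        BEGIN {
            OFS = "\t"; found = 0
            k = optkey(opt)
            anti = (substr(k, 1, 2) == "no") ? substr(k, 3) : "no" k
        }
        /^[[:space:]]*(#|$)/ { print; next }
        $2 == mp {
            found = 1; done = 0; out = ""
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                ok = optkey(o[i])
                if (ok == k) { if (done) continue; o[i] = opt; done = 1 }
                else if (ok == anti) continue
                out = out (out == "" ? "" : ",") o[i]
            }
            if (!done) out = out (out == "" ? "" : ",") opt
            $4 = out
        }
        { print }
        END { if (!found) exit 1 }' "$1" > "$1.tmp"; then
        mv "$1.tmp" "$1"
    else
        rm -f "$1.tmp"
        return 1
    fi
}

# Fixtext-style entry point: /dev/shm is always a tmpfs and is usually not
# listed in fstab, so an entry is created for it; any other missing mount
# point is an error the administrator has to look at (separate partition?).
mount_option_set() {            # $1 = fstab, $2 = mount point, $3 = option
    if ! fstab_add_option "$1" "$2" "$3"; then
        case $2 in
            /dev/shm) printf 'tmpfs\t%s\ttmpfs\tdefaults,%s\t0 0\n' "$2" "$3" >> "$1" ;;
            *) printf 'no fstab entry for %s; add one before setting %s\n' "$2" "$3" >&2; return 1 ;;
        esac
    fi
}
```

The fstab change takes effect at the next mount; to apply it now, mount -o remount,<option> <mountpoint> (for example mount -o remount,hidepid=2 /proc), then confirm with findmnt -o OPTIONS <mountpoint>.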

TEMPLATE fixtext_audit_rules_privileged_commands

Fixtext for ensuring that a privileged command is audited.

Parameters:
  • cmd (str) – The command to audit

  • path_prefix (str) – The directory the command is in

  • key (str) – Auditd key (-k) used to tag the events this rule produces

fixtext_audit_rules_privileged_commands(cmd, path_prefix, key)
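The privileged-command fixtext asks for one path-based rule per setuid/setgid executable. Finding those executables and comparing them with what is already audited is the part administrators usually get wrong, so the shell below, an added example and not the project's macro, enumerates them under a directory and emits the rules, then reports which of them have no rule in an existing rules file. The search root is a parameter so the test can run against a constructed directory; the key name is an assumption.

```shell
#!/bin/sh
# Added example, not project code: emit audit rules for every setuid/setgid
# executable under a directory (the fixtext's path_prefix) and find the ones
# an existing rules file does not cover.  Key name is an assumption.

# List setuid/setgid regular files under $1, sorted for stable output.
privileged_commands() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# One rule per privileged command, recording executions by real users.
privileged_command_rules() {    # $1 = directory to search, $2 = key
    privileged_commands "$1" | while IFS= read -r cmd; do
        printf '%s\n' "-a always,exit -F path=$cmd -F perm=x -F auid>=1000 -F auid!=unset -k $2"
    done
}

# Commands under $2 that have no -F path= rule in rules file $1.  The path is
# matched as a fixed string followed by a space so /usr/bin/su does not
# count as covering /usr/bin/sudo.
unaudited_privileged_commands() {   # $1 = rules file, $2 = directory
    privileged_commands "$2" | while IFS= read -r cmd; do
        grep -qF -- "-F path=$cmd " "$1" || printf '%s\n' "$cmd"
    done
}
```

Against a live system, run privileged_command_rules over each directory on the executable path (or find / -xdev for the whole root) and feed the result into a file under /etc/audit/rules.d/; unaudited_privileged_commands against the output of auditctl -l shows the gap after loading.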

TEMPLATE fixtext_package_removed

Fixtext for removing a package

Parameters:
  • package (str) – The package to remove

fixtext_package_removed(package)

TEMPLATE fixtext_package_installed

Fixtext for installing a package

Parameters:
  • package (str) – The package to install

fixtext_package_installed(package)

TEMPLATE fixtext_kernel_module_disabled

Fixtext for disabling a kernel module

Parameters:
  • module (str) – module to disable

fixtext_kernel_module_disabled(module)
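Disabling a kernel module needs two modprobe.d lines, not one: blacklist only stops alias-based autoloading, while install <module> /bin/false makes any explicit or dependency-driven load fail. A module that is already loaded also has to be removed, and that fails while other modules depend on it. The shell below is an added example, not the project's macro, that writes the drop-in and reads a /proc/modules-style file to report whether the module is loaded and what depends on it; the drop-in directory and the sample /proc/modules content are constructed for the test.

```shell
#!/bin/sh
# Added example, not project code: write the modprobe.d drop-in the fixtext
# asks for and inspect a /proc/modules-style listing.  Module names use the
# underscore form that /proc/modules shows (modprobe accepts dashes too).

# Write $1/$2.conf and print its path.  "install ... /bin/false" blocks every
# load attempt; "blacklist" additionally stops autoloading by alias.
kernel_module_disable() {       # $1 = modprobe.d directory, $2 = module
    f=$1/$2.conf
    printf 'install %s /bin/false\nblacklist %s\n' "$2" "$2" > "$f"
    printf '%s\n' "$f"
}

# Is module $2 listed in /proc/modules (or a copy of it, $1)?  Prints the
# modules that depend on it, which must be unloaded first, and returns 0
# when the module is loaded, 1 when it is not.
kernel_module_loaded() {        # $1 = /proc/modules (or copy), $2 = module
    awk -v m="$2" '
        $1 == m {
            found = 1
            if ($4 != "-") { deps = $4; sub(/,$/, "", deps); print deps }
        }
        END { exit !found }' "$1"
}
```

With the file in /etc/modprobe.d/, modprobe -n -v <module> should print the install /bin/false line instead of an insmod command; unload dependents first with modprobe -r, then the module itself, and re-check /proc/modules.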

TEMPLATE fixtext_file_owner

Fixtext for setting the owner on a file.

Parameters:
  • file (str) – The file to set the owner on

  • owner (str) – The owner to be set

fixtext_file_owner(file, owner)

TEMPLATE fixtext_file_group_owner

Fixtext for setting the group owner on a file.

Parameters:
  • file (str) – The file to set the group owner on

  • group (str) – The group to be set

fixtext_file_group_owner(file, group)

TEMPLATE fixtext_directory_owner

Fixtext for setting the owner on a directory.

Parameters:
  • file (str) – The directory to set the owner on

  • owner (str) – The owner to be set

fixtext_directory_owner(file, owner)

TEMPLATE fixtext_directory_group_owner

Fixtext for setting the group owner on a directory.

Parameters:
  • file (str) – The directory to set the group owner on

  • group (str) – The group to be set

fixtext_directory_group_owner(file, group)

TEMPLATE fixtext_directory_permissions

Fixtext for setting the permissions on a directory.

Parameters:
  • file (str) – The directory to set the permissions on

  • mode (str) – The permissions to be set

fixtext_directory_permissions(file, mode)

TEMPLATE fixtext_file_permissions

Fixtext for setting the permissions on a file.

Parameters:
  • file (str) – The file to set the permissions on

  • mode (str) – The permissions to be set

fixtext_file_permissions(file, mode)

TEMPLATE fixtext_separate_partition

Fixtext for having a mount point on another partition

Parameters:
  • part (str) – The mount point

fixtext_separate_partition(part)

TEMPLATE fix_openshift_logging_rbac

Fixtext for how to restrict RBAC permissions for cluster logging

Parameters:
  • verb (str) – The RBAC verb to restrict

fix_openshift_logging_rbac(verb)

TEMPLATE fix_openshift_rbac_least_privilege

Fixtext for how to restrict RBAC permissions to least privilege

Parameters:
  • verb – The RBAC verb to restrict

fix_openshift_rbac_least_privilege()