OCIL

TEMPLATE rhcos_node_login_instructions

How to log in to a Red Hat CoreOS Node

rhcos_node_login_instructions()

TEMPLATE complete_ocil_entry_audit_privileged_commands

OCIL and OCIL clause for ensuring that a privileged command is audited.

Parameters:

  • cmd (str) – The command to audit

  • path_prefix (str) – The directory the command is in

complete_ocil_entry_audit_privileged_commands(cmd, path_prefix, key)

TEMPLATE ocil_audit_syscall

OCIL for adding a syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

ocil_audit_syscall(syscall)

TEMPLATE ocil_clause_entry_audit_syscall

OCIL clause for adding a syscall to audit logs

ocil_clause_entry_audit_syscall()

TEMPLATE complete_ocil_entry_audit_syscall

OCIL and OCIL clause for adding a syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

complete_ocil_entry_audit_syscall(syscall)

TEMPLATE ocil_audit_successful_syscall

OCIL for adding a successful syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

ocil_audit_successful_syscall(syscall)

TEMPLATE ocil_audit_unsuccessful_syscall

OCIL for adding a unsuccessful syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

ocil_audit_unsuccessful_syscall(syscall)

TEMPLATE complete_ocil_entry_audit_successful_syscall

OCIL and OCIL clause for adding a successful syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

complete_ocil_entry_audit_successful_syscall(syscall)

TEMPLATE complete_ocil_entry_audit_unsuccessful_syscall

OCIL and OCIL clause for adding a unsuccessful syscall to audit logs

Parameters:

  • syscall (str) – The syscall to audit

complete_ocil_entry_audit_unsuccessful_syscall(syscall)

TEMPLATE dpkg_ocil_package

Describe how to check if a package is installed with dpkg.

Parameters:

  • package (str) – The package to check

dpkg_ocil_package(package)

TEMPLATE ocil_package

Insert general ocil clause to check if a package is installed, substituting the correct package management software.

Parameters:

  • package (str) – Name of package

ocil_package(package)

TEMPLATE rpm_complete_ocil_entry_package

OCIL and OCIL clause how to check if a package is installed with rpm.

Parameters:

  • package (str) – The package to check

rpm_complete_ocil_entry_package(package)

TEMPLATE dpkg_complete_ocil_entry_package

OCIL and OCIL clause how to check if a package is installed with dpkg.

Parameters:

  • package (str) – The package to check

dpkg_complete_ocil_entry_package(package)

TEMPLATE complete_ocil_entry_package

Insert a complete OCIL block for a case when a package should be removed, substituting the correct package management software.

Parameters:

  • package (str) – Name of package

complete_ocil_entry_package(package)

TEMPLATE ocil_service_enabled

Inserts an OCIL for a case when a service should be enabled, substituting the correct init system.

Parameters:

  • service (str) – Name of service

ocil_service_enabled(service)

TEMPLATE ocil_clause_service_enabled

Inserts an OCIL Clause for a case when a service should be enabled.

Parameters:

  • service (str) – Name of service

ocil_clause_service_enabled(service)

TEMPLATE ocil_service_disabled

Inserts an OCIL for a case when a service should be disabled, substituting the correct init system.

Parameters:

  • service (str) – Name of service

ocil_service_disabled(service)

TEMPLATE ocil_clause_service_disabled

Inserts an OCIL Clause for a case when a service should be disabled.

Parameters:

  • service (str) – Name of service

ocil_clause_service_disabled(service)

TEMPLATE socket_disabled_check_with_systemd

Describe how to check if socket is disabled with systemd.

Parameters:

  • socket (str) – The socket to check

socket_disabled_check_with_systemd(socket)

TEMPLATE systemd_complete_ocil_entry_socket_and_service_disabled

OCIL and OCIL clause for ensure socket is disabled in systemd and xinetd.

Parameters:

  • name (str) – The socket to check

systemd_complete_ocil_entry_socket_and_service_disabled(name)

TEMPLATE complete_ocil_entry_socket_and_service_disabled

Inserts an OCIL for a case when a service and a corresponding socket should be disabled, substituting the correct init system.

Parameters:

  • service (str) – Name of service

complete_ocil_entry_socket_and_service_disabled(service)

TEMPLATE ocil_sshd_option

OCIL for an sshd option.

Example usage:

ocil_sshd_option(default="no", option="Banner", value="/etc/issue")
Parameters:

  • default (str) – If set to yes the default value is accepted

  • option (str) – The sshd option to configure

  • value (str) – The value for the given option

ocil_sshd_option(default, option, value)

TEMPLATE complete_ocil_entry_sshd_option

OCIL and OCIL clause for and sshd option.

Example usage:

complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue")
Parameters:

  • default (str) – If set to yes the default value is accepted

  • option (str) – The sshd option to configure

  • value (str) – The value for the given option

complete_ocil_entry_sshd_option(default, option, value)

TEMPLATE ocil_clause_entry_mount_option

The OCIL clause for mount options.

Parameters:

  • point (str) – The mount point to check

  • option (str) – The options the mount point should have

ocil_clause_entry_mount_option(point, option)

TEMPLATE complete_ocil_entry_mount_option

The OCIL and OCIL clause for mount options.

Parameters:

  • point (str) – The mount point to check

  • option (str) – The options the mount point should have

complete_ocil_entry_mount_option(point, option)

TEMPLATE complete_ocil_entry_separate_partition

OCIL for how to check if given path is on its own partition or logical volume and the correct OCIL clause.

Parameters:

  • part (str) – Path to check

complete_ocil_entry_separate_partition(part)

TEMPLATE _firewalld_check

Firewalld macros

_firewalld_check(access_action, port, proto, service)

TEMPLATE ocil_firewalld_allow_access

OCIL for allowing a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters:

  • port (str) – The port to allow

  • proto (str) – The protocol to allow

  • service (str) – The service to allow

ocil_firewalld_allow_access(port=none, proto=none, service=none)

TEMPLATE ocil_firewalld_prevent_access

OCIL for preventing access a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters:

  • port (int) – The port to allow

  • proto (str) – The protocol to allow

  • service (str) – The service to allow

ocil_firewalld_prevent_access(port=none, proto=none, service=none)

TEMPLATE complete_ocil_entry_module_disable

OCIL and OCIL clause for disabling a kernel module.

Parameters:

  • module (str) – The module to disable.

complete_ocil_entry_module_disable(module)

TEMPLATE describe_sebool_check_var

Describe how to check if given SELinux boolean is set depending on a variable.

Parameters:

  • sebool (str) – The SELinux boolean to check

describe_sebool_check_var(sebool)

TEMPLATE complete_ocil_entry_sebool_disabled

OCIL and OCIL clause for how to check if given SELinux boolean is disabled.

Parameters:

  • sebool (str) – The SELinux boolean to check

complete_ocil_entry_sebool_disabled(sebool)

TEMPLATE describe_sebool_check_enabled

Describe how to check if given SELinux boolean is enabled.

Parameters:

  • sebool (str) – The SELinux boolean to check

describe_sebool_check_enabled(sebool)

TEMPLATE complete_ocil_entry_sebool_enabled

OCIL and OCIL clause for how to check if given SELinux boolean is enabled.

Parameters:

  • sebool (str) – The SELinux boolean to check

complete_ocil_entry_sebool_enabled(sebool)

TEMPLATE ocil_timer_enabled

Inserts an OCIL for a case when a timer should be enabled, substituting the correct init system.

Parameters:

  • timer (str) – Name of timer

ocil_timer_enabled(timer)

TEMPLATE ocil_directory_permissions

OCIL how to check permissions a directory

Parameters:

  • directory (str) – Directory path

  • perms (str) – the permissions of the given directory

ocil_directory_permissions(directory, perms)

TEMPLATE ocil_files_in_directory_permissions

OCIL how to check file permissions of files in a directory

Parameters:

  • directory (str) – Directory path

  • perms (str) – the permissions for the files in the given directory

ocil_files_in_directory_permissions(directory, perms)

TEMPLATE ocil_clause_file_permissions

OCIL clause for file permissions

Parameters:

  • file (str) – File to change

  • perms (str) – the permissions for the file

ocil_clause_file_permissions(file, perms)

TEMPLATE ocil_clause_directory_permissions

OCIL clause for directory permissions

Parameters:

  • directory (str) – Directory path

  • perms (str) – the permissions for the files

ocil_clause_directory_permissions(directory, perms)

TEMPLATE ocil_clause_files_in_directory_permissions

OCIL clause for file permissions of files in a directory

Parameters:

  • directory (str) – Directory path

  • perms (str) – the permissions for the files

ocil_clause_files_in_directory_permissions(directory, perms)

TEMPLATE ocil_file_owner

OCIL how to check the file owner of a file.

Parameters:

  • file (str) – File to change

  • owner (str) – The owner for the file

ocil_file_owner(file, owner)

TEMPLATE ocil_directory_owner

OCIL how to check owner a directory

Parameters:

  • directory (str) – Directory path

  • owner (str) – the owner of the given directory

ocil_directory_owner(directory, owner)

TEMPLATE ocil_files_in_directory_owner

OCIL how to check file owner of files in a directory

Parameters:

  • directory (str) – Directory path

  • owner (str) – the owner for the files in the given directory

ocil_files_in_directory_owner(directory, owner)

TEMPLATE ocil_clause_file_owner

OCIL clause for file owner

Parameters:

  • file (str) – File to change

  • owner (str) – the owner for the file

ocil_clause_file_owner(file, owner)

TEMPLATE ocil_clause_directory_owner

OCIL clause for directory owner

Parameters:

  • directory (str) – Directory path

  • owner (str) – the owner for the files

ocil_clause_directory_owner(directory, owner)

TEMPLATE ocil_clause_files_in_directory_owner

OCIL clause for file owner of files in a directory

Parameters:

  • directory (str) – Directory path

  • owner (str) – the owner for the files

ocil_clause_files_in_directory_owner(directory, owner)

TEMPLATE ocil_file_group_owner

OCIL how to check the file group owner of a file.

Parameters:

  • file (str) – File to change

  • group (str) – the group owner for the file

ocil_file_group_owner(file, group)

TEMPLATE ocil_directory_group_owner

OCIL how to check file group owner a directory

Parameters:

  • directory (str) – Directory path

  • group (str) – the group owner of the given directory

ocil_directory_group_owner(directory, group)

TEMPLATE ocil_files_in_directory_group_owner

OCIL how to check file group owner of files in a directory

Parameters:

  • directory (str) – Directory path

  • group (str) – the group owner for the files in the given directory

ocil_files_in_directory_group_owner(directory, group)

TEMPLATE ocil_clause_file_group_owner

OCIL clause for file group owner

Parameters:

  • file (str) – File to change

  • group (str) – the group owner for the file

ocil_clause_file_group_owner(file, group)

TEMPLATE ocil_clause_directory_group_owner

OCIL clause for directory group owner of a directory

Parameters:

  • directory (str) – Directory path

  • group (str) – the group owner for the files

ocil_clause_directory_group_owner(directory, group)

TEMPLATE ocil_clause_files_in_directory_group_owner

OCIL clause for file group owner of files in a directory

Parameters:

  • directory (str) – Directory path

  • group (str) – the group owner for the files

ocil_clause_files_in_directory_group_owner(directory, group)

TEMPLATE complete_ocil_entry_sysctl_option_value

OCIL and OCIL clause for a sysctl option

Parameters:

  • sysctl (str) – The kernel parameter to change

  • value (str) – The value to be set

complete_ocil_entry_sysctl_option_value(sysctl, value)

TEMPLATE ocil_audit_rules_unsuccessful_file_modification_o_creat

Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_creat template

Parameters:

  • syscall (str) – system call

  • position (str) – the position of the system call O_CREAT argument, eg. a2

ocil_audit_rules_unsuccessful_file_modification_o_creat(syscall, position)

TEMPLATE ocil_audit_rules_unsuccessful_file_modification_o_trunc_write

Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_trunc_write template

Parameters:

  • syscall (str) – system call

  • position (str) – the position of the system call O_TRUNC_WRITE argument, eg. a2

ocil_audit_rules_unsuccessful_file_modification_o_trunc_write(syscall, position)

TEMPLATE ocil_audit_rules_unsuccessful_file_modification_rule_order

Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_rule_order template

Parameters:

  • syscall (str) – system call

  • position (str) – the position of the system call O_TRUNC_WRITE and O_CREAT arguments, eg. a2

ocil_audit_rules_unsuccessful_file_modification_rule_order(syscall, position)

TEMPLATE ocil_cis_banner

OCIL macro to check CIS requirements on command line warning banners. The macro provides both check and clause.

Parameters:

  • filepath (str) – filepath to be checked

ocil_cis_banner(filepath)