Available Templates

accounts_password
Checks if PAM enforces password quality requirements. Checks the configuration in /etc/security/pwquality.conf.
Parameters:
variable - PAM pam_pwquality password quality requirement, e.g. ucredit, ocredit
operation - OVAL operation, e.g. less than or equal
zero_comparison_operation - (optional) OVAL operation, e.g. greater than. When set, it will test if the variable value matches the OVAL operation when compared to zero.
Languages: Ansible, Bash, OVAL

auditd_lineinfile
Checks configuration options of the Audit Daemon in /etc/audit/auditd.conf.
Parameters:
parameter - auditd configuration item
value - the value of the configuration item specified by parameter
missing_parameter_pass - effective only in OVAL checks; if set to "false" and the parameter is not present in the configuration file, the OVAL check will return false (default value: "false").
Languages: Ansible, Bash, OVAL

audit_rules_dac_modification
Checks Audit Discretionary Access Control rules.
Parameters:
attr - value of the -S argument in the Audit rule, e.g. chmod
Languages: Ansible, Bash, OVAL, Kubernetes

audit_rules_file_deletion_events
Ensures auditd collects file deletion events.
Parameters:
name - value of the -S argument in the Audit rule, e.g. unlink
Languages: Ansible, Bash, OVAL

audit_rules_login_events
Checks if there are Audit rules that record attempts to alter logon and logout events.
Parameters:
path - value of -w in the Audit rule, e.g. /var/run/faillock
Languages: Ansible, Bash, OVAL, Kubernetes

audit_rules_path_syscall
Checks if there are Audit rules to record events that modify user/group information via a syscall on a specific file.
Parameters:
path - path of the protected file, e.g. /etc/shadow
pos - position of the argument, e.g. a2
syscall - name of the system call, e.g. openat
Languages: Ansible, Bash, OVAL

audit_rules_privileged_commands
Ensures auditd collects information on the use of the specified privileged command.
Parameters:
path - the path of the privileged command, e.g. /usr/bin/mount
Languages: Ansible, Bash, OVAL, Kubernetes

audit_rules_syscall_events
Ensures there is an Audit rule to record all uses of the specified system call.
Parameters:
attr - the name of the system call, e.g. unlinkat
Languages: Ansible, Bash, OVAL, Kubernetes

audit_file_contents
Ensures that the audit .rules file specified by the filepath parameter contains the contents specified by the contents parameter.
Parameters:
filepath - path to the audit rules file, e.g. /etc/audit/rules.d/10-base-config.rules
contents - expected contents of the file
Languages: Ansible, Bash, OVAL

audit_rules_unsuccessful_file_modification
Ensures there is an Audit rule to record unsuccessful attempts to access files.
Parameters:
name - name of the unsuccessful system call, e.g. creat
Languages: Ansible, Bash, OVAL

audit_rules_unsuccessful_file_modification_o_creat
Ensures there is an Audit rule to record unsuccessful attempts to access files when the O_CREAT flag is specified.
Parameters:
syscall - name of the unsuccessful system call, e.g. openat
pos - position of the O_CREAT argument in the syscall, as specified by the -F audit rule argument, e.g. a2
Languages: OVAL

audit_rules_unsuccessful_file_modification_o_trunc_write
Ensures there is an Audit rule to record unsuccessful attempts to access files when the O_TRUNC_WRITE flag is specified.
Parameters:
syscall - name of the unsuccessful system call, e.g. openat
pos - position of the O_TRUNC_WRITE argument in the syscall, as specified by the -F audit rule argument, e.g. a2
Languages: OVAL

audit_rules_unsuccessful_file_modification_rule_order
Ensures that Audit rules for unauthorized attempts to use a specific system call are ordered correctly.
Parameters:
syscall - name of the unsuccessful system call, e.g. openat
pos - position of the flag parameter in the syscall, as specified by the -F audit rule argument, e.g. a2
Languages: OVAL

audit_rules_usergroup_modification
Checks if Audit is configured to record account modification events.
Parameters:
path - path that should be part of the audit rule as the value of the -w argument, e.g. /etc/group.
Languages: Ansible, Bash, OVAL

audit_rules_watch
Checks if there are file system watches configured in audit rules for the given path.
Parameters:
path - path that should be part of the audit watch rule as the value of the -w argument, e.g. /etc/group.
Languages: Ansible, Bash, OVAL

argument_value_in_line
Checks that an argument=value pair is present in the file(s) defined by filepath, optionally only in lines starting with line_prefix and/or ending with line_suffix.
Parameters:
filepath - file(s) to be checked. The value is treated as a regular expression pattern.
arg_name - argument name, e.g. audit
arg_value - argument value, e.g. '1'
line_prefix - the prefix of the line in which the argument=value pair should be present, optional.
line_suffix - the suffix of the line in which the argument=value pair should be present, optional.
Languages: OVAL

coreos_kernel_option
Checks that an argument=value pair is present in the kernel arguments. Note that this applies to Red Hat CoreOS.
Parameters:
arg_name - argument name, e.g. audit
arg_value - argument value, e.g. '1'. This parameter is optional; if omitted, this template will only use arg_name.
arg_negate - negates the check, which then ensures that argument=value is not present in the kernel arguments.
arg_is_regex - specifies that the given arg_name and arg_value are regexes.
Languages: OVAL, Kubernetes

dconf_ini_file
Checks for dconf configuration. Additionally checks if the configuration is locked so it cannot be overridden by the user. The locks directory is always the path with locks/ appended.
Parameters:
path - dconf configuration files directory. All files within this directory will be checked for the configuration presence, e.g. /etc/dconf/db/local.d/.
section - name of the dconf configuration section, e.g. "org/gnome/desktop/lockdown"
parameter - name of the dconf configuration option, e.g. user-administration-disabled
value - value of the dconf configuration option specified by parameter, e.g. "true".
Languages: Ansible, Bash, OVAL
Example:
template:
    name: dconf_ini_file
    vars:
        path: /etc/dconf/db/local.d/
        section: "org/gnome/desktop/lockdown"
        parameter: user-administration-disabled
        value: "true"

file_existence
Checks if a file exists or doesn't exist.
Parameters:
filepath - file path to be checked.
exists - if set to true the check will fail if the file doesn't exist, and vice versa for false.
fileuid - (optional) user ID (UID) of the file created by remediations
filemode - (optional) file permissions of the file created by remediations, in a hexadecimal format, e.g. '0640'
Languages: Ansible, Bash, OVAL

file_groupowner
Checks the group that owns the given file.
Parameters:
filepath - file path to be checked. If the file path ends with / it describes a directory. Can also be a list of paths. If file_regex is not specified, the rule will only check and remediate directories.
filepath_is_regex - if set to "true" the OVAL will consider the value of filepath as a regular expression.
missing_file_pass - if set to "true" the OVAL check will pass when the file is absent. Default value is "false".
file_regex - regular expression that matches file names in the directory specified by filepath. Can be set only if the filepath parameter specifies a directory. Note: applies to the base name of files, so if a file /foo/bar/file.txt is processed, only file.txt is tested against file_regex. Can be a list of regexes.
recursive - if set to "true" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is "false".
gid_or_name - group ID (GID) or a group name. If the parameter is an integer, it is treated as a group ID. If it is not an integer, it is treated as a group name and converted to a GID by reading /etc/group.
Languages: Ansible, Bash, OVAL
Note that the interaction between filepath and file_regex is as follows: if filepath is a string, file_regex must also be a string; if filepath is a list and file_regex is a string, the same regex is applied to each path; if filepath and file_regex are both present and are lists, they must be of the same length.

file_owner
Checks the user that owns the given file.
Parameters:
filepath - file path to be checked. If the file path ends with / it describes a directory. Can also be a list of paths. If file_regex is not specified, the rule will only check and remediate directories.
filepath_is_regex - if set to "true" the OVAL will consider the value of filepath as a regular expression.
missing_file_pass - if set to "true" the OVAL check will pass when the file is absent. Default value is "false".
file_regex - regular expression that matches file names in the directory specified by filepath. Can be set only if the filepath parameter specifies a directory. Note: applies to the base name of files, so if a file /foo/bar/file.txt is processed, only file.txt is tested against file_regex. Can be a list of regexes.
recursive - if set to "true" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is "false".
fileuid - user ID (UID)
Languages: Ansible, Bash, OVAL
Note that the interaction between filepath and file_regex is as follows: if filepath is a string, file_regex must also be a string; if filepath is a list and file_regex is a string, the same regex is applied to each path; if filepath and file_regex are both present and are lists, they must be of the same length.

file_permissions
Checks permissions (mode) on a given file.
Parameters:
filepath - file path to be checked. If the file path ends with / it describes a directory. Can also be a list of paths. If file_regex is not specified, the rule will only check and remediate directories.
filepath_is_regex - if set to "true" the OVAL will consider the value of filepath as a regular expression.
missing_file_pass - if set to "true" the OVAL check will pass when the file is absent. Default value is "false".
file_regex - regular expression that matches file names in the directory specified by filepath. Can be set only if the filepath parameter specifies a directory. Note: applies to the base name of files, so if a file /foo/bar/file.txt is processed, only file.txt is tested against file_regex. Can be a list of regexes.
recursive - if set to "true" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is "false".
filemode - file permissions in a hexadecimal format, e.g. '0640'.
allow_stricter_permissions - if set to "true" the OVAL will also consider permissions stricter than filemode as compliant. Default value is "true".
excluded_files - a list of files to be excluded. A file can also be given as a pattern using the metacharacters ('*', '?', and '[ ]'). For example: ['*[bw]tmp', '*lastlog'].
Languages: Ansible, Bash, OVAL
Note that the interaction between filepath and file_regex is as follows: if filepath is a string, file_regex must also be a string; if filepath is a list and file_regex is a string, the same regex is applied to each path; if filepath and file_regex are both present and are lists, they must be of the same length.
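
As an added illustration (not part of the ComplianceAsCode templates themselves), the following Python models how the filepath/file_regex pairing rules of the three file_* templates above expand into the files a check would visit: the trailing-slash directory convention, base-name regex matching and the recursive flag. The directory listing is a constructed dict standing in for the real filesystem, and the search-style regex semantics are an assumption of this model.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple, Union

PathSpec = Union[str, Sequence[str]]
RegexSpec = Optional[Union[str, Sequence[str]]]


def pair_filepath_and_regex(filepath: PathSpec,
                            file_regex: RegexSpec) -> List[Tuple[str, Optional[str]]]:
    """Expand the template parameters into (path, regex) pairs following the rules
    stated in the template documentation:
      - string filepath: file_regex must be a string (or absent)
      - list filepath + string file_regex: the regex is reused for every path
      - list filepath + list file_regex: both lists must have the same length
    """
    if isinstance(filepath, str):
        if file_regex is not None and not isinstance(file_regex, str):
            raise ValueError("file_regex must be a string when filepath is a string")
        return [(filepath, file_regex)]
    paths = list(filepath)
    if file_regex is None:
        return [(p, None) for p in paths]
    if isinstance(file_regex, str):
        return [(p, file_regex) for p in paths]
    regexes = list(file_regex)
    if len(regexes) != len(paths):
        raise ValueError("filepath and file_regex lists must be of the same length")
    return list(zip(paths, regexes))


def select_files(filepath: PathSpec, file_regex: RegexSpec,
                 tree: Dict[str, List[str]], recursive: bool = False) -> List[str]:
    """Return the paths a file_* check would test.

    `tree` is a constructed stand-in for the filesystem: it maps a directory
    path (with trailing '/') to its entry names, subdirectories carrying a
    trailing '/'.  A filepath ending in '/' describes a directory; without a
    file_regex only the directory itself is checked, otherwise every entry whose
    base name matches the regex (search semantics, an assumption here) is
    selected, descending into subdirectories only when recursive is set.
    """
    selected: List[str] = []
    for path, regex in pair_filepath_and_regex(filepath, file_regex):
        if not path.endswith("/") or regex is None:
            selected.append(path)  # a plain file, or a directory checked as itself
            continue
        pattern = re.compile(regex)
        pending = [path]
        while pending:
            directory = pending.pop()
            for entry in tree.get(directory, []):
                if entry.endswith("/"):
                    if recursive:
                        pending.append(directory + entry)
                    continue
                if pattern.search(entry):  # only the base name is tested
                    selected.append(directory + entry)
    return sorted(selected)


# Constructed directory listing used for the demonstration (not a real host).
SAMPLE_TREE = {
    "/var/log/": ["btmp", "wtmp", "messages", "secure", "audit/"],
    "/var/log/audit/": ["audit.log", "audit.log.1"],
}

if __name__ == "__main__":
    print(select_files("/var/log/", r"\.log$", SAMPLE_TREE, recursive=True))
```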

firefox_lockpreference
Checks that a given Mozilla Firefox configuration item is locked and set.
Parameters:
parameter - name of the Mozilla Firefox configuration item to be checked/set.
value - literal value to be set in the Mozilla Firefox default configuration.
Languages: Bash, OVAL

grub2_bootloader_argument
Ensures that a kernel command line argument is present in the GRUB 2 configuration.
Parameters:
arg_name - argument name, e.g. audit
arg_value - argument value, e.g. '1'
arg_variable - the variable used as the value for the argument, e.g. 'var_slub_debug_options'. This parameter is mutually exclusive with arg_value.
Languages: Ansible, Bash, OVAL, Blueprint, Kickstart

grub2_bootloader_argument_absent
Ensures that a kernel command line argument is absent from the GRUB 2 configuration. The template can also remove arguments with a value assigned, e.g. audit=1.
Parameters:
arg_name - argument name, e.g. audit, nosmep
Languages: Ansible, Bash, OVAL
Example:
template:
    name: grub2_bootloader_argument_absent
    vars:
        arg_name: audit

kernel_build_config
This template checks the configuration used to build the kernel by checking the /boot/config-* files.
The only way to remediate is to recompile and reinstall the kernel, so no remediation should be expected.
Parameters:
config - the kernel configuration option to check
value - the value the configuration option should have. When value is "n", the check will pass when the config is absent, commented out or has the value n in the /boot/config-* files.
variable - the variable to get the value from. This parameter is mutually exclusive with value.
Languages: OVAL

kernel_module_disabled
Checks if the given Linux kernel module is disabled. The default method is to check the install keyword. On OL and RHEL products the blacklist keyword is also checked. The SLE products only check for the blacklist keyword.
Parameters:
kernmodule - name of the Linux kernel module, e.g. cramfs
Languages: Ansible, Bash, Kubernetes, OVAL

lineinfile
Checks that the given text is present in a file. This template doesn't work with a concept of keys and values; it is meant only for simple statements.
Parameters:
escape_text - if set to true the given text is regex-escaped before use; when set to false the text is taken directly as it is.
path - path to the file to check.
text - the line that should be present in the file.
oval_extend_definitions - optional, list of additional OVAL definitions that have to pass along with the generated check.
sed_path_separator - optional, default is /; sets the sed path separator. Set this to a character like # if / is in use in your text.
Languages: Ansible, Bash, OVAL

mount
Checks that a given mount point is located on a separate partition.
Parameters:
mountpoint - path to the mount point, e.g. /var/tmp
min_size - the minimum recommended partition size, in bytes
Languages: Anaconda, OVAL, Blueprint, Kickstart

mount_option
Checks if a given partition is mounted with a specific option such as "nosuid". It is also possible to use options with arguments, such as "logdev=device". Finally, for options which expect an argument, like "hidepid=2", a variable can be supplied for this argument.
Parameters:
mountpoint - mount point on the filesystem, e.g. /dev/shm
mountoption - mount option, e.g. nosuid, logdev=device or hidepid
mountoption_arg_var - variable which holds the argument for the mount option, e.g. var_mount_option_proc_hidepid
filesystem - filesystem in /etc/fstab, e.g. tmpfs. Used only in Bash remediation.
type - filesystem type. Used only in Bash remediation.
mount_has_to_exist - specifies if the mountpoint entry has to exist in /etc/fstab before the remediation is executed. If set to true and the mountpoint entry is not present in /etc/fstab, the Bash remediation terminates. If set to false, the mountpoint entry will be created in /etc/fstab.
Languages: Anaconda, Ansible, Bash, OVAL

mount_option_remote_filesystems
Checks if all remote filesystems (NFS mounts in /etc/fstab) are mounted with a specific option.
Parameters:
mountpoint - always set to remote_filesystems
mountoption - mount option, e.g. nodev
filesystem - filesystem of the new mount point (used when adding a new entry to /etc/fstab), e.g. tmpfs. Used only in Bash remediation.
mount_has_to_exist - used only in Bash remediation. Specifies if the mountpoint entry has to exist in /etc/fstab before the remediation is executed. If set to yes and the mountpoint entry is not present in /etc/fstab, the Bash remediation terminates. If set to no, the mountpoint entry will be created in /etc/fstab.
Languages: Ansible, Bash, OVAL

mount_option_removable_partitions
Checks if all removable media mounts are mounted with a specific option. Unlike other mount option templates, this template doesn't use the mount point but the block device. The block device path (e.g. /dev/cdrom) is always set to var_removable_partition. This is an XCCDF Value, defined in var_removable_partition.var.
Parameters:
mountoption - mount option, e.g. nodev
Languages: Anaconda, Ansible, Bash, OVAL

package_installed
Checks if a given package is installed. Optionally, it can also check whether a specific version or newer is installed.
Parameters:
pkgname - name of the RPM or DEB package, e.g. tmux
evr - optional parameter. It can be used to check if the package is of a specific version or newer. Provide epoch, version and release in epoch:version-release format, e.g. 0:2.17-55.0.4.el7_0.3. Used only in OVAL checks. The OVAL state uses the operation "greater than or equal" to compare the collected package version with the version in the OVAL state.
Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart

package_removed
Checks if the given package is not installed.
Parameters:
pkgname - name of the RPM or DEB package, e.g. tmux
Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Kickstart

key_value_pair_in_file
Checks if a given key and value are configured in a file. The check passes if the file has multiple occurrences of key as long as they all have the same value. If multiple occurrences of key have conflicting values, the check will evaluate to fail. When the remediation is applied, duplicate occurrences of key are removed.
Parameters:
path - path to the file to check.
prefix_regex - optional, default is ^\s*. Regular expression describing the characters allowed before key.
key - name of the key to check and remediate.
sep - optional, default is =. The separator between key and value.
sep_regex - optional, default is \s*=\s*. Set this if you set sep. The regular expression should match the separator sep.
value - the value the key should have in the specified path.
app - optional. If not set the check will use the default text "The respective application or service". If set, the app is used within sentences like: "application is configured correctly and configuration file exists".
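
To make the duplicate-key semantics concrete, here is an added Python model (not the project's own code) of the key_value_pair_in_file check and remediation: every occurrence of key must carry value for the check to pass, conflicting duplicates fail it, and the remediation keeps one occurrence and drops the rest. The sample file contents are constructed, and matching the value as a run of non-blank characters is an assumption of this model.

```python
import re
from typing import Iterable, List

DEFAULT_PREFIX_REGEX = r"^\s*"     # template default for prefix_regex
DEFAULT_SEP = "="                  # template default for sep
DEFAULT_SEP_REGEX = r"\s*=\s*"     # template default for sep_regex


def key_pattern(key: str, prefix_regex: str = DEFAULT_PREFIX_REGEX,
                sep_regex: str = DEFAULT_SEP_REGEX) -> re.Pattern:
    """Compile prefix + key + separator + value, mirroring the template's parameters.
    The value is taken as a run of non-blank characters (an assumption of this model)."""
    return re.compile(prefix_regex + re.escape(key) + sep_regex + r"(?P<value>\S+)\s*$")


def occurrences(lines: Iterable[str], key: str, prefix_regex: str = DEFAULT_PREFIX_REGEX,
                sep_regex: str = DEFAULT_SEP_REGEX) -> List[str]:
    """Values carried by every line that assigns `key`, in file order."""
    pattern = key_pattern(key, prefix_regex, sep_regex)
    return [m.group("value") for m in (pattern.match(line) for line in lines) if m]


def check(lines: Iterable[str], key: str, value: str, prefix_regex: str = DEFAULT_PREFIX_REGEX,
          sep_regex: str = DEFAULT_SEP_REGEX) -> bool:
    """Pass only when the key is present and all of its occurrences agree on `value`."""
    found = occurrences(lines, key, prefix_regex, sep_regex)
    return bool(found) and all(v == value for v in found)


def remediate(lines: Iterable[str], key: str, value: str, sep: str = DEFAULT_SEP,
              prefix_regex: str = DEFAULT_PREFIX_REGEX,
              sep_regex: str = DEFAULT_SEP_REGEX) -> List[str]:
    """Set the first occurrence to key<sep>value, drop the duplicates, append if absent."""
    pattern = key_pattern(key, prefix_regex, sep_regex)
    result: List[str] = []
    written = False
    for line in lines:
        if pattern.match(line):
            if not written:
                result.append(f"{key}{sep}{value}")
                written = True
            continue  # duplicate occurrence of key: removed
        result.append(line)
    if not written:
        result.append(f"{key}{sep}{value}")
    return result


# Constructed sample of a key=value style configuration file (not a real system file).
SAMPLE_CONFIG = [
    "# constructed example, not a real system file",
    "Storage = persistent",
    "Compress=yes",
    "Storage=volatile",
]

if __name__ == "__main__":
    print(check(SAMPLE_CONFIG, "Storage", "persistent"))   # conflicting duplicates fail
    print(remediate(SAMPLE_CONFIG, "Storage", "persistent"))
```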

pam_options
Checks if the parameters or arguments of a given Linux-PAM (Pluggable Authentication Modules) module in a given PAM configuration file are correctly specified. This template uses regular expressions to match the module parameters and their respective values, if any. A parameter can be added if absent, modified when its value doesn't match the expected value, or removed when present. There are two ways to specify a PAM module parameter: either using an XCCDF variable or using argument value matching. Use an XCCDF variable in a situation where the parameter value is expected to be configurable/selectable by the user, e.g. ucredit=<var_pam_password_ucredit.var>. Otherwise, argument value matching is advised.
Parameters:
path - the complete path to the PAM configuration file, e.g. /etc/pam.d/common-password
type - (required) PAM type, e.g. password
control_flag - (required) PAM control flag, e.g. requisite
module - (required) PAM module, e.g. pam_cracklib.so
arguments - (optional) parameters or arguments for the PAM module. A PAM module can have multiple arguments, specified as a list of dictionaries. The following are acceptable parameters for each argument:
    variable - (optional) PAM module argument/parameter name, e.g. ucredit, ocredit. Use this parameter in a situation where the PAM module argument is configurable/selectable by the user. The var_password_pam_<variable name>.var XCCDF variable must be defined when using this parameter. This parameter must be used in conjunction with the operation parameter. Also, this parameter is mutually exclusive with the argument parameter.
    operation - (optional) OVAL operation, e.g. less than or equal. This parameter must be used in conjunction with the variable parameter.
    argument - (optional) the name of the PAM module argument, e.g. dcredit. It is mutually exclusive with the variable parameter; therefore, it must be absent when variable is present.
    argument_match - (optional) the regular expression to match the argument value. It is optional when the argument has no value, or when the argument is to be removed; in these cases the parameter is not required and will be ignored if present. It is required when a value argument needs to be added or modified.
    argument_value - (optional) the expected argument value for a value argument to be added or modified, used when the argument_match regular expression fails to yield a match. The argument's existing value will be replaced by argument_value. When the argument has no value, or when the argument is to be removed, this parameter is not required and will be ignored. It is required when a value argument needs to be added or modified.
    new_argument - (optional) the argument to be added if not already present, e.g. dcredit=-1. It is required when the argument is not already present and needs to be added.
    remove_argument - (optional) the argument will be removed if it is present. This parameter must not be specified when the argument is being added or modified.
Languages: Ansible, OVAL

sebool
Checks values of SELinux booleans.
Parameters:
seboolid - name of the SELinux boolean, e.g. cron_userdomain_transition
sebool_bool - the value of the SELinux boolean. Can be either "true" or "false". If this parameter is not specified, the rule will use the XCCDF Value var_<seboolid>. These XCCDF Values are usually defined in the same directory where the rule.yml that describes the rule is located. The seboolid will be replaced by a SELinux boolean, for example selinuxuser_execheap, and in the profile you can use var_selinuxuser_execheap to turn the SELinux boolean on or off.
Languages: Ansible, Bash, OVAL

service_disabled
Checks if a service is disabled. Uses either systemd or SysV init based on the product configuration in product.yml.
Parameters:
servicename - name of the service.
packagename - name of the package that provides this service. This argument is optional. If packagename is not specified, the name of the package is taken to be the same as the name of the service.
daemonname - name of the daemon. This argument is optional. If daemonname is not specified, the name of the daemon is taken to be the same as the name of the service.
Languages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint, Kickstart

service_enabled
Checks if a system service is enabled. Uses either systemd or SysV init based on the product configuration in product.yml.
Parameters:
servicename - name of the service.
packagename - name of the package that provides this service. This argument is optional. If packagename is not specified, the name of the package is taken to be the same as the name of the service.
daemonname - name of the daemon. This argument is optional. If daemonname is not specified, the name of the daemon is taken to be the same as the name of the service.
Languages: Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart

shell_lineinfile
Checks shell variable assignments in files. Remediations will write assignments with single shell quotes, unless there is a dollar sign in the value string, in which case double quotes are used. The OVAL check accepts a match with any of: no quotes, a single-quoted string, or a double-quoted string.
Parameters:
path - what file to check.
parameter - name of the shell variable, e.g. SHELL.
value - value of the shell variable specified by parameter, e.g. "/bin/bash". Don't pass extra shell quoting; that will be handled at the lower level.
no_quotes - if set to "true", the assigned value has to be without quotes during the check, and the remediation doesn't quote assignments either.
missing_parameter_pass - effective only in OVAL checks; if set to "false" and the parameter is not present in the configuration file, the OVAL check will return false (default value: "false").
Languages: Ansible, Bash, OVAL
Example: A template invocation specifying that parameter HISTSIZE should be set to value 500 in /etc/profile will produce a check that passes if any of the following lines is present in /etc/profile:
HISTSIZE=500
HISTSIZE="500"
HISTSIZE='500'
The remediation would insert one of the quoted forms if the line was not present. If no_quotes were set in the template, only the first form would be checked for, and the unquoted assignment would be inserted into the file by the remediation if not present.
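
The quoting rules described above, as an added Python model (not the template's own Bash or OVAL): the check accepts the unquoted, double-quoted and single-quoted forms unless no_quotes is set, and the remediation picks single quotes, or double quotes when the value contains a dollar sign. Anchoring the match at the start of the line and the sample /etc/profile fragment are assumptions of this model.

```python
import re
from typing import Iterable, List


def assignment_pattern(parameter: str, value: str, no_quotes: bool = False) -> re.Pattern:
    """Regex matching PARAMETER=value in the forms the OVAL check accepts:
    bare, "double-quoted" or 'single-quoted'; only bare when no_quotes is set."""
    p, v = re.escape(parameter), re.escape(value)
    rhs = v if no_quotes else rf"(?:{v}|\"{v}\"|'{v}')"
    return re.compile(rf"^\s*{p}={rhs}\s*$")


def check(lines: Iterable[str], parameter: str, value: str, no_quotes: bool = False) -> bool:
    """True when some line already carries the expected assignment."""
    pattern = assignment_pattern(parameter, value, no_quotes)
    return any(pattern.match(line) for line in lines)


def remediation_line(parameter: str, value: str, no_quotes: bool = False) -> str:
    """The line a remediation would write: single quotes by default, double quotes
    when the value contains '$' (so the shell still expands it), none with no_quotes."""
    if no_quotes:
        return f"{parameter}={value}"
    if "$" in value:
        return f'{parameter}="{value}"'
    return f"{parameter}='{value}'"


def remediate(lines: Iterable[str], parameter: str, value: str,
              no_quotes: bool = False) -> List[str]:
    """Append the assignment when the check would fail; leave compliant files untouched."""
    lines = list(lines)
    if check(lines, parameter, value, no_quotes):
        return lines
    return lines + [remediation_line(parameter, value, no_quotes)]


# Constructed /etc/profile fragment for the demonstration (not a real system file).
SAMPLE_PROFILE = [
    "# constructed /etc/profile fragment",
    "umask 022",
    'HISTSIZE="500"',
]

if __name__ == "__main__":
    print(check(SAMPLE_PROFILE, "HISTSIZE", "500"))                    # quoted form accepted
    print(check(SAMPLE_PROFILE, "HISTSIZE", "500", no_quotes=True))    # rejected with no_quotes
    print(remediation_line("PATH", "$PATH:/usr/local/sbin"))           # double quotes for '$'
```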

socket_disabled
Ensures that a systemd socket is masked.
Parameters:
socketname - name of the socket without the ".socket" extension
packagename - name of the package providing the socket file; if no package name is provided, socketname is used. Currently, the package name is used when running Automatus test scenarios.
Languages: Ansible, Bash, OVAL

sshd_lineinfile
Checks SSH server configuration items in /etc/ssh/sshd_config, or in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf in case of Fedora or RHEL9 and newer.
Parameters:
parameter - name of the SSH configuration option, e.g. KerberosAuthentication
value - value of the SSH configuration option specified by parameter, e.g. "no". This cannot be specified together with the xccdf_variable parameter.
xccdf_variable - specifies an XCCDF variable to use as the value for the specified parameter. This parameter conflicts with the value parameter.
datatype - specifies the datatype of the value or xccdf_variable. Possible options are int or string. The datatype is used for creating correct templated test scenarios.
missing_parameter_pass - effective only in OVAL checks; if set to "false" and the parameter is not present in the configuration file, the OVAL check will return false (default value: "false").
is_default_value - effective only in Ansible and Bash remediation; if set to "true", settings will be remediated into a file called (in case of Fedora or RHEL9 and newer) /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
Languages: Ansible, Bash, OVAL, Kubernetes

sudo_defaults_option
This template ensures a sudo Defaults option is enabled in /etc/sudoers or in /etc/sudoers.d/*. The template can check for options with and without parameters. The remediations add the Defaults option to the /etc/sudoers file.
Parameters:
option - name of the sudo Defaults option to enable.
option_regex_suffix - suffix of the pattern to match after option; defaults to =(\w+)\b.
parameter_variable - name of the XCCDF variable to get the value for the option parameter (optional; if not set the check and remediation won't use parameters).
default_is_enabled - set to "true" if the option is enabled by default for the product. In this case, the check will pass even if the option is not explicitly set. If parameter_variable is used this is forced to "false": as the Value selector can be changed by tailoring at scan-time, the default value would need to be defined at compile-time, and this is not supported at the moment. (optional, default value is "false".)
Languages: Ansible, Bash, OVAL
Examples:
template:
    name: sudo_defaults_option
    vars:
        option: noexec
This will generate:
A check that asserts Defaults noexec is present in /etc/sudoers or /etc/sudoers.d/. Defaults with multiple options are also accepted, e.g. Defaults ignore_dot,noexec,use_pty.
A remediation that adds Defaults noexec to /etc/sudoers.
template:
    name: sudo_defaults_option
    vars:
        option: umask
        variable_name: var_sudo_umask
The default selected value of var_sudo_umask is "0022". Hence, the template key will generate:
A check that asserts Defaults umask=0022 is present in /etc/sudoers or /etc/sudoers.d/. Defaults with multiple options are also accepted, e.g. Defaults ignore_dot,umask=0022,use_pty.
A remediation that adds Defaults umask=0022 to /etc/sudoers.
The selected value can be changed in the profile (consult the actual variable for valid selectors), e.g.:
- var_sudo_umask=0027
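
An added Python model (not the template's generated OVAL or Bash) of the check and remediation the two invocations above produce: it finds the option inside comma-separated Defaults lists, applies option_regex_suffix to extract a parameter value, and appends a Defaults line only when the option is missing. The sudoers fragment is constructed, and Defaults lines qualified by user, host or command (Defaults:user ...) are deliberately not handled by this model.

```python
import re
from typing import Iterable, List, Optional

DEFAULT_OPTION_REGEX_SUFFIX = r"=(\w+)\b"   # the template's default option_regex_suffix
DEFAULTS_LINE = re.compile(r"^\s*Defaults\s+(?P<options>.+?)\s*$")


def defaults_options(lines: Iterable[str]) -> List[str]:
    """Every option listed on any 'Defaults' line, splitting comma-separated lists
    such as 'Defaults ignore_dot,noexec,use_pty' into individual items."""
    items: List[str] = []
    for line in lines:
        m = DEFAULTS_LINE.match(line)
        if m:
            items.extend(part.strip() for part in m.group("options").split(","))
    return items


def option_value(items: Iterable[str], option: str,
                 option_regex_suffix: str = DEFAULT_OPTION_REGEX_SUFFIX) -> Optional[str]:
    """Parameter value of `option` as captured by option + option_regex_suffix
    (e.g. umask=0022 -> '0022'), or None when no such item is present."""
    pattern = re.compile(re.escape(option) + option_regex_suffix)
    for item in items:
        m = pattern.fullmatch(item)
        if m:
            return m.group(1)
    return None


def check(lines: Iterable[str], option: str, parameter: Optional[str] = None,
          option_regex_suffix: str = DEFAULT_OPTION_REGEX_SUFFIX) -> bool:
    """Without a parameter: the bare option must be listed ('!option' does not count).
    With a parameter: the option must be present with exactly that value."""
    items = defaults_options(lines)
    if parameter is None:
        return option in items
    return option_value(items, option, option_regex_suffix) == parameter


def remediate(lines: Iterable[str], option: str, parameter: Optional[str] = None,
              option_regex_suffix: str = DEFAULT_OPTION_REGEX_SUFFIX) -> List[str]:
    """Append 'Defaults option' or 'Defaults option=parameter' when the check fails."""
    lines = list(lines)
    if check(lines, option, parameter, option_regex_suffix):
        return lines
    entry = option if parameter is None else f"{option}={parameter}"
    return lines + [f"Defaults {entry}"]


# Constructed /etc/sudoers fragment (not a real system file).
SAMPLE_SUDOERS = [
    "# constructed sudoers fragment",
    "Defaults    !visiblepw",
    "Defaults ignore_dot,umask=0022,use_pty",
    "root    ALL=(ALL)    ALL",
]

if __name__ == "__main__":
    print(check(SAMPLE_SUDOERS, "noexec"))            # missing -> False
    print(check(SAMPLE_SUDOERS, "umask", "0022"))     # present with value -> True
    print(remediate(SAMPLE_SUDOERS, "umask", "0027")[-1])
```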

sysctl
Checks sysctl parameters. The OVAL definition checks both the static configuration and the runtime settings and requires both of them to be set to the desired value to return true.
The following file and directories are checked for static sysctl configuration:
/etc/sysctl.conf
/etc/sysctl.d/*.conf
/run/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf (does not apply to RHEL and OL)
A sysctl option is allowed to be defined in more than one file within the scanned directories as long as those values are compliant.
Parameters:
sysctlvar - name of the sysctl value, e.g. net.ipv4.conf.all.secure_redirects.
datatype - data type of the sysctl value, e.g. int.
sysctlval - value of the sysctl value. This can be either not specified, an atomic value, e.g. '1', or a list of values, e.g. ['1','2']. If this parameter is not specified, an XCCDF Value is used instead in the OVAL check and remediations. The XCCDF Value should have a file name in the form "sysctl_" + $escaped_sysctlvar + "_value.var", where escaped_sysctlvar is the value of the sysctlvar parameter in which all characters that don't match the \w regular expression are replaced by an underscore (_). If this parameter is set to an atomic value, this atomic value will be used in the OVAL check and remediations. If this parameter is set to a list of values, the list will be used in the OVAL check, but won't be used in the remediations; all remediations will use an XCCDF value instead.
wrong_sysctlval_for_testing - a value that is always wrong. This will be used in templated test scenarios when sysctlval is a list.
missing_parameter_pass - if set to true the check will pass if the setting for the given sysctlvar is not present in the sysctl configuration files. In other words, the check will pass if the system default isn't overridden by configuration. Default value: false.
operation - operation used for comparison of the collected object with sysctlval. Default value: equals.
sysctlval_regex - if operation is pattern match, this parameter is used instead of sysctlval.
check_runtime - whether to generate checks for the runtime configuration. Default value: true.
In case the sysctl_remediate_drop_in_file property is set to true in the product file, the remediation scripts will set the variable with the correct value in a drop-in file /etc/sysctl.d/var_name.conf.
Languages: Ansible, Bash, OVAL
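
An added Python model of the sysctl check semantics described above (not the template's OVAL): it derives the fallback XCCDF Value file name from sysctlvar, collects every static definition across the scanned files, accepts multiple definitions only while all are compliant (an atomic sysctlval or a list), combines that with the runtime value, and honours missing_parameter_pass and check_runtime. File contents and runtime values are constructed dicts; treating '/' and '.' as interchangeable key separators is an assumption of this model.

```python
import re
from typing import Dict, List, Sequence, Union

SysctlVal = Union[str, Sequence[str]]


def xccdf_value_filename(sysctlvar: str) -> str:
    """Name of the XCCDF Value file the template falls back to when sysctlval is
    unset: "sysctl_" + escaped_sysctlvar + "_value.var", where every character
    of sysctlvar not matching the \\w regex becomes an underscore."""
    escaped_sysctlvar = re.sub(r"[^\w]", "_", sysctlvar)
    return f"sysctl_{escaped_sysctlvar}_value.var"


def static_values(files: Dict[str, str], sysctlvar: str) -> List[str]:
    """Every assignment of sysctlvar found in the static configuration.
    `files` maps a path (e.g. /etc/sysctl.conf, /etc/sysctl.d/*.conf) to its
    contents; '/' and '.' are accepted interchangeably in keys (an assumption of
    this model); comments and unrelated keys are ignored."""
    wanted = sysctlvar.replace("/", ".")
    assignment = re.compile(r"^\s*([\w./]+)\s*=\s*(.*?)\s*$")
    values: List[str] = []
    for content in files.values():
        for line in content.splitlines():
            m = assignment.match(line)
            if m and m.group(1).replace("/", ".") == wanted:
                values.append(m.group(2))
    return values


def sysctl_check(files: Dict[str, str], runtime: Dict[str, str], sysctlvar: str,
                 sysctlval: SysctlVal, missing_parameter_pass: bool = False,
                 check_runtime: bool = True) -> bool:
    """The 'equals' operation: every static definition must be allowed (the atomic
    value, or any member of a list sysctlval) and, unless check_runtime is false,
    the runtime value must be allowed too.  With no static definition at all the
    static half passes only when missing_parameter_pass is set."""
    allowed = {sysctlval} if isinstance(sysctlval, str) else set(sysctlval)
    values = static_values(files, sysctlvar)
    static_ok = all(v in allowed for v in values) if values else missing_parameter_pass
    runtime_ok = (not check_runtime) or runtime.get(sysctlvar) in allowed
    return static_ok and runtime_ok


# Constructed configuration files and runtime state (not read from a real host).
SAMPLE_FILES = {
    "/etc/sysctl.conf": "# constructed\nnet.ipv4.conf.all.secure_redirects = 0\n",
    "/etc/sysctl.d/99-local.conf": "net/ipv4/conf/all/secure_redirects=0\n"
                                   "kernel.randomize_va_space = 2\n",
}
SAMPLE_RUNTIME = {
    "net.ipv4.conf.all.secure_redirects": "0",
    "kernel.randomize_va_space": "2",
    "kernel.kptr_restrict": "1",
}

if __name__ == "__main__":
    print(xccdf_value_filename("net.ipv4.conf.all.secure_redirects"))
    print(sysctl_check(SAMPLE_FILES, SAMPLE_RUNTIME,
                       "net.ipv4.conf.all.secure_redirects", "0"))
```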

systemd_dropin_configuration
Checks if a systemd-style configuration exists either in the main file or in any file within the specified drop-in directory. The remediation tries to modify already existing configuration: if the correct section is found and the parameter exists, its value is changed to match the desired one; if the section is found but the parameter does not exist, it is added to this section; if none of the inspected files contains the desired section, a new file called complianceascode_hardening.conf is created within the drop-in directory.
Parameters:
master_cfg_file - the main configuration file to check, e.g. /etc/systemd/journald.conf
dropin_dir - the respective drop-in directory, e.g. the /etc/systemd/journald.conf.d directory when keeping to the example mentioned above
section - the section of the systemd file
param - the parameter to be configured
value - the value of the parameter
no_quotes - if set to "true", the value will not be enclosed in quotes
missing_parameter_pass - effective only in OVAL checks; if set to "false" and the parameter is not present in the configuration file, the OVAL check will return false (default value: "false").
Languages: Ansible, Bash, OVAL

systemd_mount_enabled
Checks if a systemd mount unit is enabled.
Parameters:
mountname - name of the systemd mount unit, without the .mount suffix, e.g. tmp
Languages: Anaconda, Ansible, Bash, OVAL

timer_enabled
Checks if a systemd timer unit is enabled.
Parameters:
timername - name of the systemd timer unit, without the timer suffix, e.g. dnf-automatic.
packagename - name of the RPM package which provides the systemd timer unit. This parameter is optional; if it is not provided, it is assumed that the name of the RPM package is the same as the name of the systemd timer unit.
Languages: Ansible, Bash, OVAL
yamlfile_value
Check if value(s) of a certain type is (are) present in a YAML (or JSON) file at a given path.
Parameters:
ocp_data - if set to "true" then the filepath would be treated as a part of the dump of OCP configuration with the ocp_data_root prefix; optional.
filepath - full path to the file to check
filepath_suffix - suffix to the filepath; optional.
yamlpath - OVAL's YAML Path expression.
entity_check (CheckEnumeration) - entity_check value for the state's value, optional. If omitted, the entity_check attribute would not be set and will be treated by OVAL as all. Possible options are all, at least one, none satisfy and only one.
check_existence (ExistenceEnumeration) - check_existence value for the yamlfilecontent_test, optional. If omitted, the check_existence attribute will default to only_one_exists. Possible options are all_exist, any_exist, at_least_one_exists, none_exist, only_one_exists.
xccdf_variable - XCCDF variable selector. Use this field if the comparison involves checking for a value selected by an XCCDF variable.
embedded_data - if set to "true" and used combined with xccdf_variable, the data retrieved by yamlpath is considered as a blob and the field value has to contain a capture regex.
regex_data - if set to "true" and combined with xccdf_variable, it will use the value of xccdf_variable as a regex and does a pattern match operation instead of an equals operation.
check_existence_yamlpath - optional YAML Path that could be set to ensure that the target sequence from yamlpath has all required sub-elements. It is helpful when the yamlpath is targeting a map inside a sequence, and the document could be missing a key in that map (e.g. $.seq[:].obj.item.key_that_might_be_missing). When check_existence_yamlpath is set to a path like $.seq[:].obj.item.key_that_always_exists (or $.seq[:].obj.key_that_always_exists) the template will create a check that counts elements in both paths and fails if the amounts are not equal. This check has a limitation: both check_existence_yamlpath and yamlpath have to point to a scalar value for it to work correctly (that is, the path $.seq[:].obj.item won't work).
values - a list of dictionaries with values to check, where:
    key - the yaml key to check, optional. Used when the yamlpath expression yields a map.
    value - the value to check. If used in combination with xccdf_variable and embedded_data, this field must have a regex with a capture group. The value captured by the regex will be compared with the value of the variable referenced by xccdf_variable.
    type (SimpleDatatypeEnumeration) - datatype for the state's field (child of value), optional. If omitted, the datatype would be treated as OVAL's default string. The most common datatypes are string and int. For the complete list check the reference link.
    operation (OperationEnumeration) - operation value for the state's field (child of value), optional. If omitted, the operation attribute would not be set. OVAL's default operation is equals. The most common operations are equals, not equal, pattern match, greater than or equal and less than or equal. For the complete list of operations check the reference link.
    entity_check (CheckEnumeration) - entity_check value for the state's field (child of value), optional. If omitted, the entity_check attribute would not be set and will be treated by OVAL as all. Possible options are all, at least one, none satisfy and only one.
Languages: OVAL
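The element-counting check that check_existence_yamlpath produces, and its scalar-only limitation, as an added Python illustration rather than the project's generated OVAL; the mini path evaluator covers only the $.key and [:] steps used in the examples above, and the two sample documents are constructed.

```python
import re

# Added illustration (not the project's OVAL output) of the counting check that
# check_existence_yamlpath produces. evaluate() handles only the subset of YAML
# Path used in the examples above: '$', '.key' and '[:]' over a sequence. It runs
# on an already-parsed document (dict/list, as yaml.safe_load or json.loads give).

def evaluate(doc, path):
    """Return the list of nodes reached by `path` in `doc`."""
    tokens = re.findall(r"\[:\]|[^.\[\]]+", path)
    if not tokens or tokens[0] != "$":
        raise ValueError("path must start with '$'")
    nodes = [doc]
    for tok in tokens[1:]:
        nxt = []
        for node in nodes:
            if tok == "[:]":
                if isinstance(node, list):
                    nxt.extend(node)          # fan out over every sequence item
            elif isinstance(node, dict) and tok in node:
                nxt.append(node[tok])         # a missing key simply yields nothing
        nodes = nxt
    return nodes

def existence_check_passes(doc, yamlpath, check_existence_yamlpath):
    """True when both paths reach the same number of scalar values, i.e. no
    element of the sequence is missing the key targeted by yamlpath."""
    target = evaluate(doc, yamlpath)
    reference = evaluate(doc, check_existence_yamlpath)
    # Documented limitation: both paths must point to scalars, not maps/sequences.
    for node in target + reference:
        if isinstance(node, (dict, list)):
            raise ValueError("both paths must resolve to scalar values")
    return len(target) == len(reference)

# Constructed sample documents: in DOC_MISSING the second item lacks 'key'.
DOC_COMPLETE = {"seq": [{"obj": {"item": {"key": "a", "always": 1}}},
                        {"obj": {"item": {"key": "b", "always": 2}}}]}
DOC_MISSING = {"seq": [{"obj": {"item": {"key": "a", "always": 1}}},
                       {"obj": {"item": {"always": 2}}}]}
```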
Creating Templates
The set of currently available templates can be extended by developing a new template.
1. Create a new subdirectory within the shared/templates directory. The name of the new subdirectory will become the template name.
2. For each language supported by this template, create a corresponding file within the template directory. File names should have the format LANG.template, where LANG is the language identifier in lower case, e.g. oval.template, bash.template etc. Use the Jinja syntax we use elsewhere in the project; refer to the earlier section on Jinja macros for more information. The parameters should be named using uppercase letters, because the keys from rule.yml are converted to uppercase by the code that substitutes the parameters into the template. Notice that OVAL should be written in shorthand format. This is an example of an OVAL template file called oval.template within the package_installed directory:

```xml
<def-group>
  <definition class="compliance" id="package_{{{ PKGNAME }}}_installed" version="1">
    <metadata>
      <title>Package {{{ PKGNAME }}} Installed</title>
      <affected family="unix">
        <platform>multi_platform_all</platform>
      </affected>
      <description>The {{{ pkg_system|upper }}} package {{{ PKGNAME }}} should be installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package {{{ PKGNAME }}} is installed" test_ref="test_package_{{{ PKGNAME }}}_installed" />
    </criteria>
  </definition>
  {{{ oval_test_package_installed(package=PKGNAME, evr=EVR, test_id="test_package_"+PKGNAME+"_installed") }}}
</def-group>
```

And here is the Ansible template file called ansible.template within the package_installed directory:

```yaml
# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
# disruption = low
- name: Ensure {{{ PKGNAME }}} is installed
  package:
    name: "{{{ PKGNAME }}}"
    state: present
```

3. Create a file called template.yml within the template directory. This file stores template metadata. Currently, it stores the list of supported languages. Note that each language listed in this file must have an associated implementation file with the .template extension, see above. An example can look like this:

```yaml
supported_languages:
  - ansible
  - bash
  - ignition
  - kubernetes
  - oval
  - puppet
```

4. If needed, implement a preprocessing function which will process the parameters before passing them to the Jinja engine. For example, this function can provide default values, escape characters, check if parameters are correct, or perform any other processing of the parameters specific to the template.
The function should be called preprocess and should be located in the file template.py within the template directory. The function must have 2 parameters:
data - dictionary which contains the contents of the vars: dictionary from rule.yml
lang - string describing the language, can be one of: "anaconda", "ansible", "bash", "oval", "puppet", "ignition", "kubernetes"
The function is executed for every supported language, so it can process the data differently for each language.
The function must always return the (modified) data dictionary. The following example shows the file template.py for the template mount_option. The code takes the data argument, which is a dictionary with template parameters from rule.yml, and based on lang it modifies the template parameters and returns the modified dictionary.

```python
import re

def preprocess(data, lang):
    if lang == "oval":
        # OVAL IDs cannot contain '-', '.' or '/', so derive a safe id from the mount point
        data["pointid"] = re.sub(r"[-\./]", "_", data["mountpoint"]).lstrip("_")
    else:
        # remediation languages expect the mount options as a comma-separated list
        data["mountoption"] = re.sub(" ", ",", data["mountoption"])
    return data
```
Filters
You can use Jinja macros and Jinja filters in the template code. ComplianceAsCode supports all built-in Jinja filters.
There are also some custom filters useful for content authoring defined in the project:
banner_anchor_wrap
Wrap banner text as regex, no quoting.
banner_regexify
Wrap banner text in such a way that a space (' ') is replaced with [\\s\\n] and a newline ('\n') with (?:[\\n]+|(?:\\\\n)+).
escape_id
Replaces all non-word (regex \W) characters with underscore. Useful for sanitizing ID strings as it is compatible with OVAL IDs oval:[A-Za-z0-9_\-\.]+:ste:[1-9][0-9]*.
escape_regex
Escapes characters in the string so that it can be used as a part of a regular expression; behaves similarly to Python 3's re.escape.
escape_yaml_key
Escapes uppercase letters and ^ with an additional ^ and converts letters to lowercase. This is because of OVAL's name argument limitations.
quote
Escapes a string to be used as a POSIX shell value, like Ansible's quote.
sha256
Get the SHA-256 hexdigest of the value.