OVAL

TEMPLATE oval_check_config_file

High level macro which checks if a particular combination of parameter and value in a configuration file is set. This macro can take ten parameters:

  • path (str): Path to the configuration file to be checked.

  • prefix_regex (str): Regular expression to be used in the beginning of the OVAL text file content check.

  • parameter (str): The parameter to be checked in the configuration file.

  • value (str): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • separator_regex (str): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • application (str): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.

  • section (str): If set, the parameter will be checked only within the given section defined by [section].

  • quotes (str): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.

oval_check_config_file(path='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='')

TEMPLATE oval_line_in_file_criterion

Macro to define the criterion of the OVAL check (Criterion definition). This macro can take three parameters:

  • path (String): Path to the configuration file to be checked.

  • parameter (String): The parameter to be checked in the configuration file.

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false)

TEMPLATE oval_line_in_file_test

Macro to define the OVAL test to be constructed (Test definition). This macro can take three parameters:

  • path (String): Path to the configuration file to be checked.

  • parameter (String): The parameter to be checked in the configuration file.

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false)

TEMPLATE oval_line_in_file_object

Macro to check if a parameter in a configuration file is set (Object definition). This macro can take six parameters:

  • path (String): Path to the configuration file to be checked.

  • section (String): If set, the parameter will be checked only within the given section defined by [section].

  • prefix_regex (String): Regular expression to be used in the beginning of the OVAL text file content check.

  • parameter (String): The parameter to be checked in the configuration file.

  • separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

oval_line_in_file_object(path='', section='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='')

TEMPLATE oval_line_in_file_state

Macro to check if an expected value can be found in the extracted information of an OVAL object (State definition). This macro can take two parameters:

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\"", which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.

oval_line_in_file_state(value='', multi_value='', quotes='')

TEMPLATE oval_config_file_exists_criterion

Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition). This macro can take one parameter:

  • path (String): Path to the configuration file to be checked.

oval_config_file_exists_criterion(path='')

TEMPLATE oval_config_file_exists_test

Macro to define the OVAL test to check if the configuration file exists (Test definition). This macro can take one parameter:

  • path (String): Path to the configuration file to be checked.

oval_config_file_exists_test(path='')

TEMPLATE oval_file_absent_criterion

Macro to define the OVAL criterion that requires a file not to exist. Parameters:

  • filepath (String): Path to the file to be checked.

  • id of the test name - the test will be named test_<id>

oval_file_absent_criterion(filepath)

TEMPLATE oval_file_absent

Macro to define the OVAL test to check if the configuration file exists (Test definition). Parameters:

  • filepath (String): Path to the configuration file to be checked.

  • id of the test name - the test will be named test_<id>, the respective object object_<id> etc.

oval_file_absent(filepath)

TEMPLATE oval_config_file_exists_object

Macro to define the OVAL object to check if the configuration file exists (Object definition). This macro can take one parameter:

  • path (String): Path to the configuration file to be checked.

oval_config_file_exists_object(path='')

TEMPLATE oval_argument_value_in_line_criterion

Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition). Parameters:

  • filepath (String): Path to the file to be checked.

  • name (String): Argument name

  • value (String): Argument value (Optional)

  • application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • negate (Boolean): Whether to negate this criterion or not

oval_argument_value_in_line_criterion(filepath, name, value='', application='', negate=False)

TEMPLATE oval_argument_value_in_line_test

Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition). Parameters:

  • filepath (String): Path to the configuration file to be checked. The operation is “pattern match”

  • name (String): Argument name

  • value (String): Argument value (Optional)

  • line_prefix (String): The starting part of the line with the list of arguments, default is empty

  • line_suffix (String): The ending part of the line with the list of arguments, default is empty

  • is_regex (Boolean): Defines whether the given name or value is a regex

oval_argument_value_in_line_test(filepath, name, value, line_prefix='', line_suffix='', is_regex=False)

TEMPLATE oval_argument_value_in_line

High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value. Parameters:

  • filepath (String): Path to the configuration file to be checked.

  • name (String): Argument name

  • value (String): Argument value

  • line_prefix (String): The starting part of the line with the list of arguments, default is empty

  • line_suffix (String): The ending part of the line with the list of arguments, default is empty

  • application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

oval_argument_value_in_line(filepath, name, value, line_prefix='', line_suffix='')

TEMPLATE oval_sshd_config

High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. This macro can take five parameters:

  • parameter (String): The parameter to be checked in the configuration file.

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.

We specify a case insensitive comparison in the prefix because sshd_config has case-insensitive parameters (but case-sensitive values).

oval_sshd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
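
The parameters documented for oval_check_config_file, the quotes handling of oval_line_in_file_state and the case-insensitive prefix noted for oval_sshd_config, modelled in Python as an added example. This is not the project's macro code or the OVAL it generates; the function check_config_text, the sample inputs and the rule that every occurrence of the parameter must match are assumptions made for illustration.

```python
import re

def check_config_text(text, parameter, value, prefix_regex=r"^[ \t]*",
                      separator_regex=r"[ \t]+", missing_parameter_pass=False,
                      quotes=""):
    """Simplified model of the documented parameters, not the generated OVAL."""
    # Object: prefix + parameter + separator locate a line; the rest is captured.
    # Assumption: the parameter name is a literal string, so it is escaped.
    obj = re.compile(prefix_regex + re.escape(parameter) + separator_regex
                     + r"(.*?)[ \t]*$", re.MULTILINE)
    # State: the captured text must equal value, optionally wrapped in one level
    # of matching quotes; the backreference \1 forces both quotes to be the same.
    body = "(?:%s)" % value
    if quotes:
        body = "([%s]?)%s\\1" % (re.escape(quotes), body)
    state = re.compile(body)
    found = [m.group(1) for m in obj.finditer(text)]
    if not found:
        # A commented-out or misspelled parameter counts as "not present".
        return missing_parameter_pass
    # Assumption: every occurrence of the parameter must satisfy the state.
    return all(state.fullmatch(v) is not None for v in found)

# Constructed sample inputs.
SSHD = "#PermitRootLogin yes\npermitrootlogin no\n"
CI_PREFIX = r"(?i)^[ \t]*"  # case-insensitive name, case-sensitive value
SHELL_QUOTES = "'\""

def demo():
    sshd = lambda text, **kw: check_config_text(text, "PermitRootLogin", "no", **kw)
    umask = lambda text, q: check_config_text(text, "UMASK", "027",
                                              separator_regex="=", quotes=q)
    return {
        "sshd_lowercase_name": sshd(SSHD, prefix_regex=CI_PREFIX),
        "sshd_uppercase_value": sshd("PermitRootLogin NO\n", prefix_regex=CI_PREFIX),
        "commented_only": sshd("#PermitRootLogin yes\n"),
        "commented_only_missing_pass": sshd("#PermitRootLogin yes\n",
                                            missing_parameter_pass=True),
        "matching_quotes": umask('UMASK="027"\n', SHELL_QUOTES),
        "mismatched_quotes": umask("UMASK='027\"\n", SHELL_QUOTES),
        "quotes_not_allowed": umask('UMASK="027"\n', ""),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The commented_only_missing_pass case is the one to review when writing a rule: with missing_parameter_pass set, a file that never sets the parameter passes, so it should only be used when the application's default is the compliant value.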

TEMPLATE oval_check_shell_file

High level macro to check if a particular shell variable is set. This macro can take five parameters:

  • path (String): Path to the file.

  • parameter (String): The shell variable name.

  • value (String): The variable value WITHOUT QUOTES.

  • application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.

    If no_quotes is false, then one level of single or double quotes won’t be regarded as part of the value by the check.

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.

oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_auditd_config

High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. This function can take five parameters:

  • parameter (String): The parameter to be checked in the configuration file.

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.

oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_coredump_config_set

High level macro to set a parameter in /etc/systemd/coredump.conf. This function can take five parameters:

  • parameter (String): The parameter to be checked in the configuration file.

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.

oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_grub_config

High level macro to check if a particular combination of parameter and value in the grub configuration file is set. This macro can take five parameters:

  • parameter (String): The parameter to be checked in the configuration file.

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.

oval_grub_config(parameter='', value='', missing_parameter_pass=false, multi_value=true, missing_config_file_fail=false)

TEMPLATE application_not_required_or_requirement_unset

Macro to be removed. Prevents regression on sshd configuration rules.

application_not_required_or_requirement_unset()

TEMPLATE application_required_or_requirement_unset

Macro to be removed. Prevents regression on sshd configuration rules.

application_required_or_requirement_unset()

TEMPLATE oval_check_ini_file

High level macro which checks configuration in an INI file. This macro can take eight parameters:

  • path (String): Path to the configuration file to be checked.

  • section (String): The parameter will be checked only within the given section defined by [section].

  • parameter (String): The parameter to be checked in the configuration file.

  • value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.

oval_check_ini_file(path='', section='', parameter='', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=true)

TEMPLATE oval_test_package_removed

Creates OVAL tests with given test_id which checks if package is not installed.

oval_test_package_removed(package='', test_id='')

TEMPLATE oval_test_package_installed

Creates OVAL tests with given test_id which checks if package is installed. Optionally, it can check if a package of a given version (EVR) or newer version is present.

oval_test_package_installed(package='', evr='', test_id='')

TEMPLATE oval_ocp_service_runtime_config

Macro which generates OVAL test for OpenShift Container Platform runtime process configuration. Parameters:

  • command - command that executes the OpenShift process

  • option - command line option of the command

  • value - value of the option

  • option_id - used to build the OVAL test ID

The OVAL test ID is test_ocp_runtime_<option_id>.

oval_ocp_service_runtime_config(command='', option='', value='', option_id='')

TEMPLATE oval_file_contents

Macro which generates OVAL definition, test and object that check for contents of the file. Parameters:

  • filepath - filepath of the file to check

  • contents - contents that should be in the file

oval_file_contents(filepath='', filepath_id='', contents='')

TEMPLATE oval_metadata

Macro which generates the OVAL metadata section

  • title: Optional, the associated rule title is used by default.

  • affected_platforms: Optional, list of unix platform strings (e.g. “Fedora”) to put under the affected element.

Uses the oval_affected macro by default under the hood.

oval_metadata(description, title="", affected_platforms=None)