OVAL
- TEMPLATE oval_check_config_file
High level macro which checks if a particular combination of parameter and value in a configuration file is set. This macro can take ten parameters:
path (str): Path to the configuration file to be checked.
prefix_regex (str): Regular expression to be used in the beginning of the OVAL text file content check.
parameter (str): The parameter to be checked in the configuration file.
value (str): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
separator_regex (str): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
application (str): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.
section (str): If set, the parameter will be checked only within the given section defined by [section].
quotes (str): If non-empty, one level of matching quotes is considered when checking the value. See the comment of oval_line_in_file_state for more info.
oval_check_config_file(path='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='')
- TEMPLATE oval_line_in_file_criterion
Macro to define the criterion of the OVAL check (Criterion definition). This macro can take three parameters:
path (String): Path to the configuration file to be checked.
parameter (String): The parameter to be checked in the configuration file.
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false)
- TEMPLATE oval_line_in_file_test
Macro to define the OVAL test to be constructed (Test definition). This macro can take three parameters:
path (String): Path to the configuration file to be checked.
parameter (String): The parameter to be checked in the configuration file.
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false)
- TEMPLATE oval_line_in_file_object
Macro to check if a parameter in a configuration file is set (Object definition). This macro can take six parameters:
path (String): Path to the configuration file to be checked.
section (String): If set, the parameter will be checked only within the given section defined by [section].
prefix_regex (String): Regular expression to be used in the beginning of the OVAL text file content check.
parameter (String): The parameter to be checked in the configuration file.
separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
oval_line_in_file_object(path='', section='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='')
- TEMPLATE oval_line_in_file_state
Macro to check if an expected value can be found in the extracted information of an OVAL object (State definition). This macro can take two parameters:
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\"", which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
oval_line_in_file_state(value='', multi_value='', quotes='')
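A simplified Python model of the matching semantics documented for oval_check_config_file and oval_line_in_file_state (prefix, parameter, separator, value, missing_parameter_pass, quotes), added here as an illustration; it is not the project's macro code nor the OVAL those macros generate. The name check_config_text, the literal treatment of parameter, and the rule that every uncommented occurrence must carry the expected value are assumptions.

```python
import re

# Constructed sample input in sshd_config style (not from the project).
SAMPLE = """\
#PermitRootLogin yes
  PermitRootLogin no
Banner "/etc/issue"
"""

def check_config_text(text, parameter, value, prefix_regex=r"^[ \t]*",
                      separator_regex=r"[ \t]+", missing_parameter_pass=False,
                      quotes=""):
    """Hypothetical model of the documented check, not the generated OVAL."""
    # "Object": lines where prefix, parameter and separator match in order;
    # whatever follows the separator is the extracted value.
    # Assumption: parameter is treated as a literal string.
    obj = re.compile(prefix_regex + re.escape(parameter) + separator_regex
                     + r"(?P<val>.*?)[ \t]*$", re.MULTILINE)
    found = [m.group("val") for m in obj.finditer(text)]
    if not found:
        # Parameter absent (or only commented out): the default applies.
        return missing_parameter_pass
    # "State": value is a regular expression. With quotes set, accept one
    # level of quotes, but only if opening and closing characters match.
    if quotes:
        q = "[" + re.escape(quotes) + "]"
        state = re.compile("(?P<q>%s?)(?:%s)(?P=q)" % (q, value))
    else:
        state = re.compile("(?:%s)" % value)
    # Assumption: every uncommented occurrence must carry the expected value.
    return all(state.fullmatch(v) for v in found)
```

The commented-out `#PermitRootLogin yes` line never reaches the value comparison because the default prefix only allows leading spaces and tabs, which is why missing_parameter_pass decides the result when a setting exists only as a comment.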
- TEMPLATE oval_config_file_exists_criterion
Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition). This macro can take one parameter:
path (String): Path to the configuration file to be checked.
oval_config_file_exists_criterion(path='')
- TEMPLATE oval_config_file_exists_test
Macro to define the OVAL test to check if the configuration file exists (Test definition). This macro can take one parameter:
path (String): Path to the configuration file to be checked.
oval_config_file_exists_test(path='')
- TEMPLATE oval_file_absent_criterion
Macro to define the OVAL criterion that requires a file not to exist. Parameters:
filepath (String): Path to the file to be checked.
id of the test name - the test will be named test_<id>
oval_file_absent_criterion(filepath)
- TEMPLATE oval_file_absent
Macro to define the OVAL test to check if the configuration file exists (Test definition). Parameters:
filepath (String): Path to the configuration file to be checked.
id of the test name - the test will be named test_<id>, the respective object object_<id> etc.
oval_file_absent(filepath)
- TEMPLATE oval_config_file_exists_object
Macro to define the OVAL object to check if the configuration file exists (Object definition). This macro can take one parameter:
path (String): Path to the configuration file to be checked.
oval_config_file_exists_object(path='')
- TEMPLATE oval_argument_value_in_line_criterion
Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition). Parameters:
filepath (String): Path to the file to be checked.
name (String): Argument name
value (String): Argument value (Optional)
application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
negate (Boolean): Whether to negate this criterion or not
oval_argument_value_in_line_criterion(filepath, name, value='', application='', negate=False)
- TEMPLATE oval_argument_value_in_line_test
Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition). Parameters:
filepath (String): Path to the configuration file to be checked. The operation is “pattern match”
name (String): Argument name
value (String): Argument value (Optional)
line_prefix (String): The starting part of the line with the list of arguments, default is empty
line_suffix (String): The ending part of the line with the list of arguments, default is empty
is_regex (Boolean): Defines whether the given name or value is a regex
oval_argument_value_in_line_test(filepath, name, value, line_prefix='', line_suffix='', is_regex=False)
- TEMPLATE oval_argument_value_in_line
High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value. Parameters:
filepath (String): Path to the configuration file to be checked.
name (String): Argument name
value (String): Argument value
line_prefix (String): The starting part of the line with the list of arguments, default is empty
line_suffix (String): The ending part of the line with the list of arguments, default is empty
application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
oval_argument_value_in_line(filepath, name, value, line_prefix='', line_suffix='')
- TEMPLATE oval_sshd_config
High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. This macro can take five parameters:
parameter (String): The parameter to be checked in the configuration file.
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.
We specify a case insensitive comparison in the prefix because sshd_config has case-insensitive parameters (but case-sensitive values).
oval_sshd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_check_shell_file
High level macro to check if a particular shell variable is set. This macro can take five parameters:
path (String): Path to the file.
parameter (String): The shell variable name.
value (String): The variable value WITHOUT QUOTES.
application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes. If no_quotes is false, then one level of single or double quotes won’t be regarded as part of the value by the check.
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.
oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_auditd_config
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. This function can take five parameters:
parameter (String): The parameter to be checked in the configuration file.
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn’t exist in the system.
oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_coredump_config_set
High level macro to set a parameter in /etc/systemd/coredump.conf. This function can take five parameters:
parameter (String): The parameter to be checked in the configuration file.
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.
oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_grub_config
High level macro to check if a particular combination of parameter and value in the grub configuration file is set. This macro can take five parameters:
parameter (String): The parameter to be checked in the configuration file.
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.
oval_grub_config(parameter='', value='', missing_parameter_pass=false, multi_value=true, missing_config_file_fail=false)
- TEMPLATE application_not_required_or_requirement_unset
Macro slated for removal. Prevents regression on sshd configuration rules.
application_not_required_or_requirement_unset()
- TEMPLATE application_required_or_requirement_unset
Macro slated for removal. Prevents regression on sshd configuration rules.
application_required_or_requirement_unset()
- TEMPLATE oval_check_ini_file
High level macro which checks configuration in an INI file. This macro can take eight parameters:
path (String): Path to the configuration file to be checked.
section (String): The parameter will be checked only within the given section defined by [section].
parameter (String): The parameter to be checked in the configuration file.
value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
application (String): The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean): If set, the check will fail if the configuration file does not exist on the system.
oval_check_ini_file(path='', section='', parameter='', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=true)
- TEMPLATE oval_test_package_removed
Creates OVAL tests with the given test_id which check if the package is not installed.
oval_test_package_removed(package='', test_id='')
- TEMPLATE oval_test_package_installed
Creates OVAL tests with the given test_id which check if the package is installed. Optionally, it can check if a package of a given version (EVR) or newer version is present.
oval_test_package_installed(package='', evr='', test_id='')
- TEMPLATE oval_ocp_service_runtime_config
Macro which generates OVAL test for OpenShift Container Platform runtime process configuration. Parameters:
command - command that executes the OpenShift process
option - command line option of the command
value - value of the option
option_id - used to build the OVAL test ID
The OVAL test ID is test_ocp_runtime_<option_id>.
oval_ocp_service_runtime_config(command='', option='', value='', option_id='')
- TEMPLATE oval_file_contents
Macro which generates OVAL definition, test and object that check for contents of the file. Parameters:
filepath - filepath of the file to check
contents - contents that should be in the file
oval_file_contents(filepath='', filepath_id='', contents='')
- TEMPLATE oval_metadata
Macro which generates the OVAL metadata section
title: Optional, the associated rule title is used by default
affected_platforms: Optional, list of unix platform strings (e.g. “Fedora”) to put under the affected element.
Uses the oval_affected macro by default under the hood.
oval_metadata(description, title="", affected_platforms=None)