General
- TEMPLATE ocil_clause_entry_sshd_option
An OCIL clause for an sshd option
ocil_clause_entry_sshd_option()
- TEMPLATE openshift_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. This is used by the Compliance Operator to automatically figure out what resources to fetch.
- Parameters
endpoint (str/list) – The Kubernetes object path(s) to fetch
openshift_cluster_setting(endpoint)
- TEMPLATE openshift_filtered_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ).
- Parameters
path_filter_pairs (list) – Kubernetes object path/filter directive pairs
varargs – A list of path_filter_pairs (in case repeated paths need to be used)
openshift_filtered_cluster_setting(path_filter_pairs)
- TEMPLATE openshift_filtered_path
Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique identifier in such a way that it won’t conflict with unfiltered resources
- Parameters
path (str) – The Kubernetes object path to fetch
filter (str) – A filtering directive
openshift_filtered_path(path, filter)
- TEMPLATE ocil_oc_pipe_jq_filter
Macro that creates a check from oc output piped through a jq filter.
ocil_oc_pipe_jq_filter(object, jqfilter, namespace=none, all_namespaces=false)
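Added example, not a rule from the project: a hypothetical rule.yml that wires the three OpenShift macros above together. The rule title, the API path and the jq filter are assumptions chosen for illustration; the Compliance Operator reads the generated warning to learn which resource to fetch, and the same filter drives the manual (OCIL) check so the automated and manual checks look at the same field.

```yaml
# Added example (not the project's own content). Rule title, API path and
# jq filter are assumptions; only the macro signatures come from the reference.
documentation_complete: true

title: 'Configure OAuth Access Token Max Age'

description: |-
    The cluster OAuth configuration should set a maximum age for issued
    access tokens in <tt>spec.tokenConfig.accessTokenMaxAgeSeconds</tt>.

rationale: |-
    Bounding the token lifetime limits the window in which a leaked
    access token remains usable.

severity: medium

{{# Define the filter once so the fetched resource (warning) and the
    manual check (ocil) cannot drift apart. #}}
{{% set jqfilter = '.spec.tokenConfig.accessTokenMaxAgeSeconds' %}}

warnings:
    - general: |-
        {{{ openshift_filtered_cluster_setting({'/apis/config.openshift.io/v1/oauths/cluster': jqfilter}) | indent(8) }}}

ocil_clause: 'accessTokenMaxAgeSeconds is not set'

ocil: |-
    {{{ ocil_oc_pipe_jq_filter(object='oauth/cluster', jqfilter=jqfilter) }}}
```

When the whole object is wanted rather than one field, use openshift_cluster_setting with the bare API path instead; openshift_filtered_path(path, filter) is what the filtered variant uses to derive a resource identifier that does not collide with an unfiltered fetch of the same path.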
- TEMPLATE ocil_sshd_option
OCIL for an sshd option.
Example usage:
ocil_sshd_option(default="no", option="Banner", value="/etc/issue")
- Parameters
default (str) – If set to yes the default value is accepted
option (str) – The sshd option to configure
value (str) – The value for the given option
ocil_sshd_option(default, option, value)
- TEMPLATE complete_ocil_entry_sshd_option
OCIL and OCIL clause for an sshd option.
Example usage:
complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue")
- Parameters
default (str) – If set to yes the default value is accepted
option (str) – The sshd option to configure
value (str) – The value for the given option
complete_ocil_entry_sshd_option(default, option, value)
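Added example, not a rule from the project: a hypothetical rule.yml showing where the sshd OCIL macros above are placed. The title and descriptive text are assumptions; the macro call matches the example usage documented above.

```yaml
# Added example (not the project's own rule). Title and prose are
# assumptions; the macro call follows the signature in this reference.
documentation_complete: true

title: 'Enable SSH Warning Banner'

description: |-
    To enable the warning banner, add or correct the following line in
    <tt>/etc/ssh/sshd_config</tt>:
    <pre>Banner /etc/issue</pre>

rationale: |-
    The warning message reinforces policy awareness during the logon
    process and facilitates possible legal action against attackers.

severity: medium

{{# complete_ocil_entry_sshd_option emits both the OCIL text and the
    OCIL clause (the ocil: and ocil_clause: keys), so the rule must not
    define those keys again. default="no" means a system that leaves
    Banner at its compiled-in default does not pass the manual check. #}}
{{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}}
```

When a rule needs custom wording around the check, use the two building blocks separately: ocil_sshd_option(...) under ocil: and ocil_clause_entry_sshd_option() under ocil_clause:. The same split applies to every other complete_ocil_entry_* macro on this page.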
- TEMPLATE ocil_mount_option
The OCIL text for mount options.
- Parameters
point (str) – The mount point to check
option (str) – The options the mount point should have
ocil_mount_option(point, option)
- TEMPLATE ocil_clause_entry_mount_option
The OCIL clause for mount options.
- Parameters
point (str) – The mount point to check
option (str) – The options the mount point should have
ocil_clause_entry_mount_option(point, option)
- TEMPLATE sub_var_value
Calls the xccdf_value macro under the hood.
- Parameters
varname (str) – The name of the variable to reference
sub_var_value(varname)
- TEMPLATE xccdf_value
Create an XCCDF <sub> element.
- Parameters
varname (str) – The name of the variable to reference
xccdf_value(varname)
- TEMPLATE complete_ocil_entry_mount_option
The OCIL and OCIL clause for mount options.
- Parameters
point (str) – The mount point to check
option (str) – The options the mount point should have
complete_ocil_entry_mount_option(point, option)
- TEMPLATE describe_iptables_block
Describe an iptables block
- Parameters
proto (str) – protocol to block
port (int) – port to block
describe_iptables_block(proto, port)
- TEMPLATE describe_iptables_allow
Describe an iptables allow
- Parameters
proto (str) – protocol to allow
port (int) – port to allow
describe_iptables_allow(proto, port)
- TEMPLATE partition_check
Describe how to check if given path is on its own partition or logical volume.
- Parameters
part (str) – Path to check
partition_check(part)
- TEMPLATE complete_ocil_entry_separate_partition
OCIL for how to check if given path is on its own partition or logical volume and the correct OCIL clause.
- Parameters
part (str) – Path to check
complete_ocil_entry_separate_partition(part)
- TEMPLATE ocil_audit_syscall
OCIL for adding a syscall to audit logs
- Parameters
syscall (str) – The syscall to audit
ocil_audit_syscall(syscall)
- TEMPLATE ocil_clause_entry_audit_syscall
OCIL clause for adding a syscall to audit logs
ocil_clause_entry_audit_syscall()
- TEMPLATE complete_ocil_entry_audit_syscall
OCIL and OCIL clause for adding a syscall to audit logs
- Parameters
syscall (str) – The syscall to audit
complete_ocil_entry_audit_syscall(syscall)
- TEMPLATE ocil_audit_successful_syscall
OCIL for adding a successful syscall to audit logs
- Parameters
syscall (str) – The syscall to audit
ocil_audit_successful_syscall(syscall)
- TEMPLATE complete_ocil_entry_audit_successful_syscall
OCIL and OCIL clause for adding a successful syscall to audit logs
- Parameters
syscall (str) – The syscall to audit
complete_ocil_entry_audit_successful_syscall(syscall)
- TEMPLATE ocil_firewalld_allow_access
OCIL for allowing a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters have no effect.
- Parameters
port (int) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
ocil_firewalld_allow_access(port, proto, service)
- TEMPLATE ocil_firewalld_prevent_access
OCIL for preventing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters have no effect.
- Parameters
port (int) – The port to block
proto (str) – The protocol to block
service (str) – The service to block
ocil_firewalld_prevent_access(port, proto, service)
- TEMPLATE describe_firewalld_prevent
Describe preventing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters have no effect.
- Parameters
port (int) – The port to block
proto (str) – The protocol to block
service (str) – The service to block
describe_firewalld_prevent(port, proto, service)
- TEMPLATE describe_firewalld_allow
Describe allowing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters have no effect.
- Parameters
port (int) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
describe_firewalld_allow(port, proto, service)
- TEMPLATE ocil_auditctl_syscall
OCIL to see if the system is configured to audit calls to given syscall.
- Parameters
syscall (str) – The syscall to audit
ocil_auditctl_syscall(syscall)
- TEMPLATE ocil_module_disable
OCIL for disabling a kernel module.
- Parameters
module (str) – The module to disable.
ocil_module_disable(module)
- TEMPLATE complete_ocil_entry_module_disable
OCIL and OCIL clause for disabling a kernel module.
- Parameters
module (str) – The module to disable.
complete_ocil_entry_module_disable(module)
- TEMPLATE describe_module_disable
Description for how to check for a disabled kernel module.
- Parameters
module (str) – The module to disable.
describe_module_disable(module)
- TEMPLATE xinetd_disabled_check_with_systemd
Describe how to check if a service is disabled in the system boot configuration with xinetd.
- Parameters
service (str) – service to disable
xinetd_disabled_check_with_systemd(service)
- TEMPLATE socket_disabled_check_with_systemd
Describe how to check if socket is disabled with systemd.
- Parameters
socket (str) – The socket to check
socket_disabled_check_with_systemd(socket)
- TEMPLATE systemd_complete_ocil_entry_socket_and_service_disabled
OCIL and OCIL clause to ensure a socket is disabled in systemd and xinetd.
- Parameters
name (str) – The socket to check
systemd_complete_ocil_entry_socket_and_service_disabled(name)
- TEMPLATE upstart_complete_ocil_entry_socket_and_service_disabled
OCIL and OCIL clause to ensure a socket is disabled in upstart.
- Parameters
name (str) – The socket to check
upstart_complete_ocil_entry_socket_and_service_disabled(name)
- TEMPLATE rpm_ocil_package
Describe how to check if a package is installed with rpm.
- Parameters
package (str) – The package to check
rpm_ocil_package(package)
- TEMPLATE dpkg_ocil_package
Describe how to check if a package is installed with dpkg.
- Parameters
package (str) – The package to check
dpkg_ocil_package(package)
- TEMPLATE rpm_complete_ocil_entry_package
OCIL and OCIL clause for how to check if a package is installed with rpm.
- Parameters
package (str) – The package to check
rpm_complete_ocil_entry_package(package)
- TEMPLATE dpkg_complete_ocil_entry_package
OCIL and OCIL clause for how to check if a package is installed with dpkg.
- Parameters
package (str) – The package to check
dpkg_complete_ocil_entry_package(package)
- TEMPLATE ocil_xinetd_service_disabled
Describe how to check if a service is disabled via chkconfig.
- Parameters
service (str) – The service to check
ocil_xinetd_service_disabled(service)
- TEMPLATE systemd_ocil_service_disabled
Describe how to check if a service is disabled via systemd.
- Parameters
service (str) – The service to check
systemd_ocil_service_disabled(service)
- TEMPLATE systemd_ocil_service_enabled
Describe how to check if a service is enabled via systemd.
- Parameters
service (str) – The service to check
systemd_ocil_service_enabled(service)
- TEMPLATE upstart_ocil_service_disabled
Describe how to check if a service is disabled via upstart.
- Parameters
service (str) – The service to check
upstart_ocil_service_disabled(service)
- TEMPLATE upstart_ocil_service_enabled
Describe how to check if a service is enabled via upstart.
- Parameters
service (str) – The service to check
upstart_ocil_service_enabled(service)
- TEMPLATE systemd_describe_socket_disable
Describe how to disable socket in systemd.
- Parameters
socket (str) – The socket to check
systemd_describe_socket_disable(socket)
- TEMPLATE systemd_describe_socket_enable
Describe how to enable a socket in systemd.
- Parameters
socket (str) – The socket to check
systemd_describe_socket_enable(socket)
- TEMPLATE systemd_describe_service_disable
Describe how to disable a service in systemd.
- Parameters
service (str) – The service to check
systemd_describe_service_disable(service)
- TEMPLATE systemd_describe_service_enable
Describe how to enable a service in systemd.
- Parameters
service (str) – The service to check
systemd_describe_service_enable(service)
- TEMPLATE upstart_describe_service_disable
Describe how to disable a service in upstart.
- Parameters
service (str) – The service to check
upstart_describe_service_disable(service)
- TEMPLATE upstart_describe_service_enable
Describe how to enable a service in upstart.
- Parameters
service (str) – The service to check
upstart_describe_service_enable(service)
- TEMPLATE systemd_ocil_timer_enabled
Describe how to check if a timer is enabled in systemd.
- Parameters
timer (str) – The timer to check
systemd_ocil_timer_enabled(timer)
- TEMPLATE describe_sebool_check_disabled
Describe how to check if given SELinux boolean is disabled.
- Parameters
sebool (str) – The SELinux boolean to check
describe_sebool_check_disabled(sebool)
- TEMPLATE complete_ocil_entry_sebool_disabled
OCIL and OCIL clause for how to check if given SELinux boolean is disabled.
- Parameters
sebool (str) – The SELinux boolean to check
complete_ocil_entry_sebool_disabled(sebool)
- TEMPLATE describe_sebool_check_enabled
Describe how to check if given SELinux boolean is enabled.
- Parameters
sebool (str) – The SELinux boolean to check
describe_sebool_check_enabled(sebool)
- TEMPLATE complete_ocil_entry_sebool_enabled
OCIL and OCIL clause for how to check if given SELinux boolean is enabled.
- Parameters
sebool (str) – The SELinux boolean to check
complete_ocil_entry_sebool_enabled(sebool)
- TEMPLATE describe_sebool_disable
Describe how to disable an SELinux boolean.
- Parameters
sebool (str) – The SELinux boolean to disable
describe_sebool_disable(sebool)
- TEMPLATE describe_sebool_enable
Describe how to enable an SELinux boolean.
- Parameters
sebool (str) – The SELinux boolean to enable
describe_sebool_enable(sebool)
- TEMPLATE apt_get_package_install
Show how to install a package with apt-get.
Example output:
apt-get install package
- Parameters
package (str) – Package to install
apt_get_package_install(package)
- TEMPLATE apt_get_package_remove
Show how to remove a package with apt-get.
Example output:
$ apt-get remove package
- Parameters
package (str) – Package to remove
apt_get_package_remove(package)
- TEMPLATE dnf_package_install
Show how to install a package with dnf.
Example output:
$ sudo dnf install package
- Parameters
package (str) – Package to install
dnf_package_install(package)
- TEMPLATE dnf_package_remove
Show how to remove a package with dnf.
Example output:
$ sudo dnf remove package
- Parameters
package (str) – Package to remove
dnf_package_remove(package)
- TEMPLATE yum_package_install
Show how to install a package with yum.
Example output:
$ sudo yum install package
- Parameters
package (str) – Package to install
yum_package_install(package)
- TEMPLATE yum_package_remove
Show how to remove a package with yum.
Example output:
$ sudo yum erase package
- Parameters
package (str) – Package to remove
yum_package_remove(package)
- TEMPLATE zypper_package_install
Show how to install a package with zypper.
Example output:
$ sudo zypper install package
- Parameters
package (str) – Package to install
zypper_package_install(package)
- TEMPLATE zypper_package_remove
Show how to remove a package with zypper.
Example output:
$ sudo zypper remove package
- Parameters
package (str) – Package to remove
zypper_package_remove(package)
- TEMPLATE describe_file_permissions
Describe how to set the permissions on a file.
- Parameters
file (str) – File to change
perms (str) – The permissions for the file
describe_file_permissions(file, perms)
- TEMPLATE describe_file_owner
Describe how to set the file owner of a file.
- Parameters
file (str) – File to change
owner (str) – the owner for the file
describe_file_owner(file, owner)
- TEMPLATE describe_file_group_owner
Describe how to set the file group owner of a file.
- Parameters
file (str) – File to change
group (str) – The group owner for the file
describe_file_group_owner(file, group)
- TEMPLATE ocil_file_permissions
OCIL for how to check the permissions on a file.
- Parameters
file (str) – File to check
perms (str) – The expected permissions for the file
ocil_file_permissions(file, perms)
- TEMPLATE ocil_file_owner
OCIL for how to check the owner of a file.
- Parameters
file (str) – File to check
owner (str) – The expected owner of the file
ocil_file_owner(file, owner)
- TEMPLATE ocil_file_group_owner
OCIL for how to check the group owner of a file.
- Parameters
file (str) – File to check
group (str) – The expected group owner of the file
ocil_file_group_owner(file, group)
- TEMPLATE ocil_clause_file_permissions
OCIL clause for file permissions
- Parameters
file (str) – File to check
perms (str) – The expected permissions for the file
ocil_clause_file_permissions(file, perms)
- TEMPLATE ocil_clause_file_owner
OCIL clause for file owner
- Parameters
file (str) – File to check
owner (str) – The expected owner of the file
ocil_clause_file_owner(file, owner)
- TEMPLATE ocil_clause_file_group_owner
OCIL clause for file group owner
- Parameters
file (str) – File to check
group (str) – The expected group owner of the file
ocil_clause_file_group_owner(file, group)
- TEMPLATE check_file_permissions
How to check a file for the correct permissions.
- Parameters
file (str) – File to check
perms (str) – The expected permissions for the file
check_file_permissions(file, perms)
- TEMPLATE describe_mount
How to add mount options to /etc/fstab.
- Parameters
option (str) – The option to add to the partition
part (str) – The partition
describe_mount(option, part)
- TEMPLATE partition_description
Describe why a separate partition is needed.
- Parameters
part (str) – The partition
partition_description(part)
- TEMPLATE ocil_sysctl_option_value
OCIL for a sysctl option
- Parameters
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
ocil_sysctl_option_value(sysctl, value)
- TEMPLATE complete_ocil_entry_sysctl_option_value
OCIL and OCIL clause for a sysctl option
- Parameters
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
complete_ocil_entry_sysctl_option_value(sysctl, value)
- TEMPLATE describe_sysctl_option_value
Describe how to set a sysctl kernel parameter.
- Parameters
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
describe_sysctl_option_value(sysctl, value)
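Added example, not a rule from the project: a hypothetical rule.yml that uses describe_sysctl_option_value in the description, complete_ocil_entry_sysctl_option_value for the manual check, and xccdf_value (documented earlier on this page) to pull the expected value from an XCCDF variable instead of hard-coding it. The rule title, rationale and the variable id sysctl_net_ipv4_tcp_syncookies_value are assumptions; the template/check sections that would normally accompany such a rule are omitted because they are outside this macro reference.

```yaml
# Added example (not the project's own rule). Title, rationale and the
# variable id are assumptions; the macro calls follow this reference.
documentation_complete: true

title: 'Enable Kernel Parameter to Use TCP Syncookies'

description: |-
    {{# xccdf_value expands to an XCCDF <sub> element, so the rendered
        description shows whatever value the selected profile assigns
        to the variable rather than a fixed literal. #}}
    {{{ describe_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value=xccdf_value("sysctl_net_ipv4_tcp_syncookies_value")) }}}

rationale: |-
    SYN cookies let the kernel keep accepting legitimate connections
    while its SYN backlog is exhausted by a SYN flood.

severity: medium

{{# Emits both ocil: and ocil_clause:, again substituting the variable
    so the manual check and the description never disagree. #}}
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value=xccdf_value("sysctl_net_ipv4_tcp_syncookies_value")) }}}
```

For a rule whose value is fixed, pass a literal such as value="1" to both macros instead; sub_var_value(varname) is an alias that calls xccdf_value under the hood and can be used interchangeably.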
- TEMPLATE weblink
Creates an HTML <a> element for the given link and text. If no text is given the link will be used as the text.
- Parameters
link (str) – The url the link should have
text (str) – Optional, text for the link
weblink(link, text=none)
- TEMPLATE body_of_warning_about_dependent_rule
A warning about rule depending on another.
- Parameters
rule_id (str) – Rule id of the rule that must be selected.
why (str) – The reasoning for the dependency. Should fit into this part of the sentence “make sure that rule with ID is selected as well:”.
body_of_warning_about_dependent_rule(rule_id, why)
- TEMPLATE openssl_strong_entropy_config_file
An openssl config file with strong entropy.
openssl_strong_entropy_config_file()
- TEMPLATE machineconfig_description_footer
A note that an item needs to be done for each MachineConfigPool.
machineconfig_description_footer()
- TEMPLATE rhcos_node_login_instructions
How to log in to a Red Hat CoreOS Node
rhcos_node_login_instructions()
- TEMPLATE fix_audit_file_watch_rule
How to fix an audit rule that watches a file.
- Parameters
path (str) – Full path of file to watch
key (str) – Auditd key for the system
rule_path (str) – Full path to where the rule wil
fix_audit_file_watch_rule(path, key, rule_path)
- TEMPLATE ovirt_rule_notapplicable_warning
Adds a boilerplate warning with a justification why a rule is disabled on RHV. Note: This is only applied on RHEL8 content.
- Parameters
rationale (str) – Explanation why RHV needs the rule disabled.
ovirt_rule_notapplicable_warning(rationale)
- TEMPLATE rule_notapplicable_when_ovirt_installed
Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.
rule_notapplicable_when_ovirt_installed()