General

TEMPLATE ocil_clause_entry_sshd_option

An OCIL clause for an sshd option

ocil_clause_entry_sshd_option()

TEMPLATE openshift_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. This is used by the Compliance Operator to automatically figure out what resources to fetch.

Parameters
  • endpoint (str/list) – The Kubernetes object path(s) to fetch

openshift_cluster_setting(endpoint)

TEMPLATE openshift_filtered_cluster_setting

Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive is a filter expression for the jq command ( https://stedolan.github.io/jq/manual/ ).

Parameters
  • path_filter_pairs (list) – Kubernetes object path/filter directive pairs

  • varargs – A list of path_filter_pairs (in case repeated paths need to be used)

openshift_filtered_cluster_setting(path_filter_pairs)

TEMPLATE openshift_filtered_path

Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique identifier in such a way that it won’t conflict with unfiltered resources.

Parameters
  • path (str) – The Kubernetes object path to fetch

  • filter (str) – A filtering directive

openshift_filtered_path(path, filter)

TEMPLATE ocil_oc_pipe_jq_filter

Macro that creates a check from oc output.

ocil_oc_pipe_jq_filter(object, jqfilter, namespace=none, all_namespaces=false)

TEMPLATE ocil_sshd_option

OCIL for an sshd option.

Example usage:

ocil_sshd_option(default="no", option="Banner", value="/etc/issue")

Parameters
  • default (str) – If set to yes, the default value is accepted

  • option (str) – The sshd option to configure

  • value (str) – The value for the given option

ocil_sshd_option(default, option, value)

TEMPLATE complete_ocil_entry_sshd_option

OCIL and OCIL clause for an sshd option.

Example usage:

complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue")

Parameters
  • default (str) – If set to yes, the default value is accepted

  • option (str) – The sshd option to configure

  • value (str) – The value for the given option

complete_ocil_entry_sshd_option(default, option, value)

TEMPLATE ocil_mount_option

The OCIL text for mount options.

Parameters
  • point (str) – The mount point to check

  • option (str) – The options the mount point should have

ocil_mount_option(point, option)

TEMPLATE ocil_clause_entry_mount_option

The OCIL clause for mount options.

Parameters
  • point (str) – The mount point to check

  • option (str) – The options the mount point should have

ocil_clause_entry_mount_option(point, option)

TEMPLATE sub_var_value

Calls the xccdf_value macro under the hood.

Parameters
  • varname (str) – The name of the variable to reference

sub_var_value(varname)

TEMPLATE xccdf_value

Create an XCCDF <sub> element.

Parameters
  • varname (str) – The name of the variable to reference

xccdf_value(varname)

TEMPLATE complete_ocil_entry_mount_option

The OCIL and OCIL clause for mount options.

Parameters
  • point (str) – The mount point to check

  • option (str) – The options the mount point should have

complete_ocil_entry_mount_option(point, option)

TEMPLATE describe_iptables_block

Describe an iptables block

Parameters
  • proto (str) – protocol to block

  • port (int) – port to block

describe_iptables_block(proto, port)

TEMPLATE describe_iptables_allow

Describe an iptables allow

Parameters
  • proto (str) – protocol to allow

  • port (int) – port to allow

describe_iptables_allow(proto, port)

TEMPLATE partition_check

Describe how to check if a given path is on its own partition or logical volume.

Parameters
  • part (str) – Path to check

partition_check(part)

TEMPLATE complete_ocil_entry_separate_partition

OCIL for how to check if a given path is on its own partition or logical volume, and the correct OCIL clause.

Parameters
  • part (str) – Path to check

complete_ocil_entry_separate_partition(part)

TEMPLATE ocil_audit_syscall

OCIL for adding a syscall to audit logs

Parameters
  • syscall (str) – The syscall to audit

ocil_audit_syscall(syscall)

TEMPLATE ocil_clause_entry_audit_syscall

OCIL clause for adding a syscall to audit logs

ocil_clause_entry_audit_syscall()

TEMPLATE complete_ocil_entry_audit_syscall

OCIL and OCIL clause for adding a syscall to audit logs

Parameters
  • syscall (str) – The syscall to audit

complete_ocil_entry_audit_syscall(syscall)

TEMPLATE ocil_audit_successful_syscall

OCIL for adding a successful syscall to audit logs

Parameters
  • syscall (str) – The syscall to audit

ocil_audit_successful_syscall(syscall)

TEMPLATE complete_ocil_entry_audit_successful_syscall

OCIL and OCIL clause for adding a successful syscall to audit logs

Parameters
  • syscall (str) – The syscall to audit

complete_ocil_entry_audit_successful_syscall(syscall)

TEMPLATE ocil_firewalld_allow_access

OCIL for allowing a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters
  • port (int) – The port to allow

  • proto (str) – The protocol to allow

  • service (str) – The service to allow

ocil_firewalld_allow_access(port, proto, service)

TEMPLATE ocil_firewalld_prevent_access

OCIL for preventing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters
  • port (int) – The port to prevent access to

  • proto (str) – The protocol to prevent access to

  • service (str) – The service to prevent access to

ocil_firewalld_prevent_access(port, proto, service)

TEMPLATE describe_firewalld_prevent

Describe preventing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters
  • port (int) – The port to prevent access to

  • proto (str) – The protocol to prevent access to

  • service (str) – The service to prevent access to

describe_firewalld_prevent(port, proto, service)

TEMPLATE describe_firewalld_allow

Describe allowing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.

Parameters
  • port (int) – The port to allow

  • proto (str) – The protocol to allow

  • service (str) – The service to allow

describe_firewalld_allow(port, proto, service)

TEMPLATE ocil_auditctl_syscall

OCIL to see if the system is configured to audit calls to a given syscall.

Parameters
  • syscall (str) – The syscall to audit

ocil_auditctl_syscall(syscall)

TEMPLATE ocil_module_disable

OCIL for disabling a kernel module.

Parameters
  • module (str) – The module to disable.

ocil_module_disable(module)

TEMPLATE complete_ocil_entry_module_disable

OCIL and OCIL clause for disabling a kernel module.

Parameters
  • module (str) – The module to disable.

complete_ocil_entry_module_disable(module)

TEMPLATE describe_module_disable

Description for how to check for a disabled kernel module.

Parameters
  • module (str) – The module to disable.

describe_module_disable(module)

TEMPLATE xinetd_disabled_check_with_systemd

Describe how to check if a service is disabled in the system boot configuration with xinetd.

Parameters
  • service (str) – service to disable

xinetd_disabled_check_with_systemd(service)

TEMPLATE socket_disabled_check_with_systemd

Describe how to check if a socket is disabled with systemd.

Parameters
  • socket (str) – The socket to check

socket_disabled_check_with_systemd(socket)

TEMPLATE systemd_complete_ocil_entry_socket_and_service_disabled

OCIL and OCIL clause for ensuring a socket is disabled in systemd and xinetd.

Parameters
  • name (str) – The socket to check

systemd_complete_ocil_entry_socket_and_service_disabled(name)

TEMPLATE upstart_complete_ocil_entry_socket_and_service_disabled

OCIL and OCIL clause for ensuring a socket is disabled in systemd.

Parameters
  • name (str) – The socket to check

upstart_complete_ocil_entry_socket_and_service_disabled(name)

TEMPLATE rpm_ocil_package

Describe how to check if a package is installed with rpm.

Parameters
  • package (str) – The package to check

rpm_ocil_package(package)

TEMPLATE dpkg_ocil_package

Describe how to check if a package is installed with dpkg.

Parameters
  • package (str) – The package to check

dpkg_ocil_package(package)

TEMPLATE rpm_complete_ocil_entry_package

OCIL and OCIL clause for how to check if a package is installed with rpm.

Parameters
  • package (str) – The package to check

rpm_complete_ocil_entry_package(package)

TEMPLATE dpkg_complete_ocil_entry_package

OCIL and OCIL clause for how to check if a package is installed with dpkg.

Parameters
  • package (str) – The package to check

dpkg_complete_ocil_entry_package(package)

TEMPLATE ocil_xinetd_service_disabled

Describe how to check if a service is disabled via chkconfig.

Parameters
  • service (str) – The service to check

ocil_xinetd_service_disabled(service)

TEMPLATE systemd_ocil_service_disabled

Describe how to check if a service is disabled via systemd.

Parameters
  • service (str) – The service to check

systemd_ocil_service_disabled(service)

TEMPLATE systemd_ocil_service_enabled

Describe how to check if a service is enabled via systemd.

Parameters
  • service (str) – The service to check

systemd_ocil_service_enabled(service)

TEMPLATE upstart_ocil_service_disabled

Describe how to check if a service is disabled via upstart.

Parameters
  • service (str) – The service to check

upstart_ocil_service_disabled(service)

TEMPLATE upstart_ocil_service_enabled

Describe how to check if a service is enabled via upstart.

Parameters
  • service (str) – The service to check

upstart_ocil_service_enabled(service)

TEMPLATE systemd_describe_socket_disable

Describe how to disable a socket in systemd.

Parameters
  • socket (str) – The socket to check

systemd_describe_socket_disable(socket)

TEMPLATE systemd_describe_socket_enable

Describe how to enable a socket in systemd.

Parameters
  • socket (str) – The socket to check

systemd_describe_socket_enable(socket)

TEMPLATE systemd_describe_service_disable

Describe how to disable a service in systemd.

Parameters
  • service (str) – The service to check

systemd_describe_service_disable(service)

TEMPLATE systemd_describe_service_enable

Describe how to enable a service in systemd.

Parameters
  • service (str) – The service to check

systemd_describe_service_enable(service)

TEMPLATE upstart_describe_service_disable

Describe how to disable a service in upstart.

Parameters
  • service (str) – The service to check

upstart_describe_service_disable(service)

TEMPLATE upstart_describe_service_enable

Describe how to enable a service in upstart.

Parameters
  • service (str) – The service to check

upstart_describe_service_enable(service)

TEMPLATE systemd_ocil_timer_enabled

Describe how to check if a timer is enabled in systemd.

Parameters
  • timer (str) – The timer to check

systemd_ocil_timer_enabled(timer)

TEMPLATE describe_sebool_check_disabled

Describe how to check if a given SELinux boolean is disabled.

Parameters
  • sebool (str) – The SELinux boolean to check

describe_sebool_check_disabled(sebool)

TEMPLATE complete_ocil_entry_sebool_disabled

OCIL and OCIL clause for how to check if a given SELinux boolean is disabled.

Parameters
  • sebool (str) – The SELinux boolean to check

complete_ocil_entry_sebool_disabled(sebool)

TEMPLATE describe_sebool_check_enabled

Describe how to check if a given SELinux boolean is enabled.

Parameters
  • sebool (str) – The SELinux boolean to check

describe_sebool_check_enabled(sebool)

TEMPLATE complete_ocil_entry_sebool_enabled

OCIL and OCIL clause for how to check if a given SELinux boolean is enabled.

Parameters
  • sebool (str) – The SELinux boolean to check

complete_ocil_entry_sebool_enabled(sebool)

TEMPLATE describe_sebool_disable

Describe how to disable an SELinux boolean.

Parameters
  • sebool (str) – The SELinux boolean to disable

describe_sebool_disable(sebool)

TEMPLATE describe_sebool_enable

Describe how to enable an SELinux boolean.

Parameters
  • sebool (str) – The SELinux boolean to enable

describe_sebool_enable(sebool)

TEMPLATE apt_get_package_install

Show how to install a package with apt-get.

Example output:

apt-get install package

Parameters
  • package (str) – Package to install

apt_get_package_install(package)

TEMPLATE apt_get_package_remove

Show how to remove a package with apt-get.

Example output:

$ apt-get remove package

Parameters
  • package (str) – Package to remove

apt_get_package_remove(package)

TEMPLATE dnf_package_install

Show how to install a package with dnf.

Example output:

$ sudo dnf install package

Parameters
  • package (str) – Package to install

dnf_package_install(package)

TEMPLATE dnf_package_remove

Show how to remove a package with dnf.

Example output:

$ sudo dnf erase remove package

Parameters
  • package (str) – Package to remove

dnf_package_remove(package)

TEMPLATE yum_package_install

Show how to install a package with yum.

Example output:

$ sudo yum install package

Parameters
  • package (str) – Package to install

yum_package_install(package)

TEMPLATE yum_package_remove

Show how to remove a package with yum.

Example output:

$ sudo yum erase package

Parameters
  • package (str) – Package to remove

yum_package_remove(package)

TEMPLATE zypper_package_install

Show how to install a package with zypper.

Example output:

$ sudo zypper install package

Parameters
  • package (str) – Package to install

zypper_package_install(package)

TEMPLATE zypper_package_remove

Show how to remove a package with zypper.

Example output:

$ sudo zypper remove package

Parameters
  • package (str) – Package to remove

zypper_package_remove(package)

TEMPLATE describe_file_permissions

Describe how to set the permissions on a file.

Parameters
  • file (str) – File to change

  • perms (str) – The permissions for the file

describe_file_permissions(file, perms)

TEMPLATE describe_file_owner

Describe how to set the file owner of a file.

Parameters
  • file (str) – File to change

  • owner (str) – the owner for the file

describe_file_owner(file, owner)

TEMPLATE describe_file_group_owner

Describe how to set the file group owner of a file.

Parameters
  • file (str) – File to change

  • group (str) – The group owner for the file

describe_file_group_owner(file, group)

TEMPLATE ocil_file_permissions

OCIL for how to check the permissions on a file.

Parameters
  • file (str) – File to check

  • perms (str) – The permissions for the file

ocil_file_permissions(file, perms)

TEMPLATE ocil_file_owner

OCIL for how to check the file owner of a file.

Parameters
  • file (str) – File to check

  • owner (str) – The owner for the file

ocil_file_owner(file, owner)

TEMPLATE ocil_file_group_owner

OCIL for how to check the file group owner of a file.

Parameters
  • file (str) – File to check

  • group (str) – The group owner for the file

ocil_file_group_owner(file, group)

TEMPLATE ocil_clause_file_permissions

OCIL clause for file permissions.

Parameters
  • file (str) – File to check

  • perms (str) – The permissions for the file

ocil_clause_file_permissions(file, perms)

TEMPLATE ocil_clause_file_owner

OCIL clause for file owner.

Parameters
  • file (str) – File to check

  • owner (str) – The owner for the file

ocil_clause_file_owner(file, owner)

TEMPLATE ocil_clause_file_group_owner

OCIL clause for file group owner.

Parameters
  • file (str) – File to check

  • group (str) – The group owner for the file

ocil_clause_file_group_owner(file, group)

TEMPLATE check_file_permissions

How to check a file for the correct permissions.

Parameters
  • file (str) – File to check

  • perms (str) – The permissions for the file

check_file_permissions(file, perms)

TEMPLATE describe_mount

How to add mount options to /etc/fstab.

Parameters
  • option (str) – The option to add to the partition

  • part (str) – The partition

describe_mount(option, part)

TEMPLATE partition_description

Describe why a separate partition is needed.

Parameters
  • part (str) – The partition

partition_description(part)

TEMPLATE ocil_sysctl_option_value

OCIL for a sysctl option

Parameters
  • sysctl (str) – The kernel parameter to change

  • value (str) – The value to be set

ocil_sysctl_option_value(sysctl, value)

TEMPLATE complete_ocil_entry_sysctl_option_value

OCIL and OCIL clause for a sysctl option

Parameters
  • sysctl (str) – The kernel parameter to change

  • value (str) – The value to be set

complete_ocil_entry_sysctl_option_value(sysctl, value)

TEMPLATE describe_sysctl_option_value

Describe how to set a sysctl kernel parameter.

Parameters
  • sysctl (str) – The kernel parameter to change

  • value (str) – The value to be set

describe_sysctl_option_value(sysctl, value)

TEMPLATE weblink

Creates an HTML <a> element for the given link and text. If no text is given, the link itself is used as the text.

Parameters
  • link (str) – The url the link should have

  • text (str) – Optional, text for the link

weblink(link, text=none)

TEMPLATE body_of_warning_about_dependent_rule

A warning about rule depending on another.

Parameters
  • rule_id (str) – Rule id of the rule that must be selected.

  • why (str) – The reasoning for the dependency. Should fit into this part of the sentence “make sure that rule with ID is selected as well:”.

body_of_warning_about_dependent_rule(rule_id, why)

TEMPLATE openssl_strong_entropy_config_file

An openssl config file with strong entropy.

openssl_strong_entropy_config_file()

TEMPLATE machineconfig_description_footer

A note that an item needs to be done for each MachineConfigPool.

machineconfig_description_footer()

TEMPLATE rhcos_node_login_instructions

How to log in to a Red Hat CoreOS Node

rhcos_node_login_instructions()

TEMPLATE fix_audit_file_watch_rule

How to fix an audit rule that watches a file.

Parameters
  • path (str) – Full path of file to watch

  • key (str) – Auditd key for the system

  • rule_path (str) – Full path to where the rule wil

fix_audit_file_watch_rule(path, key, rule_path)

TEMPLATE ovirt_rule_notapplicable_warning

Adds a boilerplate warning with a justification why a rule is disabled on RHV. Note: This is only applied on RHEL8 content.

Parameters
  • rationale – Explanation why RHV needs the rule disabled.

ovirt_rule_notapplicable_warning(rationale)

TEMPLATE rule_notapplicable_when_ovirt_installed

Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.

rule_notapplicable_when_ovirt_installed()