OVAL
- TEMPLATE oval_check_config_file
High level macro which checks if a particular combination of parameter and value in a configuration file is set.
- Parameters
path (str) – Path to the configuration file to be checked.
prefix_regex (str) – Regular expression to be used in the beginning of the OVAL text file content check.
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
separator_regex (str) – Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
missing_parameter_pass (boolean) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
multi_value (boolean) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (boolean) – If set, the check will fail if the configuration file does not exist on the system.
section (str) – If set, the parameter will be checked only within the given section defined by [section].
quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
oval_check_config_file(path='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='')
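As an added illustration (not code from the ComplianceAsCode project), the following Python emulates the matching rules documented above for oval_check_config_file against constructed sample files; the real macro emits OVAL XML that a SCAP scanner evaluates, and the regex assembly, the "every matching line must satisfy the state" semantics and the multi_value item splitting are assumptions made for this demo.

```python
import re

# Hypothetical emulation of the documented oval_check_config_file rules.
# Assumptions (not taken from the macro source): `parameter` is matched
# literally, every uncommented line setting the parameter must satisfy
# the value check, and multi_value lists are split on spaces and commas.

def check_config_file(lines, parameter, value, prefix_regex=r"^[ \t]*",
                      separator_regex=r"[ \t]+", missing_parameter_pass=False,
                      multi_value=False, section="", quotes=""):
    """Return True when the configuration lines satisfy the check."""
    # Object side: collect the right-hand side of each line that sets
    # `parameter`. A commented "# Parameter value" line fails prefix_regex,
    # so a default that is only documented in a comment never counts.
    obj_re = re.compile(prefix_regex + re.escape(parameter)
                        + separator_regex + r"(.*?)[ \t]*$")
    in_scope = not section          # no section given: whole file in scope
    found = []
    for line in lines:
        sec = re.match(r"^[ \t]*\[([^\]]*)\][ \t]*$", line)
        if sec:
            in_scope = not section or sec.group(1) == section
            continue
        m = obj_re.match(line)
        if in_scope and m:
            found.append(m.group(1))
    if not found:
        # Parameter absent: only acceptable when the built-in default is safe.
        return missing_parameter_pass
    # State side: one level of matching quotes, so quotes="'\"" accepts
    # value, 'value' and "value" but rejects 'value" and '"value"'.
    q = f"([{re.escape(quotes)}]?)" if quotes else "()"
    state_re = re.compile(rf"^{q}(?:{value})\1$")   # value is itself a regex

    def holds(rhs):
        items = re.split(r"[ \t,]+", rhs) if multi_value else [rhs]
        return any(state_re.match(item) for item in items)

    return all(holds(rhs) for rhs in found)


# Constructed sample configurations for the demo.
SSHD = ["# PermitRootLogin yes", "PermitRootLogin no",
        "Ciphers aes256-ctr,aes192-ctr"]
SHELL = ["TMOUT='600'", "export TMOUT"]
INI = ["[main]", "foo=1", "[other]", "foo=2"]

if __name__ == "__main__":
    print(check_config_file(SSHD, "PermitRootLogin", "no"))
    print(check_config_file(SSHD, "Ciphers", "aes256-ctr", multi_value=True))
    print(check_config_file(SHELL, "TMOUT", "600", separator_regex="=",
                            quotes="'\""))
```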
- TEMPLATE oval_line_in_file_criterion
Macro to define the criterion of the OVAL check (Criterion definition).
- Parameters
path (str) – Path to the configuration file to be checked.
parameter (str) – The parameter to be checked in the configuration file.
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.
oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='')
- TEMPLATE oval_line_in_file_test
Macro to define the OVAL test to be constructed (Test definition).
- Parameters
path (str) – Path to the configuration file to be checked.
parameter (str) – The parameter to be checked in the configuration file.
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.
oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='')
- TEMPLATE oval_line_in_file_object
Macro to check if a parameter in a configuration file is set (Object definition).
- Parameters
path_or_filepath (str) – Either filepath to the configuration file to be checked, or if filename_regex is specified, path to the directory where filenames are matched against it.
section (str) – If set, the parameter will be checked only within the given section defined by [section].
prefix_regex (str) – Regular expression to be used in the beginning of the OVAL text file content check.
parameter (str) – The parameter to be checked in the configuration file.
separator_regex (str) – Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
filename_regex (str) – If specified, the first argument is interpreted as path, and this will serve as filename regex.
id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.
oval_line_in_file_object(path_or_filepath='', section='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', missing_parameter_pass=false, multi_value=false, filename_regex='', id_stem='')
- TEMPLATE oval_line_in_file_state
Macro to check if an expected value can be found in the extracted information of an OVAL object (State definition).
- Parameters
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\"", which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.
oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='')
- TEMPLATE oval_config_file_exists_criterion
Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition).
- Parameters
path (str) – Path to the configuration file to be checked.
oval_config_file_exists_criterion(path='')
- TEMPLATE oval_config_file_exists_test
Macro to define the OVAL test to check if the configuration file exists (Test definition).
- Parameters
path (str) – Path to the configuration file to be checked.
oval_config_file_exists_test(path='')
- TEMPLATE oval_file_absent_criterion
Macro to define the OVAL criterion that requires a file not to exist. The id of the test name will be test_<id>.
- Parameters
filepath (str) – Path to the file to be checked.
oval_file_absent_criterion(filepath)
- TEMPLATE oval_file_absent
Macro to define the OVAL test that checks the file does not exist (Test definition).
- Parameters
filepath_regex (str) – Regex to the filepath to be checked, will be prefixed by ^.
oval_file_absent(filepath_regex)
- TEMPLATE oval_config_file_exists_object
Macro to define the OVAL object to check if the configuration file exists (Object definition).
- Parameters
filepath_regex (str) – Regex to the filepath to be checked, will be prefixed by ^.
oval_config_file_exists_object(filepath_regex='')
- TEMPLATE oval_argument_value_in_line_criterion
Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition).
- Parameters
filepath (str) – Path to the file to be checked.
name (str) – Argument name
value (str) – Argument value (Optional)
application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
negate (bool) – Whether to negate this criterion or not
oval_argument_value_in_line_criterion(filepath, name, value='', application='', negate=False)
- TEMPLATE oval_argument_value_in_line_test
Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition).
- Parameters
filepath (str) – Path to the configuration file to be checked. The operation is "pattern match".
name (str) – Argument name
value (str) – Argument value (Optional)
line_prefix (str) – The starting part of the line with the list of arguments, default is empty
line_suffix (str) – The ending part of the line with the list of arguments, default is empty
is_regex (bool) – Defines whether the given name or value is a regex
oval_argument_value_in_line_test(filepath, name, value, line_prefix='', line_suffix='', is_regex=False)
- TEMPLATE oval_argument_value_in_line
High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value.
- Parameters
filepath (str) – Path to the configuration file to be checked.
name (str) – Argument name
value (str) – Argument value
line_prefix (str) – The starting part of the line with the list of arguments, default is empty
line_suffix (str) – The ending part of the line with the list of arguments, default is empty
oval_argument_value_in_line(filepath, name, value, line_prefix='', line_suffix='')
- TEMPLATE oval_sshd_config
High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. A case-insensitive comparison is used for the parameter prefix because sshd_config has case-insensitive parameters (but case-sensitive values).
- Parameters
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn't exist in the system.
oval_sshd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_check_shell_file
High level macro to check if a particular shell variable is set.
- Parameters
path (str) – Path to the file.
parameter (str) – The shell variable name.
value (str) – The variable value WITHOUT QUOTES.
application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
no_quotes (bool) – If set, the check will require that the RHS of the assignment is the literal value, without quotes. If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn't exist in the system.
oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_auditd_config
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
- Parameters
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn't exist in the system.
oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_coredump_config_set
High level macro to check that a parameter is set in /etc/systemd/coredump.conf.
- Parameters
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.
oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)
- TEMPLATE oval_grub_config
High level macro to check if a particular combination of parameter and value in the grub configuration file is set.
- Parameters
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.
oval_grub_config(parameter='', value='', missing_parameter_pass=false, multi_value=true, missing_config_file_fail=false)
- TEMPLATE application_not_required_or_requirement_unset
Macro scheduled for removal. Kept to prevent regressions in sshd configuration rules.
application_not_required_or_requirement_unset()
- TEMPLATE application_required_or_requirement_unset
Macro scheduled for removal. Kept to prevent regressions in sshd configuration rules.
application_required_or_requirement_unset()
- TEMPLATE oval_check_ini_file
High level macro which checks configuration in an INI file.
- Parameters
path (str) – Path to the configuration file to be checked.
section (str) – The parameter will be checked only within the given section defined by [section].
parameter (str) – The parameter to be checked in the configuration file.
value (str) – The value to be checked. This can also be a regular expression (e.g. value1|value2 matches either value).
missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.
multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.
oval_check_ini_file(path='', section='', parameter='', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=true)
- TEMPLATE oval_test_package_removed
Creates an OVAL test with the given test_id which checks that the package is not installed.
- Parameters
package (str) – Name of the package to be removed
test_id (str) – Suffix of the Ids in test, obj, and state elements
oval_test_package_removed(package='', test_id='')
- TEMPLATE oval_test_package_installed
Creates an OVAL test with the given test_id which checks that the package is installed. Optionally, it can check that a package of a given version (EVR) or newer is present.
- Parameters
package (str) – Name of the package to be installed
evr (str) – Optional, the minimum version (EVR) to check for; that version or newer satisfies the test
test_id (str) – Suffix of the Ids in test, obj, and state elements
oval_test_package_installed(package='', evr='', test_id='')
- TEMPLATE oval_ocp_service_runtime_config
Macro which generates OVAL test for OpenShift Container Platform runtime process configuration.
- Parameters
command (str) – command that executes the OpenShift process
option (str) – command line option of the command
value (str) – value of the option
option_id (str) – used to build the OVAL test ID. The OVAL test ID is test_ocp_runtime_<option_id>.
oval_ocp_service_runtime_config(command='', option='', value='', option_id='')
- TEMPLATE oval_file_contents
Macro which generates OVAL definition, test and object that check for contents of the file.
- Parameters
filepath (str) – filepath of the file to check
filepath_id (str) – Suffix used to build the test ID, as in test_whole_file_contents_$filepath_id
contents (str) – contents that should be in the file
oval_file_contents(filepath='', filepath_id='', contents='')
- TEMPLATE oval_metadata
Macro which generates the OVAL metadata section
- Parameters
description (str) – The text to place in the description section
title (str) – Optional, the associated rule title is used by default
affected_platforms (str) – Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro under the hood by default.
oval_metadata(description, title="", affected_platforms=None)
- TEMPLATE oval_check_dconf_ini_file
Create a full OVAL check for dconf ini file.
- Parameters
path (str) – Path to the file
prefix_regex (str) – Defaults to ^\s*. What can prefix the parameter.
parameter (str) – What parameter to be set.
separator_regex (str) – Defaults to [ \t]*=[ \t]*. What is the separator between the parameter and value.
value (str) – What value to be set
application (str) – The application this applies to
quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\"", which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
lock_path (str) – Path to lock file
oval_check_dconf_ini_file(path='', prefix_regex='^\s*', parameter='', separator_regex='[ \t]*=[ \t]*', value='', application='', section='', quotes='', lock_path='')
- TEMPLATE sshd_oval_check
Create a full OVAL check for an sshd parameter and value.
- Parameters
parameter (str) – Parameter to check
value (str) – Value to check
missing_parameter_pass (bool) – If true, the check will also pass if the parameter is missing.
config_is_distributed (bool) – Whether the parameter lives in /etc/sshd_config.d rather than only in /etc/ssh/sshd_config
sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed)