OVAL

TEMPLATE oval_check_config_file

High level macro which checks if a particular combination of parameter and value in a configuration file is set.

Parameters
  • path (str) – Path to the configuration file to be checked.

  • prefix_regex (str) – Regular expression to be used in the beginning of the OVAL text file content check.

  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • separator_regex (str) – Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.

  • missing_parameter_pass (boolean) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • multi_value (boolean) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (boolean) – If set, the check will fail if the configuration file does not exist on the system.

  • section (str) – If set, the parameter will be checked only within the given section defined by [section].

  • quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.

oval_check_config_file(path='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='')

TEMPLATE oval_line_in_file_criterion

Macro to define the criterion of the OVAL check (Criterion definition).

Parameters
  • path (str) – Path to the configuration file to be checked.

  • parameter (str) – The parameter to be checked in the configuration file.

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.

oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='')

TEMPLATE oval_line_in_file_test

Macro to define the OVAL test to be constructed (Test definition).

Parameters
  • path (str) – Path to the configuration file to be checked.

  • parameter (str) – The parameter to be checked in the configuration file.

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.

oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='')

TEMPLATE oval_line_in_file_object

Macro to check if a parameter in a configuration file is set (Object definition).

Parameters
  • path_or_filepath (str) – Either filepath to the configuration file to be checked, or if filename_regex is specified, path to the directory where filenames are matched against it.

  • section (str) – If set, the parameter will be checked only within the given section defined by [section].

  • prefix_regex (str) – Regular expression to be used in the beginning of the OVAL text file content check.

  • parameter (str) – The parameter to be checked in the configuration file.

  • separator_regex (str) – Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • filename_regex (str) – If specified, the first argument is interpreted as path, and this will serve as filename regex.

  • id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.

oval_line_in_file_object(path_or_filepath='', section='', prefix_regex='^[ \t]*', parameter='', separator_regex='[ \t]+', missing_parameter_pass=false, multi_value=false, filename_regex='', id_stem='')

TEMPLATE oval_line_in_file_state

Macro to check if an expected value can be found in the information extracted by an OVAL object (State definition).

Parameters
  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, pass a quotes string containing both the single-quote and the double-quote character, which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.

  • id_stem (str) – The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID.

oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='')
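The matching rules spread over oval_check_config_file and the oval_line_in_file_* templates (prefix_regex, separator_regex, a regular-expression value, multi_value, section, quotes, missing_parameter_pass and missing_config_file_fail) are easier to reason about against concrete file contents. The Python below is an added example that models those documented semantics on constructed sshd-, shell- and INI-style inputs; it is not the project's macro code, emits no OVAL, and the regular expression the macros actually generate may differ. It assumes the parameter name is matched literally, that multi-value lists are separated by commas or whitespace, and that a file passed as None stands for a configuration file absent from the system. The ignore_parameter_case switch models the case-insensitive parameter comparison that oval_sshd_config describes.

```python
import re

# Added example: a Python model of the line-in-file matching documented for
# oval_check_config_file, oval_line_in_file_object and oval_line_in_file_state.
# Not the project's macro code and emits no OVAL; the generated regex may differ.
# Assumptions: parameter names match literally, multi-value lists are separated by
# commas or whitespace, and content=None stands for a missing configuration file.

SECTION_HEADER = re.compile(r"^[ \t]*\[([^\]]+)\][ \t]*$")


def lines_in_section(content, section=""):
    """Yield the lines of `content` under `[section]`; all lines when section is empty."""
    current = None
    for line in content.splitlines():
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if not section or current == section:
            yield line


def parameter_regex(parameter, ignore_parameter_case=False):
    """Regex fragment for the parameter name (optionally case-insensitive, as for sshd)."""
    escaped = re.escape(parameter)
    return f"(?i:{escaped})" if ignore_parameter_case else escaped


def build_line_pattern(parameter, value, prefix_regex=r"^[ \t]*", separator_regex=r"[ \t]+",
                       multi_value=False, quotes="", ignore_parameter_case=False):
    """Compile a regex matching one line that sets `parameter` to `value`.

    `value` is itself a regex (e.g. "yes|no"). With `quotes`, one level of matching
    quotes around the value is accepted ('v' or "v", but not 'v"). With `multi_value`,
    the value only has to be one item of a comma- or whitespace-separated list.
    """
    value_part = f"(?:{value})"
    if quotes:
        quote_class = "".join(re.escape(c) for c in quotes)
        # the opening quote (or none) is captured and must be repeated after the value
        value_part = f"(?P<q>[{quote_class}]?){value_part}(?P=q)"
    if multi_value:
        value_part = rf"(?:.*[ \t,])?{value_part}(?:[ \t,].*)?"
    param = parameter_regex(parameter, ignore_parameter_case)
    return re.compile(rf"{prefix_regex}{param}{separator_regex}{value_part}[ \t]*$")


def check_config(content, parameter, value, *, prefix_regex=r"^[ \t]*",
                 separator_regex=r"[ \t]+", multi_value=False, quotes="", section="",
                 missing_parameter_pass=False, missing_config_file_fail=False,
                 ignore_parameter_case=False):
    """Return True when the documented check would pass for the given file contents."""
    if content is None:                      # the configuration file does not exist
        return not missing_config_file_fail
    lines = list(lines_in_section(content, section))
    line_re = build_line_pattern(parameter, value, prefix_regex, separator_regex,
                                 multi_value, quotes, ignore_parameter_case)
    if any(line_re.search(line) for line in lines):
        return True
    # no line carries the expected value: pass only if the parameter is absent
    # altogether, so that the application's default is in effect
    present_re = re.compile(prefix_regex + parameter_regex(parameter, ignore_parameter_case)
                            + separator_regex)
    return missing_parameter_pass and not any(present_re.search(line) for line in lines)


# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD = """\
# constructed sshd_config excerpt
#PermitRootLogin yes
PermitRootLogin no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""

SAMPLE_SHELL = """\
# constructed shell-style file
UMASK="027"
TMOUT='600'
BROKEN='300"
"""

SAMPLE_INI = """\
[main]
enabled = 1
[other]
enabled=0
"""
```

Calling check_config(SAMPLE_SSHD, "Ciphers", "chacha20-poly1305@openssh.com", multi_value=True) passes while the same call without multi_value fails, because without it the whole value after the separator has to match; check_config(SAMPLE_SHELL, "BROKEN", "300", separator_regex="=", quotes="'\"") fails because the quotes around the value do not match, exactly the case the quotes parameter is documented to reject.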

TEMPLATE oval_config_file_exists_criterion

Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition).

Parameters
  • path (str) – Path to the configuration file to be checked.

oval_config_file_exists_criterion(path='')

TEMPLATE oval_config_file_exists_test

Macro to define the OVAL test to check if the configuration file exists (Test definition).

Parameters
  • path (str) – Path to the configuration file to be checked.

oval_config_file_exists_test(path='')

TEMPLATE oval_file_absent_criterion

Macro to define the OVAL criterion that requires a file not to exist. The id of the test name will be test_<id>.

Parameters
  • filepath (str) – Path to the file to be checked.

oval_file_absent_criterion(filepath)

TEMPLATE oval_file_absent

Macro to define the OVAL test to check if the configuration file exists (Test definition).

Parameters
  • filepath_regex (str) – Regex to the filepath to be checked, will be prefixed by ^.

oval_file_absent(filepath_regex)

TEMPLATE oval_config_file_exists_object

Macro to define the OVAL object to check if the configuration file exists (Object definition).

Parameters
  • filepath_regex (str) – Regex to the filepath to be checked, will be prefixed by ^.

oval_config_file_exists_object(filepath_regex='')

TEMPLATE oval_argument_value_in_line_criterion

Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition).

Parameters
  • filepath (str) – Path to the file to be checked.

  • name (str) – Argument name

  • value (str) – Argument value (Optional)

  • application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • negate (bool) – Whether to negate this criterion or not

oval_argument_value_in_line_criterion(filepath, name, value='', application='', negate=False)

TEMPLATE oval_argument_value_in_line_test

Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition).

Parameters
  • filepath (str) – Path to the configuration file to be checked. The operation is "pattern match".

  • name (str) – Argument name

  • value (str) – Argument value (Optional)

  • line_prefix (str) – The starting part of the line with the list of arguments, default is empty

  • line_suffix (str) – The ending part of the line with the list of arguments, default is empty

  • is_regex (bool) – Defines whether the given name or value is a regex

oval_argument_value_in_line_test(filepath, name, value, line_prefix='', line_suffix='', is_regex=False)

TEMPLATE oval_argument_value_in_line

High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value.

Parameters
  • filepath (str) – Path to the configuration file to be checked.

  • name (str) – Argument name

  • value (str) – Argument value

  • line_prefix (str) – The starting part of the line with the list of arguments, default is empty

  • line_suffix (str) – The ending part of the line with the list of arguments, default is empty

oval_argument_value_in_line(filepath, name, value, line_prefix='', line_suffix='')
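The three oval_argument_value_in_line templates look for a name=value pair somewhere inside a line that is framed by line_prefix and line_suffix, the typical case being a kernel argument inside GRUB_CMDLINE_LINUX="...". The Python below is an added example that models that check on a constructed grub default file; it is not the project's macro code, emits no OVAL, and the regular expression the macros generate may differ. It assumes line_prefix and line_suffix are inserted as regex fragments, that an empty value means a bare argument with no "=", and that arguments are separated by whitespace; the negate flag of the criterion template is modelled by inverting the result.

```python
import re

# Added example: a Python model of the argument=value-in-line check described for
# oval_argument_value_in_line, _test and _criterion. Not the project's macro code;
# it emits no OVAL and the generated regex may differ. Assumptions: line_prefix and
# line_suffix are regex fragments, an empty value means a bare argument (no "="),
# and arguments within the line are separated by whitespace.


def build_argument_pattern(name, value="", line_prefix="", line_suffix="", is_regex=False):
    """Compile a regex matching `<line_prefix> ... name=value ... <line_suffix>` on one line."""
    if not is_regex:
        name, value = re.escape(name), re.escape(value)
    pair = f"{name}={value}" if value else name
    # the pair must be a whole argument: at the start of the list or after whitespace,
    # and at the end of the list or before whitespace (so audit=1 does not match audit=10,
    # and backlog_limit does not match inside audit_backlog_limit)
    return re.compile(rf"^{line_prefix}(?:.*[ \t])?{pair}(?:[ \t].*)?{line_suffix}$")


def argument_value_in_line(content, name, value="", line_prefix="", line_suffix="",
                           is_regex=False, negate=False):
    """Return True when some line of `content` carries the argument (inverted if negate)."""
    pattern = build_argument_pattern(name, value, line_prefix, line_suffix, is_regex)
    found = any(pattern.search(line) for line in content.splitlines())
    return found != negate


# Constructed sample input (not taken from any real host).
SAMPLE_GRUB = """\
# constructed /etc/default/grub excerpt
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="quiet rhgb audit=1 audit_backlog_limit=8192"
"""
CMDLINE_PREFIX = 'GRUB_CMDLINE_LINUX="'
CMDLINE_SUFFIX = '"'
```

With the sample above, argument_value_in_line(SAMPLE_GRUB, "audit", "1", CMDLINE_PREFIX, CMDLINE_SUFFIX) passes, while asking for "backlog_limit" with value "8192" fails even though that text occurs in the line, because it is only the tail of the audit_backlog_limit argument.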

TEMPLATE oval_sshd_config

High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. A case insensitive comparison is used in the prefix because sshd_config has case-insensitive parameters (but case-sensitive values).

Parameters
  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn’t exist in the system.

oval_sshd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_check_shell_file

High level macro to check if a particular shell variable is set.

Parameters
  • path (str) – Path to the file.

  • parameter (str) – The shell variable name.

  • value (str) – The variable value WITHOUT QUOTES.

  • application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • no_quotes (bool) – If set, the check will require that the RHS of the assignment is the literal value, without quotes. If no_quotes is false, then one level of single or double quotes won’t be regarded as part of the value by the check.

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn’t exist in the system.

oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_auditd_config

High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.

Parameters
  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file doesn’t exist in the system.

oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_coredump_config_set

High level macro to set a parameter in /etc/systemd/coredump.conf.

Parameters
  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.

oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false)

TEMPLATE oval_grub_config

High level macro to check if a particular combination of parameter and value in the grub configuration file is set.

Parameters
  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.

oval_grub_config(parameter='', value='', missing_parameter_pass=false, multi_value=true, missing_config_file_fail=false)

TEMPLATE application_not_required_or_requirement_unset

To be removed macro. Prevents regression on sshd configuration rules.

application_not_required_or_requirement_unset()

TEMPLATE application_required_or_requirement_unset

To be removed macro. Prevents regression on sshd configuration rules.

application_required_or_requirement_unset()

TEMPLATE oval_check_ini_file

High level macro which checks configuration in an INI file.

Parameters
  • path (str) – Path to the configuration file to be checked.

  • section (str) – The parameter will be checked only within the given section defined by [section].

  • parameter (str) – The parameter to be checked in the configuration file.

  • value (str) – The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).

  • missing_parameter_pass (bool) – If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

  • application (str) – The application whose configuration file is being checked. Can be any value and does not affect the actual OVAL check.

  • multi_value (bool) – If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

  • missing_config_file_fail (bool) – If set, the check will fail if the configuration file does not exist on the system.

oval_check_ini_file(path='', section='', parameter='', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=true)

TEMPLATE oval_test_package_removed

Creates OVAL tests with the given test_id which check that the package is not installed.

Parameters
  • package (str) – Name of the package to be removed

  • test_id (str) – Suffix of the Ids in test, obj, and state elements

oval_test_package_removed(package='', test_id='')

TEMPLATE oval_test_package_installed

Creates OVAL tests with the given test_id which check that the package is installed. Optionally, they can check that the installed package is at the given version (EVR) or newer.

Parameters
  • package (str) – Name of the package to be installed

  • evr (str) – Optional, version or newer version to check

  • test_id (str) – Suffix of the Ids in test, obj, and state elements

oval_test_package_installed(package='', evr='', test_id='')

TEMPLATE oval_ocp_service_runtime_config

Macro which generates OVAL test for OpenShift Container Platform runtime process configuration.

Parameters
  • command (str) – command that executes the OpenShift process

  • option (str) – command line option of the command

  • value (str) – value of the option

  • option_id (str) – used to build the OVAL test ID. The OVAL test ID is test_ocp_runtime_<option_id>.

oval_ocp_service_runtime_config(command='', option='', value='', option_id='')

TEMPLATE oval_file_contents

Macro which generates OVAL definition, test and object that check for contents of the file.

Parameters
  • filepath (str) – filepath of the file to check

  • filepath_id (str) – Used to build the test ID, as in test_whole_file_contents_$filepath_id

  • contents (str) – contents that should be in the file

oval_file_contents(filepath='', filepath_id='', contents='')

TEMPLATE oval_metadata

Macro which generates the OVAL metadata section

Parameters
  • description (str) – The text to place in the description section

  • title (str) – Optional, the associated rule title is used by default

  • affected_platforms (str) – Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood.

oval_metadata(description, title="", affected_platforms=None)

TEMPLATE oval_check_dconf_ini_file

Create a full OVAL check for a dconf INI file.

Parameters
  • path (str) – Path to the file

  • prefix_regex (str) – Defaults to ^\s*. What can prefix the parameter.

  • parameter (str) – What parameter to be set.

  • separator_regex (str) – Defaults to [ \t]*=[ \t]*. What is the separator between the parameter and value.

  • value (str) – What value to be set

  • application (str) – What application this applies to

  • quotes (str) – If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, pass a quotes string containing both the single-quote and the double-quote character, which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.

  • lock_path (str) – Path to lock file

oval_check_dconf_ini_file(path='', prefix_regex='^\s*', parameter='', separator_regex='[ \t]*=[ \t]*', value='', application='', section='', quotes='', lock_path='')

TEMPLATE sshd_oval_check

Create a full OVAL check for an sshd parameter and value.

Parameters
  • parameter (str) – Parameter to check

  • value (str) – Value to check

  • missing_parameter_pass (bool) – If true, the check will pass if the parameter is missing.

  • config_is_distributed (bool) – Whether the parameter lives in /etc/sshd_config.d rather than only in /etc/ssh/sshd_config

sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed)