General
- TEMPLATE openshift_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule. This is used by the Compliance Operator to automatically figure out what resources to fetch.
- Parameters
endpoint (str/list) – The Kubernetes object path(s) to fetch
openshift_cluster_setting(endpoint)
- TEMPLATE openshift_filtered_cluster_setting
Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This is used by the Compliance Operator to automatically figure out what resources to fetch. The filtering directive can be used by the jq command ( https://stedolan.github.io/jq/manual/ ).
- Parameters
path_filter_pairs (list) – Kubernetes object path/filter directive pairs
varargs – A list of path_filter_pairs (in case repeated paths need to be used)
openshift_filtered_cluster_setting(path_filter_pairs)
- TEMPLATE openshift_filtered_path
Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique identifier in such a way that it won't conflict with unfiltered resources.
- Parameters
path (str) – The Kubernetes object path to fetch
filter (str) – A filtering directive
openshift_filtered_path(path, filter)
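The two filtered-resource macros above describe a list of path/filter pairs (optionally repeated via varargs) and an identifier that keeps a filtered fetch distinct from the unfiltered one. The following is an added example, not ComplianceAsCode's own macro code: it models that identifier scheme in Python, using path plus a short digest of the jq filter (an assumed scheme, not the project's actual one), and flattens the varargs form into one de-duplicated list. The API path and jq filters are constructed sample values.

```python
"""Added example: model of the filtered-path identifier scheme.
The 'path#digest' layout is an assumption for illustration, not
the scheme used by ComplianceAsCode or the Compliance Operator."""
import hashlib


def filtered_path(path, jq_filter):
    """Unique id for a filtered resource.

    The path alone is what an unfiltered fetch would use, so appending
    a digest of the filter guarantees the two never collide, and two
    different filters on the same path get two different ids.
    """
    digest = hashlib.sha256(jq_filter.encode("utf-8")).hexdigest()[:12]
    return f"{path}#{digest}"


def normalize_pairs(*path_filter_groups):
    """Flatten one or more lists of (path, filter) pairs (the varargs
    form) into a single ordered list with exact duplicates removed."""
    seen = set()
    result = []
    for group in path_filter_groups:
        for path, jq_filter in group:
            key = (path, jq_filter)
            if key not in seen:
                seen.add(key)
                result.append(key)
    return result


def fetch_plan(*path_filter_groups):
    """Build what a fetcher would act on: for every pair, the API path,
    the jq filter to apply to the fetched object (None = unfiltered)
    and the identifier under which the result is stored."""
    plan = []
    for path, jq_filter in normalize_pairs(*path_filter_groups):
        ident = filtered_path(path, jq_filter) if jq_filter is not None else path
        plan.append({"path": path, "filter": jq_filter, "id": ident})
    return plan


if __name__ == "__main__":
    # Constructed sample: one configmap fetched twice with different
    # filters, plus once unfiltered, with a repeated pair in a second group.
    CM = "/api/v1/namespaces/openshift-kube-apiserver/configmaps/config"
    for entry in fetch_plan([(CM, '.data["config.yaml"]'), (CM, None)],
                            [(CM, ".metadata.name"), (CM, None)]):
        print(entry["id"], "<-", entry["filter"])
```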
- TEMPLATE sub_var_value
Calls the xccdf_value macro under the hood. Deprecated: use xccdf_value instead.
- Parameters
varname (str) – The name of the variable to reference
sub_var_value(varname)
- TEMPLATE xccdf_value
Create an XCCDF <sub> element.
- Parameters
varname (str) – The name of the variable to reference
xccdf_value(varname)
- TEMPLATE describe_iptables_block
Describe an iptables block
- Parameters
proto (str) – protocol to block
port (int) – port to block
describe_iptables_block(proto, port)
- TEMPLATE describe_iptables_allow
Describe an iptables allow
- Parameters
proto (str) – protocol to allow
port (int) – port to allow
describe_iptables_allow(proto, port)
- TEMPLATE describe_firewalld_prevent
Describe preventing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.
- Parameters
port (int) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
describe_firewalld_prevent(port, proto, service)
- TEMPLATE describe_firewalld_allow
Describe allowing access to a port or service in firewalld. If the service parameter is defined it is assumed to be a service and the port and proto parameters will have no effect.
- Parameters
port (int) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
describe_firewalld_allow(port, proto, service)
- TEMPLATE describe_module_disable
Description for how to check for a disabled kernel module.
- Parameters
module (str) – The module to disable.
describe_module_disable(module)
- TEMPLATE systemd_describe_socket_disable
Describe how to disable a socket in systemd.
- Parameters
socket (str) – The socket to check
systemd_describe_socket_disable(socket)
- TEMPLATE systemd_describe_socket_enable
Describe how to enable a socket in systemd.
- Parameters
socket (str) – The socket to check
systemd_describe_socket_enable(socket)
- TEMPLATE describe_socket_enable
Inserts a rule description for a case when a socket should be enabled, substituting the correct init system.
- Parameters
socket (str) – Name of socket
describe_socket_enable(socket)
- TEMPLATE describe_socket_disable
Inserts a rule description for a case when a socket should be disabled, substituting the correct init system.
- Parameters
socket (str) – Name of socket
describe_socket_disable(socket)
- TEMPLATE systemd_describe_service_disable
Describe how to disable a service in systemd.
- Parameters
service (str) – The service to check
systemd_describe_service_disable(service)
- TEMPLATE systemd_describe_service_enable
Describe how to enable a service in systemd.
- Parameters
service (str) – The service to check
systemd_describe_service_enable(service)
- TEMPLATE describe_timer_enable
Inserts a rule description for a case when a timer should be enabled, substituting the correct init system.
- Parameters
timer (str) – Name of timer
describe_timer_enable(timer)
- TEMPLATE describe_service_enable
Inserts a rule description for a case when a service should be enabled, substituting the correct init system.
- Parameters
service (str) – Name of service
describe_service_enable(service)
- TEMPLATE describe_service_disable
Inserts a rule description for a case when a service should be disabled, substituting the correct init system.
- Parameters
service (str) – Name of service
describe_service_disable(service)
- TEMPLATE describe_sebool_var
Describe how to set an SELinux boolean depending on a variable.
- Parameters
sebool (str) – The SELinux boolean to disable
describe_sebool_var(sebool)
- TEMPLATE describe_sebool_disable
Describe how to disable an SELinux boolean.
- Parameters
sebool (str) – The SELinux boolean to disable
describe_sebool_disable(sebool)
- TEMPLATE describe_sebool_enable
Describe how to enable an SELinux boolean.
- Parameters
sebool (str) – The SELinux boolean to disable
describe_sebool_enable(sebool)
- TEMPLATE apt_get_package_install
Show how to install a package with apt-get.
Example output:
$ apt-get install package
- Parameters
package (str) – Package to install
apt_get_package_install(package)
- TEMPLATE apt_get_package_remove
Show how to remove a package with apt-get.
Example output:
$ apt-get remove package
- Parameters
package (str) – Package to remove
apt_get_package_remove(package)
- TEMPLATE dnf_package_install
Show how to install a package with dnf.
Example output:
$ sudo dnf install package
- Parameters
package (str) – Package to install
dnf_package_install(package)
- TEMPLATE dnf_package_remove
Show how to remove a package with dnf.
Example output:
$ sudo dnf erase package
- Parameters
package (str) – Package to remove
dnf_package_remove(package)
- TEMPLATE yum_package_install
Show how to install a package with yum.
Example output:
$ sudo yum install package
- Parameters
package (str) – Package to install
yum_package_install(package)
- TEMPLATE yum_package_remove
Show how to remove a package with yum.
Example output:
$ sudo yum erase package
- Parameters
package (str) – Package to remove
yum_package_remove(package)
- TEMPLATE zypper_package_install
Show how to install a package with zypper.
Example output:
$ sudo zypper install package
- Parameters
package (str) – Package to install
zypper_package_install(package)
- TEMPLATE zypper_package_remove
Show how to remove a package with zypper.
Example output:
$ sudo zypper remove package
- Parameters
package (str) – Package to remove
zypper_package_remove(package)
- TEMPLATE package_install
Outputs a command for installing a package, substituting the correct package management software.
- Parameters
package (str) – Name of package
package_install(package)
- TEMPLATE describe_package_install
Inserts a rule description for a case when a package should be installed, substituting the correct package management software.
- Parameters
package (str) – Name of package
describe_package_install(package)
- TEMPLATE package_remove
Outputs a command for removing a package, substituting the correct package management software.
package_remove(package)
- TEMPLATE describe_package_remove
Inserts a rule description for a case when a package should be removed, substituting the correct package management software.
- Parameters
package (str) – Name of package
describe_package_remove(package)
- TEMPLATE describe_file_permissions
Describe how to set the permissions on a file.
- Parameters
file (str) – File to change
perms (str) – The permissions for the file
describe_file_permissions(file, perms)
- TEMPLATE describe_file_owner
Describe how to set the file owner of a file.
- Parameters
file (str) – File to change
owner (str) – the owner for the file
describe_file_owner(file, owner)
- TEMPLATE describe_file_group_owner
Describe how to set the file group owner of a file.
- Parameters
file (str) – File to change
group (str) – The group owner for the file
describe_file_group_owner(file, group)
- TEMPLATE check_file_permissions
How to check a file for the correct permissions.
- Parameters
file (str) – File to change
perms (str) – The permissions for the file
check_file_permissions(file, perms)
- TEMPLATE describe_mount
How to add mount options to /etc/fstab.
- Parameters
option (str) – The option to add to the partition
part (str) – The partition
describe_mount(option, part)
- TEMPLATE partition_description
Describe that a separate partition is needed.
- Parameters
part (str) – The partition
partition_description(part)
- TEMPLATE describe_sysctl_option_value
Describe how to set a sysctl kernel parameter.
- Parameters
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
describe_sysctl_option_value(sysctl, value)
- TEMPLATE weblink
Creates an HTML <a> element for the given link and text. If no text is given, the link will be used as the text.
- Parameters
link (str) – The url the link should have
text (str) – Optional, text for the link
weblink(link, text=none)
- TEMPLATE body_of_warning_about_dependent_rule
A warning about a rule depending on another.
- Parameters
rule_id (str) – Rule id of the rule that must be selected.
why (str) – The reasoning for the dependency. Should fit into this part of the sentence “make sure that rule with ID is selected as well:”.
body_of_warning_about_dependent_rule(rule_id, why)
- TEMPLATE openssl_strong_entropy_config_file
An openssl config file with strong entropy.
openssl_strong_entropy_config_file()
- TEMPLATE machineconfig_description_footer
A note that an item needs to be done for each MachineConfigPool.
machineconfig_description_footer()
- TEMPLATE rule_notapplicable_when_ovirt_installed
Makes a rule not applicable on systems where oVirt is installed. Note: This is only applied on RHEL8 content.
rule_notapplicable_when_ovirt_installed()
- TEMPLATE describe_grub2_argument
Describe how to configure Grub2 to add an argument to the default kernel command line. The parameter should be in the form parameter=value.
describe_grub2_argument(arg_name_value)
- TEMPLATE describe_kernel_build_config
Describe how to check a kernel compile parameter.
- Parameters
config (str) – The kernel config parameter
value (str) – The value for the given config
describe_kernel_build_config(config, value)
- TEMPLATE kernel_build_config_warning
Adds a default “no easy remediation” warning for a kernel_build_config rule.
kernel_build_config_warning()
- TEMPLATE kernel_build_config_ocil
OCIL for a kernel build config rule.
Example usage:
kernel_build_config_ocil(config="config_kernel_strict_rwx", value="y")
- Parameters
config (str) – The kernel config parameter
value (str) – The value for the given config
kernel_build_config_ocil(config, value)
- TEMPLATE aide_string
Returns the AIDE strings based on the current product.
aide_string()
- TEMPLATE aide_files
Lists the files needed for the rule aide_check_audit_tools, together with the AIDE string.
aide_files()
- TEMPLATE grub_command
Macro to generate a command to modify the GRUB 2 configuration, or to add or remove a kernel command line argument in a GRUB 2 bootloader. Generates the correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.). Part of the grub2_bootloader_argument(_absent) templates.
- Parameters
action – What to do with the argument, must be one of: “update”, “add”, “remove”.
arg_name_value (str) – If action is “add”, it's the kernel command line argument concatenated with its value using an equal sign, e.g. “audit=1”. If action is “remove”, it's only the kernel command line argument name, e.g. “audit”.
grub_command(action, arg_name_value=None)
- TEMPLATE join_list
Join a list of items to create a human-readable list in which the last item is separated by “and” and the others are separated by a comma.
- Parameters
items (list) – list of strings
join_list(items)