Merge pull request #6048 from matejak/value_macros

Introduced macros for working with XCCDF values into the wide content

applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml

@@ -11,13 +11,13 @@ description: |-
 {{%- if product == "ocp4" %}}
     file <tt>/etc/kubernetes/kubernetes.conf</tt>
     on the kubelet node(s) and set the below parameter:
-    <pre>streamingConnectionIdleTimeout: <sub idref="var_streaming_connection_timeouts"/></pre>
+    <pre>streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}</pre>
 {{% else %}}
     file <tt>/etc/origin/node/node-config.yaml</tt>
     on the kubelet node(s) and set the below parameter:
     <pre>kubeletArguments:
       streaming-connection-idle-timeout:
-      - '<sub idref="var_streaming_connection_timeouts"/>'</pre>
+      - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}'</pre>
 {{%- endif %}}
 
 rationale: |-
@@ -33,10 +33,10 @@ ocil: |-
     Run the following command on the kubelet node(s):
 {{%- if product == "ocp4" %}}
     <pre>$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf</pre>
-    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
 {{% else %}}
     <pre>$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml</pre>
-    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
 {{%- endif %}}
 
 identifiers:

applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml

@@ -32,4 +32,4 @@ ocil: |-
     <pre>$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
+    <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>

applications/openstack/keystone/keystone_lockout_duration/rule.yml

@@ -38,4 +38,4 @@ ocil: |-
     <pre>$ grep lockout_duration /etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
+    <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>

applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml

@@ -33,4 +33,4 @@ ocil: |-
     <pre>$ grep lockout_failure_attempts /etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
+    <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>

applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml

@@ -31,4 +31,4 @@ ocil: |-
     <pre>$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
+    <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>

applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml

@@ -37,4 +37,4 @@ ocil: |-
     <pre>$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
+    <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>

applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml

@@ -32,4 +32,4 @@ ocil: |-
     <pre>$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
     <br />
     If properly configured, the output should be:
-    <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
+    <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>

linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml

@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests'
 
 description: |-
     The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to
-    <sub idref="var_max_keepalive_requests" /> or greater by setting the following
+    {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following
     in <tt>/etc/httpd/conf/httpd.conf</tt>:
-    <pre>MaxKeepAliveRequests <sub idref="var_max_keepalive_requests" /></pre>
+    <pre>MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}</pre>
 
 rationale: |-
     Resource exhaustion can occur when an unlimited number of concurrent requests

linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml

@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8
 title: 'Enable HTTPD LogLevel'
 
 description: |-
-    <tt>LogLevel</tt> should be enabled and set to <sub idref="var_httpd_loglevel" />.
+    <tt>LogLevel</tt> should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}.
     Add or edit the following in <tt>/etc/httpd/conf/httpd.conf</tt>:
-    <pre>LogLevel <sub idref="var_httpd_loglevel" /></pre>
+    <pre>LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}</pre>
 
 rationale: |-
     The server error logs are invaluable because they can also be used to identify

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = Red Hat Virtualization 4,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
-populate var_postfix_root_mail_alias
+{{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
 
 replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '@CCENUM@' '%s: %s'
 

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account'
 
 description: |-
     Set up an alias for root that forwards to a monitored email address:
-    <pre>$ sudo echo "root: <sub idref="var_postfix_root_mail_alias" />" &gt;&gt; /etc/aliases
+    <pre>$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" &gt;&gt; /etc/aliases
     $ sudo newaliases</pre>
 
 rationale: |-

linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml

@@ -6,7 +6,7 @@ description: |-
     Set up a relay host that will act as a gateway for all outbound email.
     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
     <tt>relayhost</tt> line appears:
-    <pre>relayhost = <sub idref="var_postfix_relayhost" /></pre>
+    <pre>relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}</pre>
 
 rationale: |-
     A central outbound email location ensures messages sent from any network host
@@ -20,4 +20,4 @@ ocil_clause: 'it is not'
 ocil: |-
     Run the following command to ensure postfix routes mail to this system:
     <pre>$ grep relayhost /etc/postfix/main.cf</pre>
-    If properly configured, the output should show only <tt><sub idref="var_postfix_relayhost" /></tt>.
+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.

linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml

@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_postfix_inet_interfaces)
+{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}}
 
 - name: "Gather list of packages"
   package_facts:

linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml

@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening'
 description: |-
     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
     <tt>inet_interfaces</tt> line appears:
-    <pre>inet_interfaces = <sub idref="var_postfix_inet_interfaces" /></pre>
+    <pre>inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}</pre>
 
 
 rationale: |-
@@ -41,4 +41,4 @@ ocil_clause: 'it does not'
 ocil: |-
     Run the following command to ensure postfix accepts mail messages from only the local system:
     <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
-    If properly configured, the output should show only <tt><sub idref="var_postfix_inet_interfaces" /></tt>.
+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_time_service_set_maxpoll
+{{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}}
 
 
 config_file="/etc/ntp.conf"

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval'
 
 description: |-
     The <tt>maxpoll</tt> should be configured to
-    <sub idref="var_time_service_set_maxpoll" /> in <tt>/etc/ntp.conf</tt> or
+    {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
     <tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
     <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
     add the following:
-    <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>
+    <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
 
 rationale: |-
     Inaccurate time stamps make it more difficult to correlate
@@ -46,4 +46,4 @@ ocil: |-
     To verify that <tt>maxpoll</tt> has been set properly, perform the following:
     <pre>$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf</pre>
     The output should return
-    <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>.
+    <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>.

linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 
 config_file="/etc/ntp.conf"
 /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"

linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 
 config_file="/etc/ntp.conf"
 /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"

linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml

@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_multiple_time_servers)
+{{{ ansible_instantiate_variables("var_multiple_time_servers") }}}
 
 - name: "Detect if chrony is already configured with pools or servers"
   find:

linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = multi_platform_all
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 
 config_file="/etc/chrony.conf"
 

linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml

@@ -11,7 +11,7 @@
   with_items:
     - firewalld
 
-- (xccdf-var sshd_listening_port)
+{{{ ansible_instantiate_variables("sshd_listening_port") }}}
 
 - name: Enable SSHD in firewalld (custom port)
   firewalld:

linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh

@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate var_sshd_disable_compression
+{{{ bash_instantiate_variables("var_sshd_disable_compression") }}}
 
 replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" '@CCENUM@' '%s %s'

linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

@@ -9,7 +9,7 @@ description: |-
     it should be disabled. To disable compression or delay compression until after
     a user has successfully authenticated, add or correct the following line in the
     <tt>/etc/ssh/sshd_config</tt> file:
-    <pre>Compression <sub idref="var_sshd_disable_compression"/></pre>
+    <pre>Compression {{{ xccdf_value("var_sshd_disable_compression") }}}</pre>
 
 rationale: |-
     If compression is allowed in an SSH connection prior to authentication,

linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml

@@ -7,7 +7,7 @@ description: |-
     the session key of the is renegotiated, both in terms of
     amount of data that may be transmitted and the time
     elapsed. To decrease the default limits, put line
-    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+    <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
 
 rationale: |-
     By decreasing the limit based on the amount of data and enabling
@@ -30,4 +30,4 @@ ocil: |-
     following command:
     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
     If configured properly, output should be
-    <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
+    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml

@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var sshd_idle_timeout_value)
+{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}}
 
 {{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh

@@ -1,5 +1,5 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
-populate sshd_idle_timeout_value
+{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}}
 
 replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -8,7 +8,7 @@ description: |-
     <br /><br />
     To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
     follows:
-    <pre>ClientAliveInterval <b><sub idref="sshd_idle_timeout_value" /></b></pre>
+    <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
     <br/><br/>
     The timeout <b>interval</b> is given in seconds. For example, have a timeout
     of 10 minutes, set <b>interval</b> to 600.
@@ -61,4 +61,4 @@ ocil: |-
     Run the following command to see what the timeout interval is:
     <pre>$ sudo grep ClientAliveInterval /etc/ssh/sshd_config</pre>
     If properly configured, the output should be:
-    <pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value" /></pre>
+    <pre>ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}</pre>

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml

@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_sshd_set_keepalive)
+{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}}
 
 {{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh

@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate var_sshd_set_keepalive
+{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
 
 {{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count'
 description: |-
     To ensure the SSH idle timeout occurs precisely when the <tt>ClientAliveInterval</tt> is set,
     edit <tt>/etc/ssh/sshd_config</tt> as follows:
-    <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
+    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
 
 rationale: |-
     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -48,4 +48,4 @@ ocil: |-
     To ensure the SSH idle timeout will occur when the <tt>ClientAliveInterval</tt> is set, run the following command:
     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
     If properly configured, output should be:
-    <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
+    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>

linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml

@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var sshd_max_auth_tries_value)
+{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}}
 
 {{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh

@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate sshd_max_auth_tries_value
+{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}}
 
 {{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

@@ -6,7 +6,7 @@ description: |-
     The <tt>MaxAuthTries</tt> parameter specifies the maximum number of authentication attempts
     permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
     to set MaxAUthTries edit <tt>/etc/ssh/sshd_config</tt> as follows:
-    <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
+    <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>
 
 rationale: |-
     Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
@@ -31,4 +31,4 @@ ocil: |-
     To ensure the <tt>MaxAuthTries</tt> parameter is set, run the following command:
     <pre>$ sudo grep MaxAuthTries /etc/ssh/sshd_config</pre>
     If properly configured, output should be:
-    <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
+    <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>

linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml

@@ -3,6 +3,6 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_sshd_max_sessions)
+{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}}
 
 {{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh

@@ -7,6 +7,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate var_sshd_max_sessions
+{{{ bash_instantiate_variables("var_sshd_max_sessions") }}}
 
 {{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml

@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit'
 description: |-
     The <tt>MaxSessions</tt> parameter specifies the maximum number of open sessions permitted
     from a given connection. To set MaxSessions edit
-    <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
+    <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>
 
 rationale: |-
     To protect a system from denial of service due to a large number of concurrent
@@ -27,4 +27,4 @@ ocil: |-
     Run the following command to see what the max sessions number is:
     <pre>$ sudo grep MaxSessions /etc/ssh/sshd_config</pre>
     If properly configured, the output should be:
-    <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
+    <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml

@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var sshd_approved_ciphers)
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
 
 {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh

@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate sshd_approved_ciphers
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
 
 replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

@@ -31,7 +31,7 @@ description: |-
     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
     {{% endif %}}
 {{% endif %}}
-    The rule is parametrized to use the following ciphers: <code>{{{ sub_var_value("sshd_approved_ciphers") }}}</code>.
+    The rule is parametrized to use the following ciphers: <code>{{{ xccdf_value("sshd_approved_ciphers") }}}</code>.
 
 rationale: |-
     Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore