diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 8cb2efa193f..c7a75060129 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -12,14 +12,12 @@ This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the {{% if endpoint is string %}}{{{ endpoint }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file.{{% else %}}{{% for item in endpoint %}}{{{ item }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ item.lstrip("/") }}} file{{% endfor %}}.{{% endif %}} {{%- endmacro %}} -#}} {{% macro openshift_cluster_setting_kubeletconfig() -%}} This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes. Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}"/kubeletconfig/role/role" file. {{%- endmacro %}} - {{# Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This @@ -91,6 +89,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo {{%- endmacro %}} + {{# Macro which generates a unique identifier for Compliance Operator, this will hide the rule from ComplianceCheckResult @@ -100,6 +99,7 @@ This rule will be a hidden rule true {{%- endmacro %}} + {{% macro openshift_filtered_version(path_filter_pairs) -%}} This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following: 
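Review bot: The kubeletconfig warning text this hunk leaves in place still carries a misplaced double quote: `{{{ xccdf_value("ocp_data_root") }}}"/kubeletconfig/role/role" file.` opens the quote after the data root, so the rendered guidance reads as the root immediately followed by a quoted path fragment. Since the hunk already removes the stray `#}}` from this macro's neighbourhood, dropping that quote as well, `{{{ xccdf_value("ocp_data_root") }}}/kubeletconfig/role/role file.`, would keep the output consistent with the `/{{{ item.lstrip("/") }}} file` form used by the macro directly above it. The sentence "var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes" also reads awkwardly; "var_role_worker and var_role_master need to be set if the scan is not expected to run on the master and worker nodes" is one reading, but the intended meaning should be confirmed with the author. The `role/role` segment looks like a per-role placeholder rather than a literal path; if so, writing it as `role/<role>` avoids the ambiguity.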
@@ -122,7 +122,6 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo {{%- endmacro %}} - {{# Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique @@ -1029,6 +1028,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} {{% endif %}} {{%- endmacro %}} + {{# Adds a default "no easy remediation" warning for kernel_build_config warning. @@ -1038,6 +1038,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} There is no remediation for this besides re-compiling the kernel with the appropriate value for the config. {{% endmacro %}} + {{# OCIL for a kernel build config rule. @@ -1062,6 +1063,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} {{% endif %}} {{%- endmacro %}} + {{# Returns the AIDE strings based on the current product @@ -1074,6 +1076,7 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 {{%- endif -%}} {{%- endmacro -%}} + {{# Lists the files need for the rule aide_check_audit_tools with the AIDE string 
@@ -1097,9 +1100,9 @@ Generates a correct command based on the product (grubby, grub2-mkconfig, update Part of the grub2_bootloader_argument(_absent) templates. :param action: What to do with the argument, must be one of: "update", "add", "remove". -:type action str: -:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". -:type arg_name_value str: +:type action: str +:param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". +:type arg_name_value: str #}} {{% macro grub_command(action, arg_name_value=None) -%}} @@ -1128,6 +1131,7 @@ Part of the grub2_bootloader_argument(_absent) templates. {{{ grub_helper_executable }}} {{{ " ".join(grub_helper_args) }}} {{%- endmacro %}} + {{%- macro audit_remediation_unsuccessful_file_modification_detailed_audit_file_content() -%}} ## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules @@ -1171,6 +1175,7 @@ Part of the grub2_bootloader_argument(_absent) templates. -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access {{%- endmacro -%}} + {{# Join list of items to create a human readable list in which the last item is separated by an and and others are separated by a comma. diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 103a1150b1b..47103022b21 100644 --- a/shared/macros/10-ansible.jinja 
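Review bot: The corrected `grub_command` docstring still does not say that `arg_name_value` is optional, although the signature immediately below defaults it to `None`, nor which `action` value leaves it unused. Appending `Optional; presumably not needed when action is "update".` to the `:param arg_name_value:` line would make the documented contract match the signature, once confirmed against the macro body, which lies outside this hunk. The new `:type action: str` line is correctly placed; only the optionality of the second parameter is left for the reader to infer.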
+++ b/shared/macros/10-ansible.jinja @@ -1,6 +1,7 @@ {{# -Pass strings that correspond to XCCDF value names as arguments to this macro: -ansible_instantiate_variables("varname1", "varname2") +Pass strings that correspond to XCCDF value names as arguments to this macro:: + + ansible_instantiate_variables("varname1", "varname2") Then, assume that the task that follows can work with the variable by referencing it, e.g. value: :code:`Setting={{ varname1 }}` @@ -497,11 +498,17 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/rules.d` The macro requires following parameters: :param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str :param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str :param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str :param syscalls: List of syscalls to ensure presense among audit rules. For example, "['fchown', 'lchown', 'fchownat']" -:param syscall_groupings: List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscalls: list[str] +:param syscall_grouping: List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscall_grouping: list[str] :param key: The key to use when appending a new rule +:type key: str #}} {{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} 
@@ -583,13 +590,23 @@ The macro requires following parameters: {{# The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rules` file. -:param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" -:param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" -:param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" -:param syscalls: List of syscalls to ensure presense among audit rules. For example, "['fchown', 'lchown', 'fchownat']" -:param syscall_groupings: List of other syscalls that can be grouped with 'syscalls' - For example, "['fchown', 'lchown', 'fchownat']" +:param action_arch_filters: The action and arch filters of the rule. + For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str +:param other_filters: Other filters that may characterize the rule. + For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str +:param auid_filters: The auid filters of the rule. + For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str +:param syscalls: List of syscalls to ensure presense among audit rules. + For example, "['fchown', 'lchown', 'fchownat']" +:type syscalls: list[str] :param key: The key to use when appending a new rule +:type key: str +:param syscall_grouping: List of other syscalls that can be grouped with + 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscall_grouping: list[str] #}} {{% macro ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} 
@@ -646,6 +663,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul when: syscalls_found | length == 0 {{%- endmacro %}} + {{% macro ansible_sssd_ldap_config(parameter, value) -%}} - name: "Test for id_provider different than Active Directory (ad)" command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' /etc/sssd/sssd.conf @@ -701,6 +719,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul mode: 0644 {{%- endmacro %}} + {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}} - name: Find /etc/sudoers.d/ files @@ -720,14 +739,19 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - "{{ sudoers.files }}" {{%- endmacro -%}} + {{# - This macro creates an Ansible snipped which is used in `when` clause to determine applicability of a task. - If the package passed as a parameter is installed, the task is applicable. - The macro respects `platform_package_overrides` variable. + This macro creates an Ansible snipped which is used in `when` clause to + determine applicability of a task. If the package passed as a parameter is + installed, the task is applicable. The macro respects + `platform_package_overrides` variable. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: version #}} {{%- macro ansible_pkg_conditional(package, op=None, ver=None) -%}} @@ -786,6 +810,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul not desired, avoid defining a backup name. :param backup_name: Changes the default backup name used by authselect. +:type backup_name: str #}} {{% macro ansible_apply_authselect_changes(backup_name='') -%}} 
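Review bot: `:type ver: version` in the new `ansible_pkg_conditional` docstring uses a type name that appears nowhere else in this diff; every other parameter is typed `str`, `bool`, `int` or `list[str]`. Callers pass the version as a string that ends up in an Ansible `when` expression, so `:type ver: str` describes the actual argument, and the description could state the expected form, e.g. `:param ver: package version string, e.g. "1.2.3" (optional, use together with "op")`. It would also help to say what happens when `op` is supplied without `ver`, since the text only covers the reverse case; the macro body is outside this hunk, so that behaviour cannot be confirmed here.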
@@ -829,6 +854,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - result_authselect_enable_feature_cmd is success {{%- endmacro -%}} + {{# Used to identify if authselect is present or not in the system. Some macros can change the remediation behavior based on the presence of authselect. @@ -841,17 +867,21 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul register: result_authselect_present {{%- endmacro -%}} + {{# Enable pam_pwhistory.so PAM module according to the system capabilities. If authselect is present and the "with-pwhistory" feature is available, the feature will be enabled. If authselect is present but the "with-pwhistory" feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited. - :param pam_file: PAM config file. - :param control: PAM control flags. - :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. - Note: For this macro, there is a special value used to include a line at - the beginning of the file: "BOF" +:param pam_file: PAM config file. +:type pam_file: str +:param control: PAM control flags. +:type control: str +:param after_match: Regex used as reference to append a line, if necessary. Optional parameter. + Note: For this macro, there is a special value used to include a line at + the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro ansible_pam_pwhistory_enable(pam_file, control, after_match='') -%}} 
@@ -881,14 +911,18 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul or result_authselect_available_features is not defined {{%- endmacro -%}} + {{# Set pam_pwhistory.so PAM module options and values. In case the file /etc/security/pwhistory.conf is present in the system, the option is ensured there and removed from pam files to avoid conflicts or confusion. :param pam_file: PAM config file. +:type pam_file: str :param parameter: pwhistory parameter/option e.g.: remember, retry, debug +:type parameter: str :param pwhistory_var_name: Literal variable name. +:type pwhistory_var_name: str #}} {{%- macro ansible_pam_pwhistory_parameter_value(pam_file, parameter, pwhistory_var_name='') -%}} @@ -929,6 +963,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - not result_pwhistory_conf_check.stat.exists {{%- endmacro -%}} + {{# This macro ensures the pam_faillock.so PAM module is enabled. It is enabled using the authselect tool or editing the PAM files, only if authselect tool is not available. 
@@ -994,14 +1029,18 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - not result_authselect_present.stat.exists {{%- endmacro -%}} + {{# This macro make sure the informed parameter from pam_faillock.so PAM module is properly set. In case the file /etc/security/faillock.conf is present in the system, the option is removed from PAM files since it is not needed there in that case. - :param parameter: The pam_faillock.so parameter name. - :param faillock_var_name: If the parameter expects a value from a variable, the variable name is informed here. - :param authfail: check the pam_faillock.so conf line with authfail +:param parameter: The pam_faillock.so parameter name. +:type parameter: str +:param faillock_var_name: If the parameter expects a value from a variable, the variable name is informed here. +:type faillock_var_name: str +:param authfail: check the pam_faillock.so conf line with authfail +:type authfail: bool #}} {{%- macro ansible_pam_faillock_parameter_value(parameter, faillock_var_name='', authfail=True) -%}} @@ -1117,14 +1156,15 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - not result_faillock_conf_check.stat.exists {{%- endmacro -%}} + {{# Macro for Ansible remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template. :param arg_name: Kernel command line argument -:type arg_name str: +:type arg_name: str :param arg_name_value: Kernel command line argument concatenated with the value of this argument using an equal sign, eg. "noexec=off". -:type arg_name_value str: +:type arg_name_value: str #}} {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value) -%}} 
@@ -1158,12 +1198,13 @@ Part of the grub2_bootloader_argument template. {{% endif -%}} {{%- endmacro -%}} + {{# Macro for Ansible remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template. :param arg_name: Name of the kernel command line argument that will be removed from GRUB 2 configuration. -:type arg_name str: +:type arg_name: str #}} {{%- macro ansible_grub2_bootloader_argument_absent(arg_name) -%}} @@ -1191,6 +1232,7 @@ Part of the grub2_bootloader_argument_absent template. {{% endif -%}} {{%- endmacro -%}} + {{# Macro to restrict permissions in home directories of interactive users @@ -1246,10 +1288,15 @@ Part of the grub2_bootloader_argument_absent template. PAM module is working as expected. Otherwise, a custom remediation should be considered. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param after_match: Regex used as reference to include the line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}} 
@@ -1310,12 +1357,19 @@ Part of the grub2_bootloader_argument_absent template. Make sure that an existing PAM module line is properly configured with an option. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}} @@ -1363,10 +1417,15 @@ Part of the grub2_bootloader_argument_absent template. Remove a PAM module option if present in a PAM module line. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro ansible_remove_pam_module_option(pam_file, group, control, module, option) -%}} @@ -1484,6 +1543,7 @@ Part of the grub2_bootloader_argument_absent template. to the PAM file to be edited is correctly set. :param pam_file: PAM config file. +:type pam_file: str #}} {{%- macro ansible_ensure_pam_facts_and_authselect_profile(pam_file) -%}} 
@@ -1513,12 +1573,19 @@ Part of the grub2_bootloader_argument_absent template. relies on authselect. Otherwise, the PAM files will be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. Optional parameter. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_configuration(pam_file, group, control, module, option, value='', after_match='') -%}} @@ -1554,10 +1621,15 @@ Part of the grub2_bootloader_argument_absent template. be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro ansible_remove_pam_module_option_configuration(pam_file, group, control, module, option) -%}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index f52ae185b41..759fc92bf1a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -20,12 +20,19 @@ Then, assume that variables of that names are defined and contain the correct va type control module option=valueRegexArg :param pamFile: PAM config file +:type pamFile: str :param type: PAM module interface +:type type: str :param control: PAM control flags +:type control: str :param module: PAM module name +:type module: str :param option: PAM module option +:type option: str :param valueRegexArg: PAM module option argument regex pattern +:type valueRegexArg: str :param defaultValueArg: PAM module option argument default value +:type defaultValueArg: str #}} {{%- macro bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg) -%}} @@ -69,13 +76,20 @@ fi Make sure that we have a line with given type, control and module has the given option in pamFile (additional options are left as-is): `type control module option=valueRegexArg` -:param pamFile: PAM config file -:param type: PAM module interface -:param control: PAM control flags -:param module: PAM module name -:param option: PAM module option -:param valueRegexArg: PAM module option argument regex pattern +:param pamFile: PAM config file +:type pamFile: str +:param type: PAM module interface +:type type: str +:param control: PAM control flags +:type control: str +:param module: PAM module name +:type module: str +:param option: PAM module option +:type option: str +:param valueRegexArg: PAM module option argument regex pattern +:type valueRegexArg: str :param defaultValueArg: PAM module option argument default value +:type defaultValueArg: str #}} {{%- macro bash_provide_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg) -%}} 
@@ -115,8 +129,8 @@ fi :type parameter: str :param value: Value to set :type value: str -:param no_quotes: Boolean, if true the value is not quoted. Default is false. -:type no_quotes: str +:param no_quotes: If true the value is not quoted. Default is false. +:type no_quotes: bool #}} {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} @@ -149,15 +163,16 @@ fi {{# Macro to perform remediation for 'audit_rules_privileged_commands' rule - -:param tool: tool used to load audit rules either 'auditctl' or 'augenrules' -:param min_auid: minimum original ID the user logged in with - Example macro invocation(s):: perform_audit_rules_privileged_commands_remediation("auditctl", "500") perform_audit_rules_privileged_commands_remediation("augenrules", "1000") +:param tool: tool used to load audit rules either 'auditctl' or 'augenrules' +:type tool: str +:param min_auid: minimum original ID the user logged in with +:type min_auid: str + #}} {{%- macro bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid) -%}} files_to_inspect=() @@ -375,6 +390,7 @@ done {{%- endif %}} {{%- endmacro %}} + {{# Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename argument @@ -391,6 +407,7 @@ cat < "{{{ filename }}}" EOF {{%- endmacro -%}} + {{# Set parameter in /etc/audit/auditd.conf 
@@ -468,20 +485,24 @@ EOF {{# Macro to fix audit file system object watch rule for given path: + * if rule exists, also verifies the -w bits match the requirements * if rule doesn't exist yet, appends expected rule form to $files_to_inspect audit rules file, depending on the tool which was used to load audit rules - -:param audit tool tool used to load audit rules, either 'auditctl', or 'augenrules' -:param path: value of -w audit rule's argument -:param required_access_bits: value of -p audit rule's argument -:param key: value of -k audit rule's argument - Example macro invocation:: {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}} +:param tool: tool used to load audit rules, either 'auditctl', or 'augenrules' +:type tool: str +:param path: value of -w audit rule's argument +:type path: str +:param required_access_bits: value of -p audit rule's argument +:type required_access_bits: str +:param key: value of -k audit rule's argument +:type key: str + #}} {{%- macro bash_fix_audit_watch_rule(tool, path, required_access_bits, key) -%}} # Create a list of audit *.rules files that should be inspected for presence and correctness @@ -677,6 +698,7 @@ do done {{%- endmacro -%}} + {{# Disable prelinking in sysconfig 
@@ -776,17 +798,20 @@ dconf update {{# - Macro to enable or disable a particular service. +Macro to enable or disable a particular service. Examples:: - bash_service_command("enable", "bluetooth") - bash_service_command("disable", "bluetooth.service") - bash_service_command("disable", "rsh.socket", xinetd="rsh") + bash_service_command("enable", "bluetooth") + bash_service_command("disable", "bluetooth.service") + bash_service_command("disable", "rsh.socket", xinetd="rsh") :param service_state: Desired state of the service +:type service_state: str :param service: The service to change +:type service: str :param xinetd: Set the xinetd for the service. Defaults to empty string. +:type xinetd: str #}} {{%- macro bash_service_command(service_state, service, xinetd="") -%}} @@ -864,8 +889,15 @@ Example Calls: bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name") :param config_file: Configuration file that will be modified +:type config_file: str :param key: Configuration option to change +:type key: str :param value: Value of the configuration option to change +:type value: str +:param quoted_value: +:type quoted_value: str +:param sed_separator: +:type sed_separator: char #}} {{%- macro bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} @@ -906,7 +938,6 @@ done Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the preference if it does not exist. - Example Call(s): Without string or variable:: 
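Review bot: The two newly added entries `:param quoted_value:` and `:param sed_separator:` in the `bash_firefox_js_setting` docstring are empty, so the hunk adds type lines for parameters it never describes. The example call above them passes `quoted_value="$var_config_file_name"`, which suggests something like `:param quoted_value: Value to write as a double-quoted string (e.g. a shell variable reference), used instead of value` — to be confirmed against the macro body, which is outside this hunk. `:type sed_separator: char` also introduces a type name the rest of the file does not use; `:type sed_separator: str` matches the other docstrings. If, as the name and the `/` default suggest, the separator delimits the sed expression, the description should warn that it must not occur in `key` or `value`, because a delimiter that appears inside the pattern breaks the sed command (paths and URLs in Firefox preferences make `/` the usual culprit).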
@@ -922,8 +953,15 @@ Example Call(s): bash_firefox_cfg_setting("mozilla.cfg" "browser.startup.homepage" quoted_value="${var_default_home_page}") :param config_file: Configuration file that will be modified -:param key: Configuration option to change -:param value: Value of the configuration option to change +:type config_file: str +:param key: Configuration option to change +:type key: str +:param value: Value of the configuration option to change +:type value: str +:param quoted_value: +:type quoted_value: str +:param sed_separator: +:type sed_separator: char #}} {{%- macro bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} @@ -953,7 +991,9 @@ done Macro to ensure that the ntp/chrony config file contains valid server entries. :param config_file: Path to the ntp/chrony config file +:type config_file: str :param servers_list: Comma-separated list of servers +:type servers_list: str #}} {{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}} @@ -978,6 +1018,7 @@ fi not desired, avoid defining a backup name. :param backup_name: Changes the default backup name used by authselect. +:type backup_name: str #}} {{% macro bash_apply_authselect_changes(backup_name='') -%}} @@ -1056,6 +1097,7 @@ else fi {{%- endmacro -%}} + {{# Validate an authselect custom profile integrity and ensures the correct file path is defined in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of @@ -1064,7 +1106,8 @@ fi the macro will properly locate the correct profile and file to be edited in the authselect context. This sequence of commands is used in multiple PAM related macros. - :param pam_file: PAM config file. +:param pam_file: PAM config file. +:type pam_file: str #}} {{%- macro bash_ensure_pam_variables_and_authselect_profile(pam_file) -%}} 
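Review bot: As in the `bash_firefox_js_setting` docstring, the new `:param quoted_value:` and `:param sed_separator:` lines here are left without a description, and `:type sed_separator: char` is a type name the rest of the file does not use. `:type sed_separator: str` plus one line each — what `quoted_value` is for (the example passes `quoted_value="${var_default_home_page}"`) and, if the separator delimits the sed expression, that it must not appear in the key or value — would complete the entry. The macro body is outside this hunk, so the exact semantics should be checked there before the wording is fixed.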
@@ -1076,17 +1119,21 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" {{{ bash_apply_authselect_changes() }}} {{%- endmacro -%}} + {{# Enable pam_pwhistory.so PAM module according to the system capabilities. If authselect is present and the "with-pwhistory" feature is available, the feature will be enabled. If authselect is present but the "with-pwhistory" feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited. - :param pam_file: PAM config file. - :param control: PAM control flags. - :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. - Note: For this macro, there is a special value used to include a line at - the beginning of the file: "BOF" +:param pam_file: PAM config file. +:type pam_file: str +:param control: PAM control flags. +:type control: str +:param after_match: Regex used as reference to append a line, if necessary. Optional parameter. + Note: For this macro, there is a special value used to include a line at + the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro bash_pam_pwhistory_enable(pam_file, control, after_match='') -%}} @@ -1103,14 +1150,18 @@ else fi {{%- endmacro -%}} + {{# Set pam_pwhistory.so PAM module options and values. In case the file /etc/security/pwhistory.conf is present in the system, the option is ensured there and removed from pam files to avoid conflicts or confusion. :param pam_file: PAM config file. +:type pam_file: str :param option: pwhistory option e.g.: remember, retry, debug +:type option: str :param value: value of option +:type value: str #}} {{%- macro bash_pam_pwhistory_parameter_value(pam_file, option, value='') -%}} @@ -1146,6 +1197,7 @@ else fi {{%- endmacro -%}} + {{# Sets PAM faillock module options and values. In case the file /etc/security/faillock.conf is present in the system, the option is removed from pam files 
@@ -1153,8 +1205,11 @@ fi It also adds pam_faillock.so as required module for account. :param option: faillock option eg. deny, unlock_time, fail_interval +:type option: str :param value: value of option +:type value: str :param authfail: check the pam_faillock.so conf line with authfail +:type authfail: bool #}} {{%- macro bash_pam_faillock_parameter_value(option, value='', authfail=True) -%}} @@ -1214,12 +1269,16 @@ else fi {{%- endmacro -%}} + {{# Print a message to stderr and exit the shell :param message: The message to print. +:type message: str :param rc: The error code (optional, default is 1) +:type rc: int :param action: What to do (optional, default is 'exit', can be also 'return' or anything else) +:type action: str #}} {{% macro die(message, rc=1, action="exit") -%}} 
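Review bot: The `die` docstring now types its parameters but still does not warn how `message` and `action` are emitted. The macro's first body line, visible as the header context of the following hunk, is `printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2`, so only double quotes are escaped and a message containing `$`, backticks or a backslash is still interpreted by the shell, while `action` is emitted verbatim as a command word in `{{{ action }}} {{{ rc }}}`. Adding `Only double quotes are escaped; $, backticks and backslashes are interpreted by the shell.` to `:param message:` and `Emitted verbatim as a shell command, so only trusted literals should be passed.` to `:param action:` would make those constraints explicit for template authors.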
@@ -1227,22 +1286,34 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 {{{ action }}} {{{ rc }}} {{%- endmacro %}} + {{# Add an entry to a text configuration file :param path: path of the configuration file +:type path: str :param parameter: the parameter to be set in the configuration file +:type parameter: str :param value: the value of the parameter to be set in the configuration file +:type value: str :param create: whether create the file specified by path if the file does not exits +:type create: bool :param insert_after: inserts the entry right after first line that matches regular expression specified by this argument, set to EOF to insert at the end of the file +:type insert_after: str :param insert_before: inserts the entry right before first line that matches regular expression specified by this argument, set to BOF to insert at the beginning of the file +:type insert_before: str :param insensitive: ignore case +:type insensitive: bool :param separator: separates parameter from the value (literal) +:type separator: str :param separator_regex: regular expression that describes the separator and surrounding whitespace +:type separator_regex: str :param prefix_regex: regular expression describing allowed leading characters at each line +:type prefix_regex: str +:param sed_path_separator: +:type sed_path_separator: char #}} - {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}} {{%- set new_line = parameter+separator+value -%}} {{#- An escaped dollar in the parameter is escaped because of its significance for the shell, so when making a regex out of the parameter, we remove the shell escape, as the regex escape will do its thing. -#}} 
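Review bot: The new `:param sed_path_separator:` entry at the end of the `set_config_file` docstring is empty, and `:type sed_path_separator: char` uses a type name not found elsewhere in the file. The parameter is forwarded to `lineinfile_present` (first context line of the next hunk), and the sibling `lineinfile_absent` shown below builds `sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}"`, so the separator delimits a sed address and — presumably the same holds for the address `set_config_file` builds — must not occur in the regex derived from `parameter`, `insert_after` or `insert_before`. A description such as `:param sed_path_separator: Character used as the sed address delimiter for the regexes built from parameter, insert_after and insert_before; pick one that does not occur in them (the default "/" clashes with file paths)` together with `:type sed_path_separator: str` would give callers the check they need. The macro body continues outside this hunk.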
@@ -1259,6 +1330,7 @@ fi {{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive, sed_path_separator=sed_path_separator) }}} {{%- endmacro -%}} + {{%- macro lineinfile_absent(path, regex, insensitive=true, sed_path_separator="/") -%}} {{%- if insensitive -%}} {{%- set modifier="Id" -%}} @@ -1271,6 +1343,7 @@ fi LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}" {{%- endmacro -%}} + {{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true, filename_glob="*") -%}} {{%- if insensitive -%}} {{%- set modifier="Id" -%}} @@ -1280,6 +1353,7 @@ LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator } LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/{{{ filename_glob }}} {{%- endmacro -%}} + {{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true, sed_path_separator="/") -%}} {{%- if insensitive -%}} {{%- set grep_args="-q -m 1 -i" -%}} @@ -1328,11 +1402,14 @@ fi rm "{{{ path }}}.bak" {{%- endmacro -%}} + {{# Generates bash script code that puts 'contents' into a file at 'filepath' :param filepath: Filepath of the file to check +:type filepath: str :param contents: Contents that should be in the file +:type contents: str #}} {{%- macro bash_file_contents(filepath='', contents='') %}} 
@@ -1341,36 +1418,43 @@ cat << 'EOF' > {{{ filepath }}} EOF {{%- endmacro %}} + {{# Strips anchors regex around the banner text #}} {{% macro bash_deregexify_banner_anchors(banner_var_name) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g') {{%- endmacro %}} + {{# Strips multibanner regex and keeps only the first banner #}} {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\.\)|.*)$/\1/g') {{%- endmacro %}} + {{# Strips whitespace or newline regex #}} {{% macro bash_deregexify_banner_space(banner_var_name) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g') {{%- endmacro %}} + {{# Strips newline or newline escape sequence regex #}} {{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/{{{ newline }}}/g') {{%- endmacro %}} + {{# Strips newline token for a newline escape sequence regex #}} {{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g') {{%- endmacro %}} + {{# Strips backslash regex #}} {{% macro bash_deregexify_banner_backslash(banner_var_name) -%}} {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g') {{%- endmacro %}} + {{% macro bash_ini_file_set(filename, section, key, value) -%}} {{% set config_dir = "/".join(filename.split("/")[:-1]) %}} # Try find '[{{{ section }}}]' and '{{{ key }}}' in '{{{ filename }}}', if it exists, set @@ -1393,6 +1477,7 @@ else fi {{%- endmacro %}} + {{%- macro bash_sudo_remove_config(parameter, pattern) -%}} for f in /etc/sudoers /etc/sudoers.d/* ; do if [ ! -e "$f" ] ; then 
@@ -1410,6 +1495,7 @@ for f in /etc/sudoers /etc/sudoers.d/* ; do done {{%- endmacro -%}} + {{% macro bash_sssd_ldap_config(parameter, value) -%}} SSSD_CONF="/etc/sssd/sssd.conf" LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*{{{ parameter }}}' @@ -1438,6 +1524,7 @@ if grep -qvzosP $AD_REGEX $SSSD_CONF; then fi {{%- endmacro %}} + {{# Check whether or not a package is installed. #}} @@ -1471,7 +1558,9 @@ cce="{{{ cce_identifiers['cce'] }}}" Do not modify file at all if there already is newline. Always follows symlinks. - :param file: file to check +:param file: file to check +:type file: str + #}} {{%- macro bash_ensure_nl_at_eof(file) -%}} {{#- Plain sed '$a\' updates stat even if it dones not change the file. -#}} @@ -1499,11 +1588,14 @@ fi {{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}} - :param config_file: Configuration file that will be modified +:type config_file: str :param key: Configuration option to change +:type key: str :param value: Value of the configuration option to change +:type value: str :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) +:type format: str #}} {{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s') -%}} @@ -1530,6 +1622,7 @@ else fi {{%- endmacro -%}} + {{# Macro to restrict permissions in home directories of interactive users. 
@@ -1547,15 +1640,20 @@ for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid done {{%- endmacro -%}} + {{# To see how args corresponds to an :code:`/etc/fstab` entry, see `bash_ensure_mount_option_for_vfstype <#template-bash_ensure_mount_option_in_fstab>`_ documentation :param vfstype: type of filesystem +:type vfstype: str :param mount_opt: mount point option which we are checking +:type mount_opt: str :param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) +:type fs_spec: str :param type: mount type of new mount point (used when adding new entry in fstab) +:type type: str #}} {{% macro bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type) -%}} @@ -1568,6 +1666,7 @@ do done {{%- endmacro %}} + {{# Ensures that given mount point is in :code:`/etc/fstab`. @@ -1579,10 +1678,14 @@ Ensures that given mount point is in :code:`/etc/fstab`. LABEL=t-home2 /home ext4 defaults,auto_da_alloc 0 2 - :param mount_point: mount point - :param mount_opt: mount point option whose presence in /etc/fstab we are ensuring - :param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) - :param type: mount type of mount point (used when adding new entry in fstab) +:param mount_point: mount point +:type mount_point: str +:param mount_opt: mount point option whose presence in /etc/fstab we are ensuring +:type mount_opt: str +:param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) +:type fs_spec: str +:param type: mount type of mount point (used when adding new entry in fstab) +:type type: str #}} {{% macro bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type) -%}} @@ -1602,6 +1705,7 @@ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "{{{ mount_opt }}}"; t fi {{%- endmacro %}} + {{# Check whether mount_point is present in /etc/fstab; print err to stderr and return 1 if not 
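Review bot: The docstring of bash_ensure_mount_option_for_vfstype documents `:param fs_spec:` with the new `:type fs_spec: str`, but the macro signature on the hunk's last line takes `filesystem` as its third argument; `fs_spec` is the parameter name of bash_ensure_mount_option_in_fstab in the next hunk, not of this macro. Since this commit already fixes the same kind of mismatch for `tool` in bash_fix_audit_syscall_rule, rename the entry to `:param filesystem: identification of the filesystem to be mounted (LABEL, UUID, device name etc.)` and `:type filesystem: str`. The macro body runs past the hunk.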
@@ -1617,6 +1721,7 @@ grep "$mount_point_match_regexp" -q /etc/fstab \ echo "Not remediating, because there is no record of {{{ mount_point }}} in /etc/fstab" >&2; return 1; } {{%- endmacro %}} + {{# Ensure that partition is mounted at mount_point with correct options, but only if the partition is already mounted. @@ -1630,6 +1735,7 @@ if mkdir -p "{{{ mount_point }}}"; then fi {{%- endmacro %}} + {{# Based on example audit syscall rule definitions as outlined in :code:`/usr/share/doc/audit-2.3.7/stig.rules` file provided with the audit 
@@ -1644,19 +1750,29 @@ for further details. Notes: -* The 2-nd up to 4-th arguments are used to determine how many existing audit rules will be inspected for resemblance with the new audit rule the macro is going to add. -* The macro's similarity check uses the 5-th argument to optimize audit rules definitions (merge syscalls of the same group into one rule) to avoid the "single-syscall-per-audit-rule" performance penalty. -* The key argument (7-th argument) is not used when the syscall is grouped to an -existing audit rule. The audit rule will retain the key it already had. - -:param audit_tool: tool used to load audit rules, either 'auditctl', or 'augenrules +* The 2-nd up to 4-th arguments are used to determine how many existing audit + rules will be inspected for resemblance with the new audit rule the macro + is going to add. +* The macro's similarity check uses the 5-th argument to optimize audit rules + definitions (merge syscalls of the same group into one rule) to avoid the + "single-syscall-per-audit-rule" performance penalty. +* The key argument (7-th argument) is not used when the syscall is grouped to + an existing audit rule. The audit rule will retain the key it already had. + +:param tool: tool used to load audit rules, either 'auditctl', or 'augenrules +:type tool: str :param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str :param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str :param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str :param syscall: The syscall to ensure presense among audit rules. For example, "chown" +:type syscall: str :param syscall_groupings: Other syscalls that can be grouped with 'syscall' as a space separated list. 
For example, "fchown lchown fchownat" -:param key: The key to use when appending a new rule - +:type syscall_groupings: str +:param key: The key to use when appending a new rule +:type key: str #}} {{% macro bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key) -%}} @@ -1831,11 +1947,14 @@ if [ "$skip" -ne 0 ]; then fi {{%- endmacro %}} + {{# Ensures that /etc/default/grub file contains the arg_name_value. :param arg_name: name of the grub parameter, e.g.: "audit" +:type arg_name: str :param arg_name_value: parameter together with the value to ensure, e.g.: "audit=1" +:type arg_name_value: str #}} {{%- macro update_etc_default_grub_manually(arg_name, arg_name_value) -%}} @@ -1849,14 +1968,15 @@ else fi {{%- endmacro %}} + {{# Macro for Bash remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template. :param arg_name: Kernel command line argument -:type arg_name str: +:type arg_name: str :param arg_name_value: Kernel command line argument concatenated with the value of this argument using an equal sign, eg. "noexec=off". -:type arg_name_value str: +:type arg_name_value: str #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} @@ -1866,10 +1986,12 @@ Part of the grub2_bootloader_argument template. {{{ grub_command("add", arg_name_value) }}} {{% endmacro %}} + {{# Ensures that /etc/default/grub file does not contain the arg_name_value. :param arg_name: name of the grub parameter, e.g.: "audit" +:type arg_name: str #}} {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} 
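Review bot: The reworded `:param tool:` line still ends with an unbalanced quote, `either 'auditctl', or 'augenrules`, which this hunk rewrites but does not fix; it should read `:param tool: tool used to load audit rules, either 'auditctl' or 'augenrules'`. The `:param syscall:` context line in the same block has `presense` for `presence`. The body of bash_fix_audit_syscall_rule is outside the hunk.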
@@ -1879,12 +2001,13 @@ if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; t fi {{%- endmacro %}} + {{# Macro for Bash remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template. :param arg_name: Name of the kernel command line argument that will be removed from GRUB 2 configuration. -:type arg_name str: +:type arg_name: str #}} {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} @@ -1894,6 +2017,7 @@ Part of the grub2_bootloader_argument_absent template. {{{ grub_command("remove", arg_name) }}} {{% endmacro %}} + {{# This macro creates a bash conditional which is used to determine if a remediation is applicable. The macro takes package as an argument and chooses @@ -1902,8 +2026,11 @@ optional version restricion, the Bash remediation will be applied. The macro respects `platform_package_overrides` variable. :param package: package name -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type package: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_pkg_conditional(package, op=None, ver=None) -%}} 
@@ -1921,60 +2048,75 @@ JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'. {{% endif %}} {{%- endmacro -%}} + {{# This macro generates code that gets version of an installed RPM package. :param package: package name +:type package: str #}} {{%- macro bash_get_rpm_package_version(package) -%}} $(epoch=$(rpm -q --queryformat '%{EPOCH}' {{{ package }}}); version=$(rpm -q --queryformat '%{VERSION}' {{{ package }}}); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version") {{%- endmacro -%}} + {{# This macro creates a Bash conditional that compares version of the package with a given version. Description of the algorithm: -1. Get the actual version of the given package and store it in `real`. -2. Store the expected version in `ver`. -3. Perform the comparison and return the result. + +#. Get the actual version of the given package and store it in `real`. +#. Store the expected version in `ver`. +#. Perform the comparison and return the result. Comparison method is different based on the comparison operator. The method code is chosen at the build time during Jinja expansion. Therefore, the algorithm doesn't use the operator at all. Based on the operator, these operations are performed: - a. "<": real != ver && is_sorted([real, ver]) - b. "<=": is_sorted([real, ver]) - c. "==": real == ver - d. "!=": real != ver - e. ">=" real != ver && is_sorted([ver, real]) - f. ">" is_sorted([ver, real]) + + #. "<": real != ver && is_sorted([real, ver]) + #. "<=": is_sorted([real, ver]) + #. "==": real == ver + #. "!=": real != ver + #. ">=" real != ver && is_sorted([ver, real]) + #. ">" is_sorted([ver, real]) + where is_sorted returns true if the given list parameter is a sorted list of version numbers. 
The implementation uses the GNU `sort` version ordering, which is described at: https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-ordering :param real: real package version +:type real: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param expected: expected package version +:type expected: str #}} {{%- macro bash_pkg_conditional_compare(real, op, expected) -%}} { real="{{{ real }}}"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; } {{%- endmacro -%}} + {{# This macro generates comparison code based on the operator. Assumptions: -- Version arguments are either literal, or they expand to versions (e.g. the argument is a deferenced variable) -- Either all versions have epoch, or none of them has. - - Violation of this results in undefined behavior. - - If one has epoch e.g. 0, and the other one has no epoch, they will not be treated as equal. + +* Version arguments are either literal, or they expand to versions (e.g. the argument is a deferenced variable) +* Either all versions have epoch, or none of them has. + + * Violation of this results in undefined behavior. + * If one has epoch e.g. 0, and the other one has no epoch, they will not be treated as equal. :param real: real package version +:type real: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param expected: expected package version +:type expected: str #}} {{%- macro bash_compare_version(real, op, expected) -%}} 
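Review bot: The restructured assumptions list of bash_compare_version keeps the typo `deferenced` on the new side of the hunk; the line should read `* Version arguments are either literal, or they expand to versions (e.g. the argument is a dereferenced variable)`. The epoch caveat in the same block agrees with the `0:` prefix requirement stated for bash_pkg_conditional_rpm in the following hunk, so only the spelling needs attention.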
@@ -1993,13 +2135,17 @@ printf "%s\n%s" "{{{ expected }}}" "{{{ real }}}" | sort -VC {{%- endif -%}} {{%- endmacro -%}} + {{# This macro creates a Bash conditional which uses rpm to check if a package passed as a parameter is installed. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") The version always needs to contain epoch. If the package has no epoch, please prepend "0:". +:type ver: str #}} {{%- macro bash_pkg_conditional_rpm(package, op=None, ver=None) -%}} @@ -2010,10 +2156,12 @@ rpm --quiet -q {{{ package }}} {{%- endif -%}} {{%- endmacro %}} + {{# This macro generates code that gets version of an installed DEB package. :param package: package name +:type package: str #}} {{%- macro bash_get_dpkg_package_version(package) -%}} @@ -2021,13 +2169,17 @@ This macro generates code that gets version of an installed DEB package. dpkg-query -f='${Version}\n' --show {{{ package }}} | cut -f1 -d- {{%- endmacro -%}} + {{# This macro creates a Bash conditional that compares version of the DEB package with a given version. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_compare_version_dpkg(package, op, ver) -%}} 
@@ -2035,12 +2187,16 @@ with a given version. { real="$({{{ bash_get_dpkg_package_version(package) }}})"; ver="{{{ ver }}}"; dpkg --compare-versions "$real" "{{{ op_codes[op] }}}" "$ver"; } {{%- endmacro -%}} + {{# This macro creates a Bash conditional which uses dpkg to check if a package passed as a parameter is installed. :param package: package name -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type package: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_pkg_conditional_dpkg(package, op=None, ver=None) -%}} 
@@ -2051,19 +2207,25 @@ dpkg-query --show --showformat='${db:Status-Status}\n' '{{{ package }}}' 2>/dev/ {{%- endif -%}} {{%- endmacro -%}} + {{# Macro to replace configuration setting(s) in the Chromium stig policy (.json) file or add the preference if it does not exist. -Example macro invocation: +Example macro invocation:: {{{ bash_chromium_pol_setting("chrome_stig_policy.json", "/etc/chromium/policies/managed/", "ExtensionInstallBlacklist", "\[\"*\"\]") }}} -:param chrome_pol_file: Policy file to that will be modified -:param chrome_pol_dir: Directory where the policy file is located -:param pol_setting: The setting that will be modified -:param pol_setting_val: Value of the setting to replace the current value with -:param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present +:param chrome_pol_file: Policy file to that will be modified +:type chrome_pol_file: str +:param chrome_pol_dir: Directory where the policy file is located +:type chrome_pol_dir: str +:param pol_setting: The setting that will be modified +:type pol_setting: str +:param pol_setting_val: Value of the setting to replace the current value with +:type pol_setting_val: str +:param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present +:type pol_setting_val_edit: str #}} {{%- macro bash_chromium_pol_setting(chrome_pol_file, chrome_pol_dir, pol_setting, pol_setting_val, pol_setting_val_edit=None) %}} 
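Review bot: The rewritten `:param chrome_pol_file:` line carries over the garbled phrase `Policy file to that will be modified`; it should be `:param chrome_pol_file: Policy file that will be modified`. The body of bash_chromium_pol_setting is outside the hunk.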
@@ -2104,18 +2266,22 @@ done < <({{{ command_and_its_args }}}) {{# - # Ensure key is set to correct value under a correct section in an .ini style config file + Ensure key is set to correct value under a correct section in an .ini style config file + +Example macro invocation(s):: + + {{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "offline_credentials_expiration", "1") }}} + {{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") }}} :param files: list of space-separated files to add key = value to (may contain wildcards) if none contain section, create and append to FIRST file +:type files: str :param section: section to add key = value under +:type section: str :param key: key +:type key: str :param value: value - -Example macro invocation(s): - - bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "offline_credentials_expiration", "1") - bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") +:type value: str #}} {{% macro bash_ensure_ini_config(files, section, key, value) -%}} @@ -2153,10 +2319,12 @@ fi If the line is not present, it will be included after the regex informed in the "after_match" parameter. If the "after_match" parameter is empty, the line will be included at the end of the file informed in the "pam_file" parameter. + If the line was already present, but with a different control, the control will be updated. Note: If there are multiple lines matching the "group" + "module", no lines will be updated. Instead, a new line will be included after the regex informed in "after_match" or at the end of file if "after_match" parameter is empty or there is no match. + This is a conservative safeguard for improper use of this macro in rare cases of modules configured by multiple lines, like pam_sss.so, pam_faillock.so and pam_lastlog.so. In some situations, these special modules may have similar lines sharing the same "group" and "module". 
@@ -2164,11 +2332,16 @@ fi PAM module is working as expected. Otherwise, a custom remediation should be considered. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. Note: For this macro, there is a special value used to include a line at the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro bash_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}} @@ -2199,12 +2372,19 @@ fi Make sure that an existing PAM module line is properly configured with an option. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro bash_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}} 
@@ -2230,10 +2410,15 @@ fi Remove a PAM module option if present in a PAM module line. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro bash_remove_pam_module_option(pam_file, group, control, module, option) -%}} @@ -2300,12 +2485,19 @@ fi relies on authselect. Otherwise, the PAM files will be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. Optional parameter. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro bash_ensure_pam_module_configuration(pam_file, group, control, module, option='', value='', after_match='') -%}} 
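Review bot: `control` is documented as `Optional parameter, but recommended to be informed whenever possible` in bash_remove_pam_module_option, yet the signature on the hunk's last line, `bash_remove_pam_module_option(pam_file, group, control, module, option)`, gives it no default, so callers must still pass a value. The docstring should say what that value is; if the body (outside the hunk) treats an empty string as "unspecified", write `:param control: PAM control flags. Pass an empty string to match any control, but specify it whenever possible.`. The same wording and the same default-less signature appear in the bash_remove_pam_module_option_configuration hunk that follows.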
@@ -2328,16 +2520,22 @@ else fi {{%- endmacro -%}} + {{# Remove a PAM module option from an existing PAM module line. This macro is compatible with custom authselect profiles if the system relies on authselect. Otherwise, the PAM files will be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro bash_remove_pam_module_option_configuration(pam_file, group, control, module, option) -%}} @@ -2381,6 +2579,7 @@ else fi {{%- endmacro %}} + {{# Macro to insert script to find Mozilla Firefox location on the target system. @@ -2403,10 +2602,14 @@ conforms and satisfies the optional version restricion, the Bash remediation will be applied. :param os_id: OS name, value of the ID variable in /etc/os-release +:type os_id: str :param expected_ver: expected OS version, value of the VERSION_ID variable in /etc/os-release (optional argument, use together with "op") -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type expected_ver: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_os_linux_conditional(os_id, expected_ver=None, op=None, os_release_path="/etc/os-release") -%}} 
@@ -2417,24 +2620,30 @@ grep -qP "^ID=[\"']?{{{ os_id }}}[\"']?$" "{{{ os_release_path }}}" {{%- endif -%}} {{%- endmacro %}} + {{# This macro generates bash condition that compares the actual version of the operating system with the expected version using the given operator. :param expected: expected OS version, value of the VERSION_ID variable in /etc/os-release +:type expected: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_compare_version_os_linux(expected, op, os_release_path="/etc/os-release") -%}} { real="$({{{ bash_get_version_os_linux(os_release_path) }}})"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; } {{%- endmacro -%}} + {{# This macro generates code that retrieves the operating system version from /etc/os-release from VERSION_ID variable. :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_get_version_os_linux(os_release_path="/etc/os-release") -%}} diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 9edc7f3c5d3..2147919809c 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -7,6 +7,7 @@ :type key: str :param rule_path: Full path to where the rule wil :type rule_path: str + #}} {{% macro fixtext_audit_file_watch_rule(path, key, rule_path) -%}} Configure {{{ full_name }}} to generate audit records for all account creations, modifications, disabling, and termination events that "{{{ path }}}". 
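Review bot: The `:param rule_path:` context line in fixtext_audit_file_watch_rule ends mid-word, `Full path to where the rule wil`, and the hunk only adds a blank line above `#}}` without completing it. If the source line really stops there, finish the sentence, e.g. `:param rule_path: Full path to the rules file the watch rule will be written to`. The rest of the macro body is outside the hunk.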
@@ -18,6 +19,7 @@ Add or update the following file system rule to "{{{ rule_path }}}": The audit daemon must be restarted for the changes to take effect. {{% endmacro %}} + {{% macro fixtext_audit_rules(event, key, event_group, extra_params=False, flag=None) -%}} Configure the audit system to generate an audit event for any successful/unsuccessful use of the "{{{ event }}}" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/{{{ key }}}.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory: 
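Review bot: fixtext_audit_rules(event, key, event_group, extra_params=False, flag=None) receives the new blank line but has no `{{# ... #}}` docstring, while every macro around it in this file now carries `:param`/`:type` entries. Add a block above it describing the five parameters: `event` (the system call named in the text), `key` (the file name used in `/etc/audit/rules.d/{{{ key }}}.rules`), `event_group` (the text listing the system calls that may share a line), `extra_params` (bool), and `flag` (an extra filter expression, as in the `pos+"&0100"` passed by the o_creat caller later in the diff). The macro body continues outside the hunk.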
@@ -47,70 +49,76 @@ It's allowed to group this system call within the same line as {{{ event_group } The audit daemon must be restarted for the changes to take effect. {{% endmacro %}} + {{# Generate a fixtext for audit rules for file deletion events :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_file_deletion_events(syscall) -%}} {{{ fixtext_audit_rules(syscall, "delete", '"rename", "unlink", "rmdir", "renameat", and "unlinkat"') }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for dac modification events - chmod :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chmod(syscall) -%}} {{{ fixtext_audit_rules(syscall, "perm_mod", '"chmod", "fchmod" and "fchmodat"') }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for dac modification events - chown :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}} {{{ fixtext_audit_rules(syscall, "perm_mod", '"chown", "fchown", "fchownat" and "lchown"') }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for dac modification events - chown :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}} {{{ fixtext_audit_rules(syscall, "perm_mod", '"chown", "fchown", "fchownat" and "lchown"') }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for dac modification events - attr :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_attr(syscall) -%}} {{{ fixtext_audit_rules(syscall, "perm_mod", '"fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr"') }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for unsuccessful file modification Used in rules using template audit_rules_unsuccessful_file_modification :param 
syscall: syscall name -:type path: str +:type syscall: str :param syscall_grouping: A list of other syscalls that can be audited with the same audit rules. -:type path: str +:type syscall_grouping: list #}} {{% macro fixtext_audit_rules_unsuccessful_file_modification(syscall, syscall_grouping) -%}} @@ -118,13 +126,14 @@ The audit daemon must be restarted for the changes to take effect. {{{ fixtext_audit_rules(syscall, "access", syscall_grouping_text, extra_params=True) }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for unsuccessful file modification when O_CREAT flag is specified. Used in rules using template audit_rules_unsuccessful_file_modification_o_creat :param syscall: syscall name -:type path: str +:type syscall: str :param pos: position of the O_CREAT argument in the syscall parameters :type pos: str @@ -133,13 +142,14 @@ The audit daemon must be restarted for the changes to take effect. {{{ fixtext_audit_rules(syscall, "unsuccesful-create", '"open", "openat" and "open_by_handle_at"', extra_params=True, flag=pos+"&0100") }}} {{% endmacro %}} + {{# Generate a fixtext for audit rules for unsuccessful file modification when O_TRUNC_WRITE flag is specified. Used in rules using template audit_rules_unsuccessful_file_modification_o_trunc_write :param syscall: syscall name -:type path: str +:type syscall: str :param pos: position of the O_CREAT argument in the syscall parameters :type pos: str 
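Review bot: The hunk shows fixtext_audit_rules_dac_modification_chown defined twice with identical docstrings and bodies, and the commit updates `:type syscall: str` in both copies instead of removing one. Jinja keeps the later definition, so the duplicate is harmless today but will silently diverge the first time only one copy is edited; drop the second block. fixtext_audit_rules_unsuccessful_file_modification, which ends this hunk, continues past it.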
@@ -148,12 +158,13 @@ The audit daemon must be restarted for the changes to take effect. {{{ fixtext_audit_rules(syscall, "unsuccesful-modification", '"openat" and "open_by_handle_at"', extra_params=True, flag=pos+"&01003") }}} {{% endmacro %}} + {{# Generate a fixtext for ordering of audit rules for unsuccessful file modification. Used in rules using template audit_rules_unsuccessful_file_modification_rule_order. :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_unsuccessful_file_modification_rule_order(syscall) -%}} @@ -166,6 +177,7 @@ The audit daemon must be restarted for the changes to take effect. The audit daemon must be restarted for the changes to take effect. {{% endmacro %}} + {{# Human readable text for how to fix ini files @@ -194,6 +206,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo dconf update {{%- endmacro -%}} + {{# Human readable text for how to lock dconf settings @@ -215,6 +228,7 @@ The audit daemon must be restarted for the changes to take effect. {{{ section }}} {{%- endmacro -%}} + {{# Describe how to fix an ssh configure @@ -223,6 +237,7 @@ The audit daemon must be restarted for the changes to take effect. :parameter value: Value to set :type value: str :param config_is_distributed: Should the value go in 00-complianceascode-hardening.conf vs the main sshd config file +:type config_is_distributed: bool #}} {{%- macro fixtext_sshd_lineinfile(parameter, value, config_is_distributed) -%}} @@ -241,11 +256,12 @@ The audit daemon must be restarted for the changes to take effect. {{%- endmacro -%}} + {{# Describe how to enable a service -:param parameter: service to enable -:type parameter: str +:param service: service to enable +:type service: str #}} {{%- macro fixtext_service_enabled(service) -%}} 
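Review bot: The fixtext_sshd_lineinfile docstring uses `:parameter value: Value to set` while the new `:type config_is_distributed: bool` and every other entry in this file use `:param`; change it to `:param value: Value to set` so the directives stay uniform. The macro body is outside the hunk.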
@@ -254,11 +270,12 @@ The audit daemon must be restarted for the changes to take effect. $ sudo systemctl enable --now {{{ service }}} {{%- endmacro -%}} + {{# Describe how to disable a service -:param parameter: service to be disabled -:type parameter: str +:param service: service to be disabled +:type service: str #}} {{%- macro fixtext_service_disabled(service) -%}} @@ -269,11 +286,12 @@ The audit daemon must be restarted for the changes to take effect. $ sudo systemctl mask --now {{{ service }}} {{%- endmacro -%}} + {{# Describe how to disable a socket -:param parameter: socket to be disabled -:type parameter: str +:param socket: socket to be disabled +:type socket: str #}} {{%- macro fixtext_socket_disabled(socket) -%}} @@ -284,6 +302,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo systemctl mask --now {{{ socket }}} {{%- endmacro -%}} + {{# Macro describing fix for sysctl rules. @@ -302,6 +321,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system {{%- endmacro %}} + {{# Describe fix for GRUB 2 bootloader kernel argument This can be used for rules that use grub2_bootloader_argument template @@ -323,6 +343,7 @@ Run the following command: $ sudo {{{ grub_command("add", argument + "=" + value) }}} {{% endmacro %}} + {{# Describe fix for removal of a GRUB 2 bootloader kernel argument This can be used for rules that use grub2_bootloader_argument_absent template @@ -352,6 +373,7 @@ $ sudo {{{ grub_command("remove", argument) }}} :type param: str :param value: The value of the audit configuration. :type value: str + #}} {{% macro fixtext_audit_configuration(param, value) -%}} Edit the file "/etc/audit/auditd.conf" and add or edit the following line: @@ -359,6 +381,7 @@ Edit the file "/etc/audit/auditd.conf" and add or edit the following line: {{%- endmacro %}} + {{# Fixtext macro describing configuration of mount option, for rules using the mount_option template. 
@@ -373,6 +396,7 @@ for rules using the mount_option template. Modify "/etc/fstab" to use the "{{{ mountoption }}}" option on the "{{{ mountpoint }}}" directory. {{%- endmacro %}} + {{# Fixtext macro describing how to audit a command. @@ -392,6 +416,7 @@ Configure the audit system to generate an audit event for any successful/unsucce The audit daemon must be restarted for the changes to take effect. {{%- endmacro %}} + {{# Fixtext for ensuring that a privileged command is audited. @@ -399,6 +424,7 @@ Fixtext for ensuring that a privileged command is audited. :type cmd: str :param path_prefix: The directory the command is in :type path_prefix: str + #}} {{% macro fixtext_audit_rules_privileged_commands(cmd, path_prefix, key) -%}} Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "{{{ cmd }}}" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": @@ -408,6 +434,7 @@ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessf The audit daemon must be restarted for the changes to take effect. {{%- endmacro %}} + {{# Fixtext for removing a package @@ -421,6 +448,7 @@ To remove the {{{ full_name }}} package {{{ package }}} run the following comman {{{ package_remove(package) }}} {{%- endmacro %}} + {{# Fixtext for installing a package @@ -434,6 +462,7 @@ To install the {{{ full_name }}} package {{{ package }}} run the following comma {{{ package_install(package) }}} {{%- endmacro %}} + {{# Fixtext for disabling a kernel module @@ -452,6 +481,7 @@ blacklist {{{ module }}} Reboot the system for the settings to take effect. {{%- endmacro %}} + {{# Fixtext for setting the owner on a file. 
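Review bot: fixtext_audit_rules_privileged_commands takes three arguments (`cmd`, `path_prefix`, `key`) but the header this hunk touches documents only the first two, and the hunk adds a blank line before `#}}` instead of the missing entry. Add `:param key: Key (-k) attached to the generated audit rule` and `:type key: str`; the sibling OCIL macro in 10-ocil.jinja falls back to `privileged-<cmd>` when key is empty, and if this macro does the same the entry should say so — confirm against the body. The blank line before `#}}` is also added in the fixtext_audit_configuration hunk and in the oval_test_package_removed hunk of 10-oval.jinja, while the surrounding headers end directly at `#}}`; one convention should be chosen. The macro body continues outside the hunk.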
@@ -467,13 +497,14 @@ Change the owner of the file {{{ file }}} to {{{ owner }}} by running the follow $ sudo chown {{{ owner }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the group owner on a file. :param file: The file to set the group owner on :type file: str -:param owner: The group to be set -:type owner: str +:param group: The group to be set +:type group: str #}} {{% macro fixtext_file_group_owner(file, group) %}} @@ -482,6 +513,7 @@ Change the group of the file {{{ file }}} to {{{ group }}} by running the follow $ sudo chgrp {{{ group }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the owner on a directory. @@ -497,6 +529,7 @@ Change the owner of the directory {{{ file }}} to {{{ owner }}} by running the f $ sudo chown {{{ owner }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the group owner on a directory. @@ -512,6 +545,7 @@ Change the group of the directory {{{ file }}} to {{{ group }}} by running the f $ sudo chgrp {{{ group }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the permissions on a directory. @@ -543,6 +577,7 @@ Configure the "{{{ file }}}" file to "{{{ mode }}}" by running the following com $ sudo chmod {{{ mode }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for having a mount point on another partition @@ -554,10 +589,12 @@ Fixtext for having a mount point on another partition Migrate the "{{{ part }}}" path onto a separate file system. {{%- endmacro %}} + {{# Fixtext for how to restrict RBAC permissions for cluster logging :param verb: The RBAC verb to restrict +:type verb: str #}} {{% macro fix_openshift_logging_rbac(verb) -%}} diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja index fe8dabbeda2..31a0681afa0 100644 --- a/shared/macros/10-kubernetes.jinja +++ b/shared/macros/10-kubernetes.jinja 
@@ -174,6 +174,7 @@ spec: overwrite: true {{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in MachineConfig format with dependencies reflected: @@ -218,7 +219,6 @@ spec: - source_content (String): The source of the content to be applied. - vals (list): The list of required values for this remediation to be applies for example: var_something #}} - {{%- macro kubernetes_machine_config_file_with_required_value(path='', file_permissions_mode='', source='', vals=[]) -%}} apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig @@ -469,12 +469,14 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file_with_dependencies(path='/etc/usbguard/usbguard-daemon.conf', file_permissions_mode='0600', source=usbguard_config_source(), deps=deps, ocp_version_range='>=4.7.0') }}} {{%- endmacro -%}} + {{% macro kubernetes_machineconfig_audit_add_watch_rule(path='', permissions='', key='') -%}} {{%- set audit_watch_rule = "-w " + path + " -p " + permissions + " -k " + key + "\n" -%}} {{%- set audit_watch_rule_path = "/etc/audit/rules.d/75-" + path | replace('/', '') + "-" + permissions + "-" + key + ".rules" -%}} {{{ kubernetes_machine_config_file(path=audit_watch_rule_path, file_permissions_mode='0600', source=audit_watch_rule) }}} {{%- endmacro %}} + {{% macro audit_syscalls_rule(syscalls=[], key='', fields='') %}} {{%- for syscall in syscalls -%}} -a always,exit -F arch=b64 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}} -k {{{ key }}} 
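Review bot: kubernetes_machineconfig_audit_add_watch_rule and audit_syscalls_rule, between which this hunk inserts a blank line, are the only macros in the visible part of this file without a `{{# ... #}}` header, so the rules-file naming (`75-<path without slashes>-<permissions>-<key>.rules`) and the `arch=b64`-only syscall rules are undocumented. A header for the first should state that it emits a MachineConfig writing `-w <path> -p <permissions> -k <key>` to a rules.d file whose name is derived from the three arguments with slashes stripped from path; for the second, that one `-a always,exit -F arch=b64 -S <syscall>` line is emitted per entry of `syscalls`, with `-F <fields>` only when fields is non-empty and `-k <key>` appended. The filter inside the path expression reads more clearly parenthesised: `{{%- set audit_watch_rule_path = "/etc/audit/rules.d/75-" + (path | replace('/', '')) + "-" + permissions + "-" + key + ".rules" -%}}`. audit_syscalls_rule continues outside the hunk.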
@@ -490,6 +492,7 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file(path=path, file_permissions_mode='0600', source=audit_syscalls_rule(syscalls, key, fields)) }}} {{%- endmacro %}} + {{% macro rhcos_ospp_audit_rules() -%}} ## This content is a section of an Audit config snapshot recommended for {{{full_name|urlencode}}} systems that target OSPP compliance. ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules @@ -541,6 +544,7 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-remediation.rules', file_permissions_mode='0600', source=rhcos_ospp_audit_rules()) }}} {{%- endmacro %}} + {{% macro rhcos_logrotate_config() -%}} # see "man logrotate" for details # rotate log files daily @@ -572,6 +576,7 @@ include /etc/logrotate.d {{{ kubernetes_machine_config_file(path='/etc/logrotate.conf', file_permissions_mode='0644', source=rhcos_logrotate_config()) }}} {{%- endmacro %}} + {{% macro rhcos_auditd_config() -%}} # # This file controls the configuration of the audit daemon @@ -622,6 +627,7 @@ plugin_dir = /etc/audit/plugins.d {{{ kubernetes_machine_config_file(path='/etc/audit/auditd.conf', file_permissions_mode='0640', source=rhcos_auditd_config()) }}} {{%- endmacro %}} + {{% macro kubernetes_machineconfig_auditd_config_with_required_value(vals=[]) -%}} {{{ kubernetes_machine_config_file_with_required_value(path='/etc/audit/auditd.conf', file_permissions_mode='0640', source=rhcos_auditd_config(),vals=vals)}}} {{%- endmacro %}} @@ -656,6 +662,7 @@ spec: path: /etc/chrony.d/ntp-server.conf {{%- endmacro %}} + {{% macro ntp_server() -%}} # # This file controls the configuration of the ntp server @@ -681,6 +688,7 @@ spec: {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}} {{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in kubelet config format: - path (String): path for the variable 
@@ -695,7 +703,8 @@ metadata: complianceascode.io/node-role: "{{.{{{ role }}}}}" spec: {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}} -{{%- endmacro -%}} +{{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in kubelet config format: diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 91eccc49fbd..925dbb348ba 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -44,6 +44,7 @@ Standard audit OCIL clause the command does not return a line, or the line is commented out {{%- endmacro %}} + {{# OCIL and OCIL clause for ensuring that a privileged command is audited. @@ -64,6 +65,7 @@ ocil: |- -a always,exit -F path={{{ path_prefix }}}{{{ cmd }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -k {{% if key %}}{{{ key }}}{{% else %}}privileged-{{{ cmd }}}{{% endif %}} {{% endmacro %}} + {{# OCIL for adding a syscall to audit logs @@ -117,6 +119,7 @@ ocil: | If the system is configured to audit this activity, it will return a line. {{%- endmacro %}} + {{# OCIL for adding a unsuccessful syscall to audit logs @@ -146,6 +149,7 @@ ocil: | {{{ ocil_clause_entry_audit_syscall() }}} {{%- endmacro %}} + {{# OCIL and OCIL clause for adding a unsuccessful syscall to audit logs @@ -161,7 +165,6 @@ ocil: | {{%- endmacro %}} - {{# Package macros #}} {{# @@ -301,6 +304,7 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. {{%- endif -%}} {{%- endmacro %}} + {{# Inserts an OCIL Clause for a case when a service should be enabled. @@ -371,6 +375,7 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. {{%- endif -%}} {{%- endmacro %}} + {{# Inserts an OCIL Clause for a case when a service should be disabled. 
@@ -651,7 +656,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect. :param port: The port to allow -:type port: int +:type port: str :param proto: The protocol to allow :type proto: str :param service: The service to allow @@ -689,6 +694,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' If firewalld is configured to prevent access, no output will be returned. {{%- endmacro %}} + {{# Kernel modules macros #}} {{# @@ -741,6 +747,7 @@ ocil: |- ocil_clause: "{{{ sebool }}} is not set as expected" {{%- endmacro %}} + {{# Describe how to check if given SELinux boolean is set depending on a variable. @@ -824,8 +831,8 @@ ocil_clause: "{{{ sebool }}} is not enabled" {{# Describe how to check if timer is enabled in systemd. -:param service: The service to check -:type service: str +:param timer: The timer to check +:type timer: str #}} {{%- macro systemd_ocil_timer_enabled(timer) %}} @@ -959,8 +966,8 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. :param file: File to change :type file: str -:param owner: the group owner for the file -:type owner: str +:param group: the group owner for the file +:type group: str #}} {{%- macro ocil_clause_file_group_owner(file, group) -%}} @@ -1081,11 +1088,12 @@ Fill in GRUBENV_FILE_LOCATION based on information above. {{# Write out the OCIL for generating the common check for Firefox configuration + :param preference: Name of preference :type preference: str :param config: configuration item name in Firefox :type config: str -:param value: Expected value for preference +:param value: Expected value for preference, "true" or "false" :type value: str #}} @@ -1110,6 +1118,7 @@ ocil: |-
lockPref("{{config}}", "{{value}}");
{{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification template @@ -1167,6 +1176,7 @@ The output should be the following: {{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_trunc_write template @@ -1196,6 +1206,7 @@ The output should be the following: {{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_rule_order template @@ -1228,13 +1239,14 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati -a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access {{%- endmacro %}} + {{# OpenShift Logging Macros #}} {{# OCIL for how to check RBAC permissions for cluster logging :param verb: The RBAC verb to check -:type file: str +:type verb: str #}} {{%- macro ocil_cluster_logging_rbac_review(verb) -%}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 307df197d98..d913fc53645 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -11,6 +11,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Constants. 
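Review bot: The rendered check line `lockPref("{{config}}", "{{value}}");` uses double-brace placeholders while every other substitution in these macro files is `{{{ ... }}}`; if the project's Jinja environment only recognises the triple-brace delimiters, this line is emitted verbatim and the `"true"`/`"false"` guidance added by the docstring hunk just above (`@@ -1081`) never reaches the OCIL text. Even when substituted, the value stays inside double quotes, so for the boolean preferences that docstring now describes the displayed expectation would be a string pref rather than `true`/`false`; if the preferences are booleans, `lockPref("{{{ config }}}", {{{ value }}});` looks like the intended line — confirm against the rendered output of a Firefox rule. The enclosing macro starts outside the hunk.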
@@ -31,13 +32,13 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param separator_regex: Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression. :type separator_regex: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). -:type missing_parameter_pass: boolean +:type missing_parameter_pass: bool :param application: The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. :type application: str :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -:type multi_value: boolean +:type multi_value: bool :param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system. -:type missing_config_file_fail: boolean +:type missing_config_file_fail: bool :param section: If set, the parameter will be checked only within the given section defined by [section]. :type section: str :param quotes: If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. 
@@ -98,15 +99,18 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the criterion of the OVAL check (Criterion definition). -:param oval_line_in_file_criterion: Path to the configuration file to be checked. -:type oval_line_in_file_criterion: str +:param path: Path to the configuration file to be checked. +:type path: str :param parameter: The parameter to be checked in the configuration file. :type parameter: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool +:param comment: Optional criterion comment +:type comment: str :param id_stem: The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID. :type id_stem: str :param avoid_conflicting: If true, the check will only pass in case all (if any) configurations found are compliant @@ -131,6 +135,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" /> {{%- endmacro %}} + {{# Macro to define the OVAL test to be constructed (Test definition). @@ -170,6 +175,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to check if a parameter in a configuration file is set (Object definition). 
@@ -184,7 +190,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param separator_regex: Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression. :type separator_regex: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). -:type missing_parameter_pass: str +:type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. :type multi_value: bool :param filename_regex: If specified, the first argument is interpreted as `path`, and this will serve as `filename` regex. @@ -238,6 +244,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to check if a expected value can be found in the extracted information of an OVAL object (State definition). 
@@ -270,22 +277,27 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false, avoid_conflicting=false) -%}} {{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir", avoid_conflicting=avoid_conflicting) -}}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false, avoid_conflicting=false) -%}} {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir", avoid_conflicting=avoid_conflicting) }}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}} {{{- oval_line_in_file_object(path_or_filepath=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filename_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}} {{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}} {{%- endmacro %}} + {{# Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition). @@ -297,6 +309,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if the configuration file exists (Test definition). @@ -310,6 +323,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL criterion that requires a file not to exist. The id of the test name will be test_. 
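Review bot: The four oval_line_in_directory_* wrappers this hunk separates with blank lines have no `{{# ... #}}` header, unlike the oval_line_in_file_* macros they delegate to, so a reader cannot see that they share the id stem `rule_id ~ "_config_dir"` and that the object restricts matching to files ending in `.conf`. A header above oval_line_in_directory_criterion describing the group as the directory variant of the line_in_file macros, covering `.conf` files under `path` and using the `_config_dir` id stem, with `:param`/`:type` entries mirroring the wrapped macros, would close the gap. Separately, the filename pattern is written `".*\.conf$"` while the regex literals beside it use a doubled backslash (`'^[ \\t]*'`); Jinja decodes string literals with unicode-escape, so `\.` only survives because it is not a recognised escape — `filename_regex=".*\\.conf$"` keeps the style uniform.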
@@ -322,6 +336,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if the configuration file exists (Test definition). @@ -339,6 +354,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL object to check if the configuration file exists (Object definition). @@ -352,6 +368,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition). @@ -377,6 +394,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_{{{ rule_id }}}_{{{ name_value|escape_id }}}_argument_in_{{{ filepath|escape_id }}}" {{% if negate %}}negate="true" {{% endif %}}/> {{%- endmacro -%}} + {{# Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition). @@ -421,6 +439,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value. @@ -429,7 +448,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param name: Argument name :type name: str :param value: Argument value -:type name: str +:type value: str :param line_prefix: The starting part of the line with the list of arguments, default is empty :type line_prefix: str :param line_suffix: The ending part of the line with the list of arguments, default is empty 
@@ -448,6 +467,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. A case insensitive comparison is used in the prefix because sshd_config has case-insensitive parameters (but case-sensitive values). @@ -468,6 +488,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# High level macro to check if a particular shell variable is set. @@ -478,7 +499,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param value: The variable value WITHOUT QUOTES. :type value: str :param application: The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. -:type value: application +:type application: str :param no_quotes: If set, the check will require that the RHS of the assignment is the literal value, without quotes. If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check. :type no_quotes: bool :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
@@ -501,6 +522,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}} {{%- endmacro %}} + {{# High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. @@ -511,7 +533,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -:type missing_parameter_pass: bool +:type multi_value: bool :param missing_config_file_fail: If set, the check will fail if the configuration file doesn't exist in the system. :type missing_config_file_fail: bool @@ -520,6 +542,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# High level macro to set a parameter in /etc/systemd/coredump.conf. 
@@ -539,18 +562,19 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/systemd/coredump.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="systemd-coredump", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section="Coredump") }}} {{%- endmacro %}} + {{# High level macro to check if a particular combination of parameter and value in the grub configuration file is set. :param parameter: The parameter to be checked in the configuration file. :type parameter: str :param value: The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). -:type parameter: str +:type value: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. :type multi_value: bool -:param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system. +:param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system. :type missing_config_file_fail: bool #}} @@ -558,6 +582,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/default/grub", prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application="grub", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# To be removed macro. Prevents regression on sshd configuration rules. #}} 
@@ -574,6 +599,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro %}} + + {{# To be removed macro. Prevents regression on sshd configuration rules. #}} @@ -591,6 +618,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{# Note that a criteria was left open #}} {{%- endmacro %}} + {{# High level macro which checks configuration in an INI file. @@ -616,6 +644,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file(path=path, prefix_regex="^\s*", parameter=parameter, value=value, separator_regex="[ \\t]*=[ \\t]*", missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section=section) }}} {{%- endmacro %}} + {{# Creates OVAL tests with given test_id which checks if package is not installed. @@ -624,6 +653,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type package: str :param test_id: Suffix of the Ids in test, obj, and state elements :type test_id: str + #}} {{%- macro oval_test_package_removed(package='', test_id='') -%}} {{% if pkg_system == "rpm" %}} @@ -647,6 +677,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro -%}} + {{# Creates OVAL tests with given test_id which checks if package is installed. Optionally, it can check if a package of a given version (EVR) @@ -698,6 +729,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro -%}} + {{# Macro which generates OVAL test for OpenShift Container Platform runtime process configuration. @@ -726,6 +758,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# Macro which generates OVAL definition, test and object that check for contents of the file. 
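Review bot: This hunk inserts two blank lines after the closing `{{%- endmacro %}}` (two `+` lines), whereas every other hunk in the commit normalises the gap between macros to a single blank line; one of the two added lines should be dropped. The macro being closed starts outside the hunk.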
@@ -733,6 +766,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param filepath: filepath of the file to check :type filepath: str :param filepath_id: Used like test_whole_file_contents_$filepath_id +:type filepath_id: str :param contents: contents that should be in the file :type contents: str @@ -768,6 +802,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro which generates the OVAL metadata section @@ -776,7 +811,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param title: Optional, the associated rule title is used by default :type title: str :param affected_platforms: Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood. -:type affected_platforms: str +:type affected_platforms: list[str] #}} {{%- macro oval_metadata(description, title="", affected_platforms=None) -%}} @@ -799,6 +834,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Create a full OVAL check for dconf ini file. @@ -814,8 +850,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type value: str :param application: What application this applies to :type application: str +:param section: What section this applies to +:type section: str :param quotes: If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. -:type value: str +:type quotes: str :param lock_path: Path to lock file :type lock_path: str @@ -854,6 +892,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Create a full OVAL check for an sshd parameter and value. 
@@ -976,8 +1015,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo The macro receives a string as parameter, which is used as the password_object id in the rule. - :param object_id: Object id to be created. - :type object_id: str +:param object_id: Object id to be created. +:type object_id: str #}} {{%- macro create_interactive_users_list_object(object_id) -%}} @@ -1009,11 +1048,13 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_mount_active_{{{ path | escape_id }}}_exists" /> {{%- endmacro %}} + {{%- macro mount_configured_fstab_criterion(path) %}} {{%- endmacro %}} + {{%- macro mount_active_test_object(path) %}} {{%- set escaped_path = path | escape_id %}} ` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{%- macro mount_configured_fstab_test_object(path) %}} {{%- set escaped_path = path | escape_id %}}