From 625d8d1b1c59644a0db791bdbcb62b646d1292cd Mon Sep 17 00:00:00 2001
From: Markus Linnala
Date: Sat, 20 May 2023 11:07:14 +0300
Subject: [PATCH 01/97] style: jinja: ws cleanup

- WS at EOL
- Only one space after :param
---
 shared/macros/10-bash.jinja | 14 +++++++-------
 shared/macros/10-kubernetes.jinja | 2 +-
 shared/macros/10-oval.jinja | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index f52ae185b41..410da63e6a7 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -922,8 +922,8 @@ Example Call(s):
 bash_firefox_cfg_setting("mozilla.cfg" "browser.startup.homepage" quoted_value="${var_default_home_page}")
 :param config_file: Configuration file that will be modified
-:param key: Configuration option to change
-:param value: Value of the configuration option to change
+:param key: Configuration option to change
+:param value: Value of the configuration option to change
 #}}
 {{%- macro bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}}
@@ -2059,11 +2059,11 @@ Example macro invocation:
 {{{ bash_chromium_pol_setting("chrome_stig_policy.json", "/etc/chromium/policies/managed/", "ExtensionInstallBlacklist", "\[\"*\"\]") }}}
-:param chrome_pol_file: Policy file to that will be modified
-:param chrome_pol_dir: Directory where the policy file is located
-:param pol_setting: The setting that will be modified
-:param pol_setting_val: Value of the setting to replace the current value with
-:param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present
+:param chrome_pol_file: Policy file to that will be modified
+:param chrome_pol_dir: Directory where the policy file is located
+:param pol_setting: The setting that will be modified
+:param pol_setting_val: Value of the setting to replace the current value with
+:param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present
 #}}
 {{%- macro bash_chromium_pol_setting(chrome_pol_file, chrome_pol_dir, pol_setting, pol_setting_val, pol_setting_val_edit=None) %}}
diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja
index fe8dabbeda2..a0e6e936af3 100644
--- a/shared/macros/10-kubernetes.jinja
+++ b/shared/macros/10-kubernetes.jinja
@@ -695,7 +695,7 @@ metadata:
 complianceascode.io/node-role: "{{.{{{ role }}}}}"
 spec:
 {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}}
-{{%- endmacro -%}}
+{{%- endmacro -%}}
 {{# Macro which generates Kubernetes remediation in kubelet config format:
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 307df197d98..c779b9056f8 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -550,7 +550,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo
 :type missing_parameter_pass: bool
 :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
 :type multi_value: bool
-:param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system.
+:param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system.
 :type missing_config_file_fail: bool
 #}}

From e3cb9288482832ce2ba1710bbadeb9c4b98d4b72 Mon Sep 17 00:00:00 2001
From: Markus Linnala
Date: Sat, 20 May 2023 15:08:49 +0300
Subject: [PATCH 02/97] style: jinja macros: add/remove newlines

Try to follow style guide / common examples.
Done using something like
sed -Ezi '
s/(#\}\})\n+(\{\{%)/\1\n\2/g
s/\n\n\n+/\n\n/g
s/(:param \w+:[^\n]*\n)(-?\#\}\})/\1\n\2/g
s/(:type \w+:[^\n]*\n)(-?\#\}\})/\1\n\2/g
s/(\{\{%-? endmacro -?%\}\})\n+(\{\{)/\1\n\n\n\2/g
' shared/macros/*.jinja
---
 shared/macros/01-general.jinja | 10 ++++-
 shared/macros/10-ansible.jinja | 11 ++++++
 shared/macros/10-bash.jinja | 53 +++++++++++++++++++++++---
 shared/macros/10-fixtext.jinja | 35 +++++++++++++++++
 shared/macros/10-kubernetes.jinja | 11 +++++-
 shared/macros/10-ocil.jinja | 13 ++++++-
 shared/macros/10-oval.jinja | 37 ++++++++++++++++++
 shared/macros/10-srg_requirement.jinja | 7 ++++
 shared/macros/10-warning.jinja | 4 ++
 9 files changed, 171 insertions(+), 10 deletions(-)

diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja
index 8cb2efa193f..b29db5b4453 100644
--- a/shared/macros/01-general.jinja
+++ b/shared/macros/01-general.jinja
@@ -19,7 +19,6 @@ Therefore, you need to use a tool that can query the OCP API, retrieve KubeletCo
 {{%- endmacro %}}
-
 {{# Macro which generates a warning indicating how to make use of a Kubernetes/OpenShift-related rule as well as how to filter it. This
@@ -91,6 +90,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
 {{%- endmacro %}}
+
 {{# Macro which generates a unique identifier for Compliance Operator, this will hide the rule from ComplianceCheckResult
@@ -100,6 +100,7 @@ This rule will be a hidden rule
 true
 {{%- endmacro %}}
+
 {{% macro openshift_filtered_version(path_filter_pairs) -%}}
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the following:
@@ -122,7 +123,6 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
 {{%- endmacro %}}
-
 {{# Macro which generates a unique path for a filtered Kubernetes resource. The path and the filter are used to generate a unique
@@ -1029,6 +1029,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
 {{% endif %}}
 {{%- endmacro %}}
+
 {{# Adds a default "no easy remediation" warning for kernel_build_config warning.
@@ -1038,6 +1039,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
 There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
 {{% endmacro %}}
+
 {{# OCIL for a kernel build config rule.
@@ -1062,6 +1064,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
 {{% endif %}}
 {{%- endmacro %}}
+
 {{# Returns the AIDE strings based on the current product
@@ -1074,6 +1077,7 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
 {{%- endif -%}}
 {{%- endmacro -%}}
+
 {{# Lists the files need for the rule aide_check_audit_tools with the AIDE string
@@ -1128,6 +1132,7 @@ Part of the grub2_bootloader_argument(_absent) templates.
 {{{ grub_helper_executable }}} {{{ " ".join(grub_helper_args) }}}
 {{%- endmacro %}}
+
 {{%- macro audit_remediation_unsuccessful_file_modification_detailed_audit_file_content() -%}}
 ## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance.
 ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
@@ -1171,6 +1176,7 @@ Part of the grub2_bootloader_argument(_absent) templates.
 -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
 {{%- endmacro -%}}
+
 {{# Join list of items to create a human readable list in which the last item is separated by an and and others are separated by a comma.
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 103a1150b1b..3223d1564b3 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -646,6 +646,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 when: syscalls_found | length == 0
 {{%- endmacro %}}
+
 {{% macro ansible_sssd_ldap_config(parameter, value) -%}}
 - name: "Test for id_provider different than Active Directory (ad)"
 command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$' /etc/sssd/sssd.conf
@@ -701,6 +702,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 mode: 0644
 {{%- endmacro %}}
+
 {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}}
 - name: Find /etc/sudoers.d/ files
@@ -720,6 +722,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - "{{ sudoers.files }}"
 {{%- endmacro -%}}
+
 {{# This macro creates an Ansible snipped which is used in `when` clause to determine applicability of a task. If the package passed as a parameter is installed, the task is applicable.
@@ -829,6 +832,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - result_authselect_enable_feature_cmd is success
 {{%- endmacro -%}}
+
 {{# Used to identify if authselect is present or not in the system. Some macros can change the remediation behavior based on the presence of authselect.
@@ -841,6 +845,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 register: result_authselect_present
 {{%- endmacro -%}}
+
 {{# Enable pam_pwhistory.so PAM module according to the system capabilities. If authselect is present and the "with-pwhistory" feature is available, the feature will be enabled.
@@ -881,6 +886,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 or result_authselect_available_features is not defined
 {{%- endmacro -%}}
+
 {{# Set pam_pwhistory.so PAM module options and values. In case the file /etc/security/pwhistory.conf is present in the system, the option is ensured there and removed
@@ -929,6 +935,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - not result_pwhistory_conf_check.stat.exists
 {{%- endmacro -%}}
+
 {{# This macro ensures the pam_faillock.so PAM module is enabled. It is enabled using the authselect tool or editing the PAM files, only if authselect tool is not available.
@@ -994,6 +1001,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - not result_authselect_present.stat.exists
 {{%- endmacro -%}}
+
 {{# This macro make sure the informed parameter from pam_faillock.so PAM module is properly set. In case the file /etc/security/faillock.conf is present in the system, the option is removed from
@@ -1117,6 +1125,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 - not result_faillock_conf_check.stat.exists
 {{%- endmacro -%}}
+
 {{# Macro for Ansible remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template.
@@ -1158,6 +1167,7 @@ Part of the grub2_bootloader_argument template.
 {{% endif -%}}
 {{%- endmacro -%}}
+
 {{# Macro for Ansible remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template.
@@ -1191,6 +1201,7 @@ Part of the grub2_bootloader_argument_absent template.
 {{% endif -%}}
 {{%- endmacro -%}}
+
 {{# Macro to restrict permissions in home directories of interactive users
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 410da63e6a7..f095fe32fcb 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -149,7 +149,6 @@ fi
 {{# Macro to perform remediation for 'audit_rules_privileged_commands' rule
-
 :param tool: tool used to load audit rules either 'auditctl' or 'augenrules'
 :param min_auid: minimum original ID the user logged in with
@@ -375,6 +374,7 @@ done
 {{%- endif %}}
 {{%- endmacro %}}
+
 {{# Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename argument
@@ -391,6 +391,7 @@ cat < "{{{ filename }}}"
 EOF
 {{%- endmacro -%}}
+
 {{# Set parameter in /etc/audit/auditd.conf
@@ -472,7 +473,6 @@ EOF
 * if rule doesn't exist yet, appends expected rule form to $files_to_inspect audit rules file, depending on the tool which was used to load audit rules
-
 :param audit tool tool used to load audit rules, either 'auditctl', or 'augenrules'
 :param path: value of -w audit rule's argument
 :param required_access_bits: value of -p audit rule's argument
@@ -677,6 +677,7 @@ do
 done
 {{%- endmacro -%}}
+
 {{# Disable prelinking in sysconfig
@@ -906,7 +907,6 @@ done
 Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the preference if it does not exist.
-
 Example Call(s):
 Without string or variable::
@@ -1056,6 +1056,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Validate an authselect custom profile integrity and ensures the correct file path is defined in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of
@@ -1076,6 +1077,7 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
 {{{ bash_apply_authselect_changes() }}}
 {{%- endmacro -%}}
+
 {{# Enable pam_pwhistory.so PAM module according to the system capabilities. If authselect is present and the "with-pwhistory" feature is available, the feature will be enabled.
@@ -1103,6 +1105,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Set pam_pwhistory.so PAM module options and values. In case the file /etc/security/pwhistory.conf is present in the system, the option is ensured there and removed
@@ -1146,6 +1149,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Sets PAM faillock module options and values. In case the file /etc/security/faillock.conf is present in the system, the option is removed from pam files
@@ -1214,6 +1218,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Print a message to stderr and exit the shell
@@ -1227,6 +1232,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
 {{{ action }}} {{{ rc }}}
 {{%- endmacro %}}
+
 {{# Add an entry to a text configuration file
@@ -1242,7 +1248,6 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
 :param prefix_regex: regular expression describing allowed leading characters at each line
 #}}
-
 {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}}
 {{%- set new_line = parameter+separator+value -%}}
 {{#- An escaped dollar in the parameter is escaped because of its significance for the shell, so when making a regex out of the parameter, we remove the shell escape, as the regex escape will do its thing. -#}}
@@ -1259,6 +1264,7 @@ fi
 {{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive, sed_path_separator=sed_path_separator) }}}
 {{%- endmacro -%}}
+
 {{%- macro lineinfile_absent(path, regex, insensitive=true, sed_path_separator="/") -%}}
 {{%- if insensitive -%}}
 {{%- set modifier="Id" -%}}
@@ -1271,6 +1277,7 @@ fi
 LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}"
 {{%- endmacro -%}}
+
 {{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true, filename_glob="*") -%}}
 {{%- if insensitive -%}}
 {{%- set modifier="Id" -%}}
@@ -1280,6 +1287,7 @@ LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }
 LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/{{{ filename_glob }}}
 {{%- endmacro -%}}
+
 {{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true, sed_path_separator="/") -%}}
 {{%- if insensitive -%}}
 {{%- set grep_args="-q -m 1 -i" -%}}
@@ -1328,6 +1336,7 @@ fi
 rm "{{{ path }}}.bak"
 {{%- endmacro -%}}
+
 {{# Generates bash script code that puts 'contents' into a file at 'filepath'
@@ -1341,36 +1350,43 @@ cat << 'EOF' > {{{ filepath }}}
 EOF
 {{%- endmacro %}}
+
 {{# Strips anchors regex around the banner text #}}
 {{% macro bash_deregexify_banner_anchors(banner_var_name) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g')
 {{%- endmacro %}}
+
 {{# Strips multibanner regex and keeps only the first banner #}}
 {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\.\)|.*)$/\1/g')
 {{%- endmacro %}}
+
 {{# Strips whitespace or newline regex #}}
 {{% macro bash_deregexify_banner_space(banner_var_name) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g')
 {{%- endmacro %}}
+
 {{# Strips newline or newline escape sequence regex #}}
 {{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/{{{ newline }}}/g')
 {{%- endmacro %}}
+
 {{# Strips newline token for a newline escape sequence regex #}}
 {{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g')
 {{%- endmacro %}}
+
 {{# Strips backslash regex #}}
 {{% macro bash_deregexify_banner_backslash(banner_var_name) -%}}
 {{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g')
 {{%- endmacro %}}
+
 {{% macro bash_ini_file_set(filename, section, key, value) -%}}
 {{% set config_dir = "/".join(filename.split("/")[:-1]) %}}
 # Try find '[{{{ section }}}]' and '{{{ key }}}' in '{{{ filename }}}', if it exists, set
@@ -1393,6 +1409,7 @@ else
 fi
 {{%- endmacro %}}
+
 {{%- macro bash_sudo_remove_config(parameter, pattern) -%}}
 for f in /etc/sudoers /etc/sudoers.d/* ; do
 if [ ! -e "$f" ] ; then
@@ -1410,6 +1427,7 @@ for f in /etc/sudoers /etc/sudoers.d/* ; do
 done
 {{%- endmacro -%}}
+
 {{% macro bash_sssd_ldap_config(parameter, value) -%}}
 SSSD_CONF="/etc/sssd/sssd.conf"
 LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*{{{ parameter }}}'
@@ -1438,6 +1456,7 @@ if grep -qvzosP $AD_REGEX $SSSD_CONF; then
 fi
 {{%- endmacro %}}
+
 {{# Check whether or not a package is installed. #}}
@@ -1472,6 +1491,7 @@ cce="{{{ cce_identifiers['cce'] }}}"
 symlinks.
 :param file: file to check
+
 #}}
 {{%- macro bash_ensure_nl_at_eof(file) -%}}
 {{#- Plain sed '$a\' updates stat even if it dones not change the file. -#}}
@@ -1499,7 +1519,6 @@ fi
 {{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}}
-
 :param config_file: Configuration file that will be modified
 :param key: Configuration option to change
 :param value: Value of the configuration option to change
@@ -1530,6 +1549,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Macro to restrict permissions in home directories of interactive users.
@@ -1547,6 +1567,7 @@ for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid
 done
 {{%- endmacro -%}}
+
 {{# To see how args corresponds to an :code:`/etc/fstab` entry, see `bash_ensure_mount_option_for_vfstype <#template-bash_ensure_mount_option_in_fstab>`_
@@ -1568,6 +1589,7 @@ do
 done
 {{%- endmacro %}}
+
 {{# Ensures that given mount point is in :code:`/etc/fstab`.
@@ -1602,6 +1624,7 @@ elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "{{{ mount_opt }}}"; t
 fi
 {{%- endmacro %}}
+
 {{# Check whether mount_point is present in /etc/fstab; print err to stderr and return 1 if not
@@ -1617,6 +1640,7 @@ grep "$mount_point_match_regexp" -q /etc/fstab \
 echo "Not remediating, because there is no record of {{{ mount_point }}} in /etc/fstab" >&2; return 1; }
 {{%- endmacro %}}
+
 {{# Ensure that partition is mounted at mount_point with correct options, but only if the partition is already mounted.
@@ -1630,6 +1654,7 @@ if mkdir -p "{{{ mount_point }}}"; then
 fi
 {{%- endmacro %}}
+
 {{# Based on example audit syscall rule definitions as outlined in :code:`/usr/share/doc/audit-2.3.7/stig.rules` file provided with the audit
@@ -1657,7 +1682,6 @@ existing audit rule. The audit rule will retain the key it already had.
 :param syscall_groupings: Other syscalls that can be grouped with 'syscall' as a space separated list. For example, "fchown lchown fchownat"
 :param key: The key to use when appending a new rule
-
 #}}
 {{% macro bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key) -%}}
@@ -1831,6 +1855,7 @@ if [ "$skip" -ne 0 ]; then
 fi
 {{%- endmacro %}}
+
 {{# Ensures that /etc/default/grub file contains the arg_name_value.
@@ -1849,6 +1874,7 @@ else
 fi
 {{%- endmacro %}}
+
 {{# Macro for Bash remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template.
@@ -1866,6 +1892,7 @@ Part of the grub2_bootloader_argument template.
 {{{ grub_command("add", arg_name_value) }}}
 {{% endmacro %}}
+
 {{# Ensures that /etc/default/grub file does not contain the arg_name_value.
@@ -1879,6 +1906,7 @@ if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; t
 fi
 {{%- endmacro %}}
+
 {{# Macro for Bash remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template.
@@ -1894,6 +1922,7 @@ Part of the grub2_bootloader_argument_absent template.
 {{{ grub_command("remove", arg_name) }}}
 {{% endmacro %}}
+
 {{# This macro creates a bash conditional which is used to determine if a remediation is applicable. The macro takes package as an argument and chooses
@@ -1921,6 +1950,7 @@ JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.
 {{% endif %}}
 {{%- endmacro -%}}
+
 {{# This macro generates code that gets version of an installed RPM package.
@@ -1931,6 +1961,7 @@ This macro generates code that gets version of an installed RPM package.
 $(epoch=$(rpm -q --queryformat '%{EPOCH}' {{{ package }}}); version=$(rpm -q --queryformat '%{VERSION}' {{{ package }}}); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version")
 {{%- endmacro -%}}
+
 {{# This macro creates a Bash conditional that compares version of the package with a given version.
@@ -1963,6 +1994,7 @@ https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-orderi
 { real="{{{ real }}}"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; }
 {{%- endmacro -%}}
+
 {{# This macro generates comparison code based on the operator.
@@ -1993,6 +2025,7 @@ printf "%s\n%s" "{{{ expected }}}" "{{{ real }}}" | sort -VC
 {{%- endif -%}}
 {{%- endmacro -%}}
+
 {{# This macro creates a Bash conditional which uses rpm to check if a package passed as a parameter is installed.
@@ -2010,6 +2043,7 @@ rpm --quiet -q {{{ package }}}
 {{%- endif -%}}
 {{%- endmacro %}}
+
 {{# This macro generates code that gets version of an installed DEB package.
@@ -2021,6 +2055,7 @@ This macro generates code that gets version of an installed DEB package.
 dpkg-query -f='${Version}\n' --show {{{ package }}} | cut -f1 -d-
 {{%- endmacro -%}}
+
 {{# This macro creates a Bash conditional that compares version of the DEB package with a given version.
@@ -2035,6 +2070,7 @@ with a given version.
 { real="$({{{ bash_get_dpkg_package_version(package) }}})"; ver="{{{ ver }}}"; dpkg --compare-versions "$real" "{{{ op_codes[op] }}}" "$ver"; }
 {{%- endmacro -%}}
+
 {{# This macro creates a Bash conditional which uses dpkg to check if a package passed as a parameter is installed.
@@ -2051,6 +2087,7 @@ dpkg-query --show --showformat='${db:Status-Status}\n' '{{{ package }}}' 2>/dev/
 {{%- endif -%}}
 {{%- endmacro -%}}
+
 {{# Macro to replace configuration setting(s) in the Chromium stig policy (.json) file or add the preference if it does not exist.
@@ -2328,6 +2365,7 @@ else
 fi
 {{%- endmacro -%}}
+
 {{# Remove a PAM module option from an existing PAM module line. This macro is compatible with custom authselect profiles if the system relies on authselect. Otherwise, the PAM files will
@@ -2381,6 +2419,7 @@ else
 fi
 {{%- endmacro %}}
+
 {{# Macro to insert script to find Mozilla Firefox location on the target system.
@@ -2417,6 +2456,7 @@ grep -qP "^ID=[\"']?{{{ os_id }}}[\"']?$" "{{{ os_release_path }}}"
 {{%- endif -%}}
 {{%- endmacro %}}
+
 {{# This macro generates bash condition that compares the actual version of the operating system with the expected version using the given operator.
@@ -2430,6 +2470,7 @@ operating system with the expected version using the given operator.
 { real="$({{{ bash_get_version_os_linux(os_release_path) }}})"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; }
 {{%- endmacro -%}}
+
 {{# This macro generates code that retrieves the operating system version from /etc/os-release from VERSION_ID variable.
diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja
index 9edc7f3c5d3..f7712090a85 100644
--- a/shared/macros/10-fixtext.jinja
+++ b/shared/macros/10-fixtext.jinja
@@ -7,6 +7,7 @@
 :type key: str
 :param rule_path: Full path to where the rule wil
 :type rule_path: str
+
 #}}
 {{% macro fixtext_audit_file_watch_rule(path, key, rule_path) -%}}
 Configure {{{ full_name }}} to generate audit records for all account creations, modifications, disabling, and termination events that "{{{ path }}}".
@@ -18,6 +19,7 @@ Add or update the following file system rule to "{{{ rule_path }}}":
 The audit daemon must be restarted for the changes to take effect.
 {{% endmacro %}}
+
 {{% macro fixtext_audit_rules(event, key, event_group, extra_params=False, flag=None) -%}}
 Configure the audit system to generate an audit event for any successful/unsuccessful use of the "{{{ event }}}" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/{{{ key }}}.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:
@@ -47,6 +49,7 @@ It's allowed to group this system call within the same line as {{{ event_group }
 The audit daemon must be restarted for the changes to take effect.
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for file deletion events
@@ -58,6 +61,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "delete", '"rename", "unlink", "rmdir", "renameat", and "unlinkat"') }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for dac modification events - chmod
@@ -69,6 +73,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "perm_mod", '"chmod", "fchmod" and "fchmodat"') }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for dac modification events - chown
@@ -80,6 +85,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "perm_mod", '"chown", "fchown", "fchownat" and "lchown"') }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for dac modification events - chown
@@ -91,6 +97,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "perm_mod", '"chown", "fchown", "fchownat" and "lchown"') }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for dac modification events - attr
@@ -102,6 +109,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "perm_mod", '"fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr"') }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for unsuccessful file modification Used in rules using template audit_rules_unsuccessful_file_modification
@@ -118,6 +126,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "access", syscall_grouping_text, extra_params=True) }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for unsuccessful file modification when O_CREAT flag is specified.
@@ -133,6 +142,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "unsuccesful-create", '"open", "openat" and "open_by_handle_at"', extra_params=True, flag=pos+"&0100") }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for audit rules for unsuccessful file modification when O_TRUNC_WRITE flag is specified.
@@ -148,6 +158,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ fixtext_audit_rules(syscall, "unsuccesful-modification", '"openat" and "open_by_handle_at"', extra_params=True, flag=pos+"&01003") }}}
 {{% endmacro %}}
+
 {{# Generate a fixtext for ordering of audit rules for unsuccessful file modification. Used in rules using template audit_rules_unsuccessful_file_modification_rule_order.
@@ -166,6 +177,7 @@ The audit daemon must be restarted for the changes to take effect.
 The audit daemon must be restarted for the changes to take effect.
 {{% endmacro %}}
+
 {{# Human readable text for how to fix ini files
@@ -194,6 +206,7 @@ The audit daemon must be restarted for the changes to take effect.
 $ sudo dconf update
 {{%- endmacro -%}}
+
 {{# Human readable text for how to lock dconf settings
@@ -215,6 +228,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{{ section }}}
 {{%- endmacro -%}}
+
 {{# Describe how to fix an ssh configure
@@ -241,6 +255,7 @@ The audit daemon must be restarted for the changes to take effect.
 {{%- endmacro -%}}
+
 {{# Describe how to enable a service
@@ -254,6 +269,7 @@ The audit daemon must be restarted for the changes to take effect.
 $ sudo systemctl enable --now {{{ service }}}
 {{%- endmacro -%}}
+
 {{# Describe how to disable a service
@@ -269,6 +285,7 @@ The audit daemon must be restarted for the changes to take effect.
 $ sudo systemctl mask --now {{{ service }}}
 {{%- endmacro -%}}
+
 {{# Describe how to disable a socket
@@ -284,6 +301,7 @@ The audit daemon must be restarted for the changes to take effect.
 $ sudo systemctl mask --now {{{ socket }}}
 {{%- endmacro -%}}
+
 {{# Macro describing fix for sysctl rules.
@@ -302,6 +320,7 @@ Load settings from all system configuration files with the following command:
 $ sudo sysctl --system
 {{%- endmacro %}}
+
 {{# Describe fix for GRUB 2 bootloader kernel argument This can be used for rules that use grub2_bootloader_argument template
@@ -323,6 +342,7 @@ Run the following command:
 $ sudo {{{ grub_command("add", argument + "=" + value) }}}
 {{% endmacro %}}
+
 {{# Describe fix for removal of a GRUB 2 bootloader kernel argument This can be used for rules that use grub2_bootloader_argument_absent template
@@ -352,6 +372,7 @@ $ sudo {{{ grub_command("remove", argument) }}}
 :type param: str
 :param value: The value of the audit configuration.
 :type value: str
+
 #}}
 {{% macro fixtext_audit_configuration(param, value) -%}}
 Edit the file "/etc/audit/auditd.conf" and add or edit the following line:
@@ -359,6 +380,7 @@ Edit the file "/etc/audit/auditd.conf" and add or edit the following line:
 {{%- endmacro %}}
+
 {{# Fixtext macro describing configuration of mount option, for rules using the mount_option template.
@@ -373,6 +395,7 @@ for rules using the mount_option template.
 Modify "/etc/fstab" to use the "{{{ mountoption }}}" option on the "{{{ mountpoint }}}" directory.
 {{%- endmacro %}}
+
 {{# Fixtext macro describing how to audit a command.
@@ -392,6 +415,7 @@ Configure the audit system to generate an audit event for any successful/unsucce
 The audit daemon must be restarted for the changes to take effect.
 {{%- endmacro %}}
+
 {{# Fixtext for ensuring that a privileged command is audited.
@@ -399,6 +423,7 @@ Fixtext for ensuring that a privileged command is audited.
 :type cmd: str
 :param path_prefix: The directory the command is in
 :type path_prefix: str
+
 #}}
 {{% macro fixtext_audit_rules_privileged_commands(cmd, path_prefix, key) -%}}
 Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "{{{ cmd }}}" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
@@ -408,6 +433,7 @@ Configure {{{ full_name }}} to generate audit records upon successful/unsuccessf
 The audit daemon must be restarted for the changes to take effect.
 {{%- endmacro %}}
+
 {{# Fixtext for removing a package
@@ -421,6 +447,7 @@ To remove the {{{ full_name }}} package {{{ package }}} run the following comman
 {{{ package_remove(package) }}}
 {{%- endmacro %}}
+
 {{# Fixtext for installing a package
@@ -434,6 +461,7 @@ To install the {{{ full_name }}} package {{{ package }}} run the following comma
 {{{ package_install(package) }}}
 {{%- endmacro %}}
+
 {{# Fixtext for disabling a kernel module
@@ -452,6 +480,7 @@ blacklist {{{ module }}}
 Reboot the system for the settings to take effect.
 {{%- endmacro %}}
+
 {{# Fixtext for setting the owner on a file.
@@ -467,6 +496,7 @@ Change the owner of the file {{{ file }}} to {{{ owner }}} by running the follow
 $ sudo chown {{{ owner }}} {{{ file }}}
 {{%- endmacro %}}
+
 {{# Fixtext for setting the group owner on a file.
@@ -482,6 +512,7 @@ Change the group of the file {{{ file }}} to {{{ group }}} by running the follow $ sudo chgrp {{{ group }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the owner on a directory. @@ -497,6 +528,7 @@ Change the owner of the directory {{{ file }}} to {{{ owner }}} by running the f $ sudo chown {{{ owner }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the group owner on a directory. @@ -512,6 +544,7 @@ Change the group of the directory {{{ file }}} to {{{ group }}} by running the f $ sudo chgrp {{{ group }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for setting the permissions on a directory. @@ -543,6 +576,7 @@ Configure the "{{{ file }}}" file to "{{{ mode }}}" by running the following com $ sudo chmod {{{ mode }}} {{{ file }}} {{%- endmacro %}} + {{# Fixtext for having a mount point on another partition @@ -554,6 +588,7 @@ Fixtext for having a mount point on another partition Migrate the "{{{ part }}}" path onto a separate file system. {{%- endmacro %}} + {{# Fixtext for how to restrict RBAC permissions for cluster logging diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja index a0e6e936af3..31a0681afa0 100644 --- a/shared/macros/10-kubernetes.jinja +++ b/shared/macros/10-kubernetes.jinja @@ -174,6 +174,7 @@ spec: overwrite: true {{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in MachineConfig format with dependencies reflected: @@ -218,7 +219,6 @@ spec: - source_content (String): The source of the content to be applied. - vals (list): The list of required values for this remediation to be applies for example: var_something #}} - {{%- macro kubernetes_machine_config_file_with_required_value(path='', file_permissions_mode='', source='', vals=[]) -%}} apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig 
@@ -469,12 +469,14 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file_with_dependencies(path='/etc/usbguard/usbguard-daemon.conf', file_permissions_mode='0600', source=usbguard_config_source(), deps=deps, ocp_version_range='>=4.7.0') }}} {{%- endmacro -%}} + {{% macro kubernetes_machineconfig_audit_add_watch_rule(path='', permissions='', key='') -%}} {{%- set audit_watch_rule = "-w " + path + " -p " + permissions + " -k " + key + "\n" -%}} {{%- set audit_watch_rule_path = "/etc/audit/rules.d/75-" + path | replace('/', '') + "-" + permissions + "-" + key + ".rules" -%}} {{{ kubernetes_machine_config_file(path=audit_watch_rule_path, file_permissions_mode='0600', source=audit_watch_rule) }}} {{%- endmacro %}} + {{% macro audit_syscalls_rule(syscalls=[], key='', fields='') %}} {{%- for syscall in syscalls -%}} -a always,exit -F arch=b64 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}} -k {{{ key }}} @@ -490,6 +492,7 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file(path=path, file_permissions_mode='0600', source=audit_syscalls_rule(syscalls, key, fields)) }}} {{%- endmacro %}} + {{% macro rhcos_ospp_audit_rules() -%}} ## This content is a section of an Audit config snapshot recommended for {{{full_name|urlencode}}} systems that target OSPP compliance. ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules @@ -541,6 +544,7 @@ AuditBackend=LinuxAudit {{{ kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-remediation.rules', file_permissions_mode='0600', source=rhcos_ospp_audit_rules()) }}} {{%- endmacro %}} + {{% macro rhcos_logrotate_config() -%}} # see "man logrotate" for details # rotate log files daily 
@@ -572,6 +576,7 @@ include /etc/logrotate.d {{{ kubernetes_machine_config_file(path='/etc/logrotate.conf', file_permissions_mode='0644', source=rhcos_logrotate_config()) }}} {{%- endmacro %}} + {{% macro rhcos_auditd_config() -%}} # # This file controls the configuration of the audit daemon @@ -622,6 +627,7 @@ plugin_dir = /etc/audit/plugins.d {{{ kubernetes_machine_config_file(path='/etc/audit/auditd.conf', file_permissions_mode='0640', source=rhcos_auditd_config()) }}} {{%- endmacro %}} + {{% macro kubernetes_machineconfig_auditd_config_with_required_value(vals=[]) -%}} {{{ kubernetes_machine_config_file_with_required_value(path='/etc/audit/auditd.conf', file_permissions_mode='0640', source=rhcos_auditd_config(),vals=vals)}}} {{%- endmacro %}} @@ -656,6 +662,7 @@ spec: path: /etc/chrony.d/ntp-server.conf {{%- endmacro %}} + {{% macro ntp_server() -%}} # # This file controls the configuration of the ntp server @@ -681,6 +688,7 @@ spec: {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}} {{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in kubelet config format: - path (String): path for the variable @@ -697,6 +705,7 @@ spec: {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}} {{%- endmacro -%}} + {{# Macro which generates Kubernetes remediation in kubelet config format: - path (String): path for the variable diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 91eccc49fbd..0a35b283b5b 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -44,6 +44,7 @@ Standard audit OCIL clause the command does not return a line, or the line is commented out {{%- endmacro %}} + {{# OCIL and OCIL clause for ensuring that a privileged command is audited. 
@@ -64,6 +65,7 @@ ocil: |- -a always,exit -F path={{{ path_prefix }}}{{{ cmd }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -k {{% if key %}}{{{ key }}}{{% else %}}privileged-{{{ cmd }}}{{% endif %}} {{% endmacro %}} + {{# OCIL for adding a syscall to audit logs @@ -117,6 +119,7 @@ ocil: | If the system is configured to audit this activity, it will return a line. {{%- endmacro %}} + {{# OCIL for adding a unsuccessful syscall to audit logs @@ -146,6 +149,7 @@ ocil: | {{{ ocil_clause_entry_audit_syscall() }}} {{%- endmacro %}} + {{# OCIL and OCIL clause for adding a unsuccessful syscall to audit logs @@ -161,7 +165,6 @@ ocil: | {{%- endmacro %}} - {{# Package macros #}} {{# @@ -301,6 +304,7 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. {{%- endif -%}} {{%- endmacro %}} + {{# Inserts an OCIL Clause for a case when a service should be enabled. @@ -371,6 +375,7 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. {{%- endif -%}} {{%- endmacro %}} + {{# Inserts an OCIL Clause for a case when a service should be disabled. @@ -689,6 +694,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' If firewalld is configured to prevent access, no output will be returned. {{%- endmacro %}} + {{# Kernel modules macros #}} {{# @@ -741,6 +747,7 @@ ocil: |- ocil_clause: "{{{ sebool }}} is not set as expected" {{%- endmacro %}} + {{# Describe how to check if given SELinux boolean is set depending on a variable. @@ -1110,6 +1117,7 @@ ocil: |-
lockPref("{{config}}", "{{value}}");
{{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification template @@ -1167,6 +1175,7 @@ The output should be the following: {{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_trunc_write template @@ -1196,6 +1205,7 @@ The output should be the following: {{%- endmacro %}} + {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_rule_order template @@ -1228,6 +1238,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati -a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access {{%- endmacro %}} + {{# OpenShift Logging Macros #}} {{# diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index c779b9056f8..8191d83e482 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -11,6 +11,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Constants. @@ -98,6 +99,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the criterion of the OVAL check (Criterion definition). @@ -131,6 +133,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" /> {{%- endmacro %}} + {{# Macro to define the OVAL test to be constructed (Test definition). @@ -170,6 +173,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to check if a parameter in a configuration file is set (Object definition). @@ -238,6 +242,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to check if a expected value can be found in the extracted information of an OVAL object (State definition). 
@@ -270,22 +275,27 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false, avoid_conflicting=false) -%}} {{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir", avoid_conflicting=avoid_conflicting) -}}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false, avoid_conflicting=false) -%}} {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir", avoid_conflicting=avoid_conflicting) }}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}} {{{- oval_line_in_file_object(path_or_filepath=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filename_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}} {{%- endmacro %}} + {{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}} {{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}} {{%- endmacro %}} + {{# Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition). @@ -297,6 +307,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if the configuration file exists (Test definition). @@ -310,6 +321,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL criterion that requires a file not to exist. The id of the test name will be test_. 
@@ -322,6 +334,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if the configuration file exists (Test definition). @@ -339,6 +352,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL object to check if the configuration file exists (Object definition). @@ -352,6 +366,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Criterion definition). @@ -377,6 +392,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_{{{ rule_id }}}_{{{ name_value|escape_id }}}_argument_in_{{{ filepath|escape_id }}}" {{% if negate %}}negate="true" {{% endif %}}/> {{%- endmacro -%}} + {{# Macro to define the OVAL test to check if there is a line in file with a pair of argument=value (Test definition). @@ -421,6 +437,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# High level macro to define the OVAL test to check if there is a line in file with a pair of argument=value. @@ -448,6 +465,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# High level macro to check if a particular combination of parameter and value in the ssh daemon configuration file is set. A case insensitive comparison is used in the prefix because sshd_config has case-insensitive parameters (but case-sensitive values). 
@@ -468,6 +486,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# High level macro to check if a particular shell variable is set. @@ -501,6 +520,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}} {{%- endmacro %}} + {{# High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. @@ -520,6 +540,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# High level macro to set a parameter in /etc/systemd/coredump.conf. 
@@ -539,6 +560,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/systemd/coredump.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="systemd-coredump", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section="Coredump") }}} {{%- endmacro %}} + {{# High level macro to check if a particular combination of parameter and value in the grub configuration file is set. @@ -558,6 +580,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file("/etc/default/grub", prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application="grub", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} + {{# To be removed macro. Prevents regression on sshd configuration rules. #}} @@ -574,6 +597,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro %}} + + {{# To be removed macro. Prevents regression on sshd configuration rules. #}} @@ -591,6 +616,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{# Note that a criteria was left open #}} {{%- endmacro %}} + {{# High level macro which checks configuration in an INI file. @@ -616,6 +642,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{ oval_check_config_file(path=path, prefix_regex="^\s*", parameter=parameter, value=value, separator_regex="[ \\t]*=[ \\t]*", missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section=section) }}} {{%- endmacro %}} + {{# Creates OVAL tests with given test_id which checks if package is not installed. 
@@ -624,6 +651,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type package: str :param test_id: Suffix of the Ids in test, obj, and state elements :type test_id: str + #}} {{%- macro oval_test_package_removed(package='', test_id='') -%}} {{% if pkg_system == "rpm" %}} @@ -647,6 +675,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro -%}} + {{# Creates OVAL tests with given test_id which checks if package is installed. Optionally, it can check if a package of a given version (EVR) @@ -698,6 +727,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- endmacro -%}} + {{# Macro which generates OVAL test for OpenShift Container Platform runtime process configuration. @@ -726,6 +756,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro -%}} + {{# Macro which generates OVAL definition, test and object that check for contents of the file. @@ -768,6 +799,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Macro which generates the OVAL metadata section @@ -799,6 +831,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Create a full OVAL check for dconf ini file. @@ -854,6 +887,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{# Create a full OVAL check for an sshd parameter and value. 
@@ -1009,11 +1043,13 @@ Generates the :code:`` tag for OVAL check using correct product platfo test_ref="test_mount_active_{{{ path | escape_id }}}_exists" /> {{%- endmacro %}} + {{%- macro mount_configured_fstab_criterion(path) %}} {{%- endmacro %}} + {{%- macro mount_active_test_object(path) %}} {{%- set escaped_path = path | escape_id %}} ` tag for OVAL check using correct product platfo {{%- endmacro %}} + {{%- macro mount_configured_fstab_test_object(path) %}} {{%- set escaped_path = path | escape_id %}} Date: Sat, 20 May 2023 15:28:55 +0300 Subject: [PATCH 03/97] fix: ansible_audit_augenrules_add_syscall_rule/doc: add types, fix name --- shared/macros/10-ansible.jinja | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 3223d1564b3..5194fa154bd 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -497,11 +497,17 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/rules.d` The macro requires following parameters: :param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str :param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str :param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str :param syscalls: List of syscalls to ensure presense among audit rules. For example, "['fchown', 'lchown', 'fchownat']" -:param syscall_groupings: List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscalls: list[str] +:param syscall_grouping: List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscall_grouping: list[str] :param key: The key to use when appending a new rule +:type key: str #}} {{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} From 4a323c5bdce1d0c9f865bbc8cec1e1b64b26a297 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:33:02 +0300 Subject: [PATCH 04/97] fix: ansible_audit_auditctl_add_syscall_rule/doc: add types, fix name/order --- shared/macros/10-ansible.jinja | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 5194fa154bd..df596f2419d 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
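Review bot: The added `:type syscalls: list[str]` and `:type syscall_grouping: list[str]` lines sit next to examples written as quoted strings, `"['fchown', 'lchown', 'fchownat']"`, so a reader cannot tell whether the macro takes a list or a string that merely looks like one. Since the type lines are the new information, the examples for these two parameters should be written without the surrounding quotes, e.g. `For example, ['fchown', 'lchown', 'fchownat']`, while the str-typed examples keep theirs. The same quoting applies to the ansible_audit_auditctl_add_syscall_rule hunk in the next patch. The macro body itself is outside the hunk.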
@@ -589,13 +589,23 @@ The macro requires following parameters: {{# The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rules` file. -:param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" -:param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" -:param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" -:param syscalls: List of syscalls to ensure presense among audit rules. For example, "['fchown', 'lchown', 'fchownat']" -:param syscall_groupings: List of other syscalls that can be grouped with 'syscalls' - For example, "['fchown', 'lchown', 'fchownat']" +:param action_arch_filters: The action and arch filters of the rule. + For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str +:param other_filters: Other filters that may characterize the rule. + For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str +:param auid_filters: The auid filters of the rule. + For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str +:param syscalls: List of syscalls to ensure presense among audit rules. + For example, "['fchown', 'lchown', 'fchownat']" +:type syscalls: list[str] :param key: The key to use when appending a new rule +:type key: str +:param syscall_grouping: List of other syscalls that can be grouped with + 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']" +:type syscall_grouping: list[str] #}} {{% macro ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}} From de2c78b5ae585a6e3b99e8312f9f13ec94a03278 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:35:47 +0300 Subject: [PATCH 05/97] fix: ansible_pkg_conditional/doc: add types --- shared/macros/10-ansible.jinja | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
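Review bot: The rewrapped `:param syscalls:` line carries the misspelling "presense" into new text; since the line is being rewritten anyway it should read `:param syscalls: List of syscalls to ensure presence among audit rules.`. The reordering of key before syscall_grouping now matches the signature on the last line of the hunk, which is the right call. The macro body is outside the hunk.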
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index df596f2419d..51a18a99bcf 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -740,13 +740,17 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{# - This macro creates an Ansible snipped which is used in `when` clause to determine applicability of a task. - If the package passed as a parameter is installed, the task is applicable. - The macro respects `platform_package_overrides` variable. + This macro creates an Ansible snipped which is used in `when` clause to + determine applicability of a task. If the package passed as a parameter is + installed, the task is applicable. The macro respects + `platform_package_overrides` variable. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: version #}} {{%- macro ansible_pkg_conditional(package, op=None, ver=None) -%}} From 31738dad99fe3715ea95c0e7e971fe0eed886214 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:36:54 +0300 Subject: [PATCH 06/97] fix: ansible_apply_authselect_changes/doc: add type --- shared/macros/10-ansible.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 51a18a99bcf..9b32a3e87cd 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -809,6 +809,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul not desired, avoid defining a backup name. :param backup_name: Changes the default backup name used by authselect. +:type backup_name: str #}} {{% macro ansible_apply_authselect_changes(backup_name='') -%}} From 84780bfbba3e211c77c2317ff990ddb6bf84f6c5 Mon Sep 17 00:00:00 2001 
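Review bot: In the ansible_pkg_conditional hunk, `:type ver: version` names a type that no other macro doc in this series uses (they use str, bool and list[str]), and "package version" is already the parameter description, so the type line adds nothing a reader can act on. Unless a dedicated version object is expected, which the `:param ver:` text does not suggest, `:type ver: str` is the consistent choice; if a specific format is required, say so in the description instead. The reflowed first sentence also keeps the typo "snipped": `This macro creates an Ansible snippet which is used in the when clause to`. The macro body is outside the hunk.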
From: Markus Linnala Date: Sat, 20 May 2023 14:57:05 +0300 Subject: [PATCH 07/97] fix: ansible_pam_pwhistory_enable/doc: add types Param must start line --- shared/macros/10-ansible.jinja | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 9b32a3e87cd..53c0836f6e8 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -873,11 +873,14 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul If authselect is present but the "with-pwhistory" feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited. - :param pam_file: PAM config file. - :param control: PAM control flags. - :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. - Note: For this macro, there is a special value used to include a line at - the beginning of the file: "BOF" +:param pam_file: PAM config file. +:type pam_file: str +:param control: PAM control flags. +:type control: str +:param after_match: Regex used as reference to append a line, if necessary. Optional parameter. + Note: For this macro, there is a special value used to include a line at + the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro ansible_pam_pwhistory_enable(pam_file, control, after_match='') -%}} From d16c3d66dd7e8c89f3ffd9c7cdb4ec2818c81455 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:40:59 +0300 Subject: [PATCH 08/97] fix: ansible_pam_pwhistory_parameter_value/doc: add types --- shared/macros/10-ansible.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 53c0836f6e8..28955905efc 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -917,8 +917,11 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul from pam files to avoid conflicts or confusion. :param pam_file: PAM config file. +:type pam_file: str :param parameter: pwhistory parameter/option e.g.: remember, retry, debug +:type parameter: str :param pwhistory_var_name: Literal variable name. +:type pwhistory_var_name: str #}} {{%- macro ansible_pam_pwhistory_parameter_value(pam_file, parameter, pwhistory_var_name='') -%}} From 00e8d247de40043dd68f8e308b0c3721b2c1e3fc Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 14:57:36 +0300 Subject: [PATCH 09/97] fix: ansible_pam_faillock_parameter_value/doc: add types Param must start line --- shared/macros/10-ansible.jinja | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 28955905efc..092cc2efffe 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1034,9 +1034,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul case the file /etc/security/faillock.conf is present in the system, the option is removed from PAM files since it is not needed there in that case. - :param parameter: The pam_faillock.so parameter name. - :param faillock_var_name: If the parameter expects a value from a variable, the variable name is informed here. - :param authfail: check the pam_faillock.so conf line with authfail +:param parameter: The pam_faillock.so parameter name. +:type parameter: str +:param faillock_var_name: If the parameter expects a value from a variable, the variable name is informed here. +:type faillock_var_name: str +:param authfail: check the pam_faillock.so conf line with authfail +:type authfail: bool #}} {{%- macro ansible_pam_faillock_parameter_value(parameter, faillock_var_name='', authfail=True) -%}} From ef06d1147ac65fd9e20037fe7370a58863039ae6 Mon Sep 17 00:00:00 2001 
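Review bot: In the ansible_pam_faillock_parameter_value hunk, the re-indented `:param faillock_var_name:` line keeps the phrase "the variable name is informed here", which does not read naturally; `:param faillock_var_name: If the parameter takes its value from a variable, give that variable name here.` says the same thing plainly. The `:param authfail:` description, `check the pam_faillock.so conf line with authfail`, does not tell the reader what the new `:type authfail: bool` switches between; the description should state what is matched when it is True (the default) and when it is False. I cannot confirm the behaviour from here because the macro body is outside the hunk.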
From: Markus Linnala Date: Sat, 20 May 2023 15:42:26 +0300 Subject: [PATCH 10/97] fix: ansible_ensure_pam_module_line/doc: add types --- shared/macros/10-ansible.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 092cc2efffe..4609ce2fc5e 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1287,10 +1287,15 @@ Part of the grub2_bootloader_argument_absent template. PAM module is working as expected. Otherwise, a custom remediation should be considered. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param after_match: Regex used as reference to include the line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}} From 537505fda3a6d57acfb1f1f247d568f77e18b91f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:43:35 +0300 Subject: [PATCH 11/97] fix: ansible_ensure_pam_module_option/doc: add types --- shared/macros/10-ansible.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 4609ce2fc5e..5ba66153f8b 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -1356,12 +1356,19 @@ Part of the grub2_bootloader_argument_absent template. Make sure that an existing PAM module line is properly configured with an option. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}} From d6ad525ab9ebe8cd377532aca9d673b030b16aa2 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:44:00 +0300 Subject: [PATCH 12/97] fix: ansible_remove_pam_module_option/doc: add types --- shared/macros/10-ansible.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 5ba66153f8b..577180bd82b 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1416,10 +1416,15 @@ Part of the grub2_bootloader_argument_absent template. Remove a PAM module option if present in a PAM module line. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro ansible_remove_pam_module_option(pam_file, group, control, module, option) -%}} 
From f6296e63995bba932a2dfb55e06832e5a2dce723 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:44:16 +0300 Subject: [PATCH 13/97] fix: ansible_ensure_pam_facts_and_authselect_profile/doc: add type --- shared/macros/10-ansible.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 577180bd82b..cfaba48757e 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1542,6 +1542,7 @@ Part of the grub2_bootloader_argument_absent template. to the PAM file to be edited is correctly set. :param pam_file: PAM config file. +:type pam_file: str #}} {{%- macro ansible_ensure_pam_facts_and_authselect_profile(pam_file) -%}} From b1fc1f669bbf27c27665c72f30c0c4ee341acd08 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:44:39 +0300 Subject: [PATCH 14/97] fix: ansible_ensure_pam_module_configuration/doc: add types --- shared/macros/10-ansible.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index cfaba48757e..4f3749d3230 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -1572,12 +1572,19 @@ Part of the grub2_bootloader_argument_absent template. relies on authselect. Otherwise, the PAM files will be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. Optional parameter. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro ansible_ensure_pam_module_configuration(pam_file, group, control, module, option, value='', after_match='') -%}} From 7a72606db5e7c74cf02b4f7af5107928ec522821 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:51:11 +0300 Subject: [PATCH 15/97] fix: ansible_remove_pam_module_option_configuration/doc: add types --- shared/macros/10-ansible.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 4f3749d3230..fe94d7ef241 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1620,10 +1620,15 @@ Part of the grub2_bootloader_argument_absent template. be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro ansible_remove_pam_module_option_configuration(pam_file, group, control, module, option) -%}} 
From b8321c51961b41e25d59bc8bde6d58ca534010cc Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 21:53:50 +0300 Subject: [PATCH 16/97] fix: ansible_instantiate_variables/doc: fix format --- shared/macros/10-ansible.jinja | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index fe94d7ef241..63c6da2ba12 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1,6 +1,7 @@ {{# -Pass strings that correspond to XCCDF value names as arguments to this macro: -ansible_instantiate_variables("varname1", "varname2") +Pass strings that correspond to XCCDF value names as arguments to this macro:: + + ansible_instantiate_variables("varname1", "varname2") Then, assume that the task that follows can work with the variable by referencing it, e.g. value: :code:`Setting={{ varname1 }}` From 8e15b79bfd3c38a8f36c3215a427b19beee69e6d Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 21:54:10 +0300 Subject: [PATCH 17/97] fix: ansible_grub2_bootloader_argument/doc: fix type format --- shared/macros/10-ansible.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 63c6da2ba12..8ca66702126 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1162,9 +1162,9 @@ Macro for Ansible remediation for adding a kernel command line argument to the G Part of the grub2_bootloader_argument template. :param arg_name: Kernel command line argument -:type arg_name str: +:type arg_name: str :param arg_name_value: Kernel command line argument concatenated with the value of this argument using an equal sign, eg. "noexec=off". -:type arg_name_value str: +:type arg_name_value: str #}} {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value) -%}} From d9e474fab515865a7c006543389b96a6d1f520f0 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 21:54:54 +0300 Subject: [PATCH 18/97] fix: ansible_grub2_bootloader_argument_absent/doc: fix type format --- shared/macros/10-ansible.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 8ca66702126..47103022b21 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1204,7 +1204,7 @@ Macro for Ansible remediation for removing a kernel command line argument from t Part of the grub2_bootloader_argument_absent template. :param arg_name: Name of the kernel command line argument that will be removed from GRUB 2 configuration. -:type arg_name str: +:type arg_name: str #}} {{%- macro ansible_grub2_bootloader_argument_absent(arg_name) -%}} From d0822dbe664db96b2a4b3d609c2d9432e22f1d0c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 14:58:25 +0300 Subject: [PATCH 19/97] fix: bash_pam_pwhistory_enable/doc: param must start line, add types --- shared/macros/10-bash.jinja | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index f095fe32fcb..da1dc21c6a4 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1084,11 +1084,14 @@ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" If authselect is present but the "with-pwhistory" feature is not yet available, a custom profile will be used. If authselect is not present, PAM files will be directly edited. - :param pam_file: PAM config file. - :param control: PAM control flags. - :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. - Note: For this macro, there is a special value used to include a line at - the beginning of the file: "BOF" +:param pam_file: PAM config file. +:type pam_file: str +:param control: PAM control flags. +:type control: str +:param after_match: Regex used as reference to append a line, if necessary. Optional parameter. + Note: For this macro, there is a special value used to include a line at + the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro bash_pam_pwhistory_enable(pam_file, control, after_match='') -%}} From 62ae116a7c7fe65f052c17ea56df387ce153edde Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 14:58:50 +0300 Subject: [PATCH 20/97] fix: bash_ensure_nl_at_eof/doc: param must start line, add types --- shared/macros/10-bash.jinja | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index da1dc21c6a4..570bc1efac3 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1493,7 +1493,8 @@ cce="{{{ cce_identifiers['cce'] }}}" Do not modify file at all if there already is newline. Always follows symlinks. - :param file: file to check +:param file: file to check +:type file: str #}} {{%- macro bash_ensure_nl_at_eof(file) -%}} From 30f83297191ca109545488e3970e03afa0d761e4 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 14:59:05 +0300 Subject: [PATCH 21/97] fix: bash_ensure_mount_option_in_fstab/doc: param must start line, add types --- shared/macros/10-bash.jinja | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 570bc1efac3..2ec5a8d923a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1605,10 +1605,14 @@ Ensures that given mount point is in :code:`/etc/fstab`. LABEL=t-home2 /home ext4 defaults,auto_da_alloc 0 2 - :param mount_point: mount point - :param mount_opt: mount point option whose presence in /etc/fstab we are ensuring - :param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) - :param type: mount type of mount point (used when adding new entry in fstab) +:param mount_point: mount point +:type mount_point: str +:param mount_opt: mount point option whose presence in /etc/fstab we are ensuring +:type mount_opt: str +:param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) +:type fs_spec: str +:param type: mount type of mount point (used when adding new entry in fstab) +:type type: str #}} {{% macro bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type) -%}} From 01b66665eba78bae092a2c3f21f1bfd0410716ba Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:56:02 +0300 Subject: [PATCH 22/97] fix: bash_ensure_pam_module_options/doc: add types --- shared/macros/10-bash.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 2ec5a8d923a..4fa119799cd 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -20,12 +20,19 @@ Then, assume that variables of that names are defined and contain the correct va type control module option=valueRegexArg :param pamFile: PAM config file +:type pamFile: str :param type: PAM module interface +:type type: str :param control: PAM control flags +:type control: str :param module: PAM module name +:type module: str :param option: PAM module option +:type option: str :param valueRegexArg: PAM module option argument regex pattern +:type valueRegexArg: str :param defaultValueArg: PAM module option argument default value +:type defaultValueArg: str #}} {{%- macro bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg) -%}} From 7d12c1732ddbdd9ed9d7d13233eda038244705bc Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:56:23 +0300 Subject: [PATCH 23/97] fix: bash_provide_pam_module_options/doc: add types --- shared/macros/10-bash.jinja | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 4fa119799cd..2c168a31013 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -76,13 +76,20 @@ fi Make sure that we have a line with given type, control and module has the given option in pamFile (additional options are left as-is): `type control module option=valueRegexArg` -:param pamFile: PAM config file -:param type: PAM module interface -:param control: PAM control flags -:param module: PAM module name -:param option: PAM module option -:param valueRegexArg: PAM module option argument regex pattern +:param pamFile: PAM config file +:type pamFile: str +:param type: PAM module interface +:type type: str +:param control: PAM control flags +:type control: str +:param module: PAM module name +:type module: str +:param option: PAM module option +:type option: str +:param valueRegexArg: PAM module option argument regex pattern +:type valueRegexArg: str :param defaultValueArg: PAM module option argument default value +:type defaultValueArg: str #}} {{%- macro bash_provide_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg) -%}} From 5a30bb9c386d21a302971b3faecc0b9e76b8208f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 14:58:07 +0300 Subject: [PATCH 24/97] fix: bash_ensure_pam_variables_and_authselect_profile/doc: add type Param must start line. --- shared/macros/10-bash.jinja | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 2c168a31013..eef99474894 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1079,7 +1079,8 @@ fi the macro will properly locate the correct profile and file to be edited in the authselect context. This sequence of commands is used in multiple PAM related macros. - :param pam_file: PAM config file. +:param pam_file: PAM config file. +:type pam_file: str #}} {{%- macro bash_ensure_pam_variables_and_authselect_profile(pam_file) -%}} From a79d48f4ea7cf5db9f6fd8e4d579d110793d3d0a Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 15:57:45 +0300 Subject: [PATCH 25/97] fix: bash_service_command/doc: add types, indent --- shared/macros/10-bash.jinja | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index eef99474894..c1fe778a391 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -791,17 +791,20 @@ dconf update {{# - Macro to enable or disable a particular service. +Macro to enable or disable a particular service. Examples:: - bash_service_command("enable", "bluetooth") - bash_service_command("disable", "bluetooth.service") - bash_service_command("disable", "rsh.socket", xinetd="rsh") + bash_service_command("enable", "bluetooth") + bash_service_command("disable", "bluetooth.service") + bash_service_command("disable", "rsh.socket", xinetd="rsh") :param service_state: Desired state of the service +:type service_state: str :param service: The service to change +:type service: str :param xinetd: Set the xinetd for the service. Defaults to empty string. +:type xinetd: str #}} {{%- macro bash_service_command(service_state, service, xinetd="") -%}} From 5becc3a348240aeae2a746c21ad72fe96b6269db Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:23:58 +0300 Subject: [PATCH 26/97] fix: bash_perform_audit_rules_privileged_commands_remediation/doc: add types, move right place --- shared/macros/10-bash.jinja | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index c1fe778a391..e565d2389c9 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -163,14 +163,16 @@ fi {{# Macro to perform remediation for 'audit_rules_privileged_commands' rule -:param tool: tool used to load audit rules either 'auditctl' or 'augenrules' -:param min_auid: minimum original ID the user logged in with - Example macro invocation(s):: perform_audit_rules_privileged_commands_remediation("auditctl", "500") perform_audit_rules_privileged_commands_remediation("augenrules", "1000") +:param tool: tool used to load audit rules either 'auditctl' or 'augenrules' +:type tool: str +:param min_auid: minimum original ID the user logged in with +:type min_auid: str + #}} {{%- macro bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid) -%}} files_to_inspect=() From d4baa5df138b49a05a5eb8dd344073e37521072e Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:21:44 +0300 Subject: [PATCH 27/97] fix: bash_fix_audit_watch_rule/doc: add types, move right place --- shared/macros/10-bash.jinja | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index e565d2389c9..14e2545fc4a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -485,19 +485,24 @@ EOF {{# Macro to fix audit file system object watch rule for given path: + * if rule exists, also verifies the -w bits match the requirements * if rule doesn't exist yet, appends expected rule form to $files_to_inspect audit rules file, depending on the tool which was used to load audit rules -:param audit tool tool used to load audit rules, either 'auditctl', or 'augenrules' -:param path: value of -w audit rule's argument -:param required_access_bits: value of -p audit rule's argument -:param key: value of -k audit rule's argument - Example macro invocation:: {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}} +:param tool: tool used to load audit rules, either 'auditctl', or 'augenrules' +:type tool: str +:param path: value of -w audit rule's argument +:type path: str +:param required_access_bits: value of -p audit rule's argument +:type required_access_bits: str +:param key: value of -k audit rule's argument +:type key: str + #}} {{%- macro bash_fix_audit_watch_rule(tool, path, required_access_bits, key) -%}} # Create a list of audit *.rules files that should be inspected for presence and correctness From e4e1e6f32639fa8cd391c1ff0b43dd95da5ae01a Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:28:43 +0300 Subject: [PATCH 28/97] fix: bash_firefox_js_setting/doc: add types, add missing param --- shared/macros/10-bash.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 14e2545fc4a..f86c857dbf6 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -889,8 +889,15 @@ Example Calls: bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name") :param config_file: Configuration file that will be modified +:type config_file: str :param key: Configuration option to change +:type key: str :param value: Value of the configuration option to change +:type value: str +:param quoted_value: +:type quoted_value: str +:param sed_separator: +:type sed_separator: char #}} {{%- macro bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} From e11c3555926856763945df1072dd733fbbc19a40 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:30:26 +0300 Subject: [PATCH 29/97] fix: bash_firefox_cfg_setting/doc: add types, add missing params --- shared/macros/10-bash.jinja | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index f86c857dbf6..a2c52f575b1 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -953,8 +953,15 @@ Example Call(s): bash_firefox_cfg_setting("mozilla.cfg" "browser.startup.homepage" quoted_value="${var_default_home_page}") :param config_file: Configuration file that will be modified -:param key: Configuration option to change -:param value: Value of the configuration option to change +:type config_file: str +:param key: Configuration option to change +:type key: str +:param value: Value of the configuration option to change +:type value: str +:param quoted_value: +:type quoted_value: str +:param sed_separator: +:type sed_separator: char #}} {{%- macro bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} From 444ee9b86471b85e69ae4f9714454c1910d641a6 Mon Sep 17 00:00:00 2001 
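Review bot: The `:param quoted_value:` and `:param sed_separator:` entries added in this hunk (and again in the `@@ -953` hunk for bash_firefox_cfg_setting) carry no description, so the rendered docs will show two empty fields for exactly the parameters this commit set out to document. From the example call, quoted_value looks like the form of the value that is emitted wrapped in quotes and sed_separator the delimiter used in the sed expression, but the macro body is outside the hunk, so confirm that before writing something like `:param quoted_value: Value of the configuration option, written surrounded by quotes` and `:param sed_separator: Character used as the sed expression delimiter; pick another one when the value contains "/"`. `:type sed_separator: char` is also the only non-`str` type in the whole series; Jinja macro arguments are plain strings, so `:type sed_separator: str` keeps the two hunks consistent with every other macro.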
From: Markus Linnala Date: Sat, 20 May 2023 16:31:23 +0300 Subject: [PATCH 30/97] fix: bash_ensure_there_are_servers_in_ntp_compatible_config_file/doc: add types --- shared/macros/10-bash.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index a2c52f575b1..89acf010ff1 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -991,7 +991,9 @@ done Macro to ensure that the ntp/chrony config file contains valid server entries. :param config_file: Path to the ntp/chrony config file +:type config_file: str :param servers_list: Comma-separated list of servers +:type servers_list: str #}} {{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}} From 03c1ac9b569aac2079af1b97746b16d6f827aa24 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:31:39 +0300 Subject: [PATCH 31/97] fix: bash_apply_authselect_changes/doc: add type --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 89acf010ff1..1fa6887e53e 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1018,6 +1018,7 @@ fi not desired, avoid defining a backup name. :param backup_name: Changes the default backup name used by authselect. +:type backup_name: str #}} {{% macro bash_apply_authselect_changes(backup_name='') -%}} From b97a6ddb4b43a716ee3937f7ed3e9bc82c1b1a00 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:32:31 +0300 Subject: [PATCH 32/97] fix: bash_pam_pwhistory_parameter_value/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 1fa6887e53e..035972acb37 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1157,8 +1157,11 @@ fi from pam files to avoid conflicts or confusion. :param pam_file: PAM config file. +:type pam_file: str :param option: pwhistory option e.g.: remember, retry, debug +:type option: str :param value: value of option +:type value: str #}} {{%- macro bash_pam_pwhistory_parameter_value(pam_file, option, value='') -%}} From f8f718637b0fb5ba97f7cbddb44742f4159460c2 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:33:12 +0300 Subject: [PATCH 33/97] fix: bash_pam_faillock_parameter_value/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 035972acb37..23f632b859a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1205,8 +1205,11 @@ fi It also adds pam_faillock.so as required module for account. :param option: faillock option eg. deny, unlock_time, fail_interval +:type option: str :param value: value of option +:type value: str :param authfail: check the pam_faillock.so conf line with authfail +:type authfail: bool #}} {{%- macro bash_pam_faillock_parameter_value(option, value='', authfail=True) -%}} From d7e2735d864e6dd7ec4bd641f4ef3c489566bf06 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:41:36 +0300 Subject: [PATCH 34/97] fix: bash_file_contents/doc: add types --- shared/macros/10-bash.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 23f632b859a..539ed71d78c 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1392,7 +1392,9 @@ rm "{{{ path }}}.bak" Generates bash script code that puts 'contents' into a file at 'filepath' :param filepath: Filepath of the file to check +:type filepath: str :param contents: Contents that should be in the file +:type contents: str #}} {{%- macro bash_file_contents(filepath='', contents='') %}} 
From c796c63bfa0285d762775fbe413a83595d130faa Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:42:09 +0300 Subject: [PATCH 35/97] fix: bash_replace_or_append/doc: add types --- shared/macros/10-bash.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 539ed71d78c..afa334e149c 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1574,9 +1574,13 @@ fi {{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}} :param config_file: Configuration file that will be modified +:type config_file: str :param key: Configuration option to change +:type key: str :param value: Value of the configuration option to change +:type value: str :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) +:type format: str #}} {{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s') -%}} From b23f1278419392e7e6001afb51544e7230ad68ae Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:57:42 +0300 Subject: [PATCH 36/97] fix: bash_ensure_mount_option_for_vfstype/doc: add types --- shared/macros/10-bash.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index afa334e149c..367dacc3f50 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1632,9 +1632,13 @@ done documentation :param vfstype: type of filesystem +:type vfstype: str :param mount_opt: mount point option which we are checking +:type mount_opt: str :param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) +:type fs_spec: str :param type: mount type of new mount point (used when adding new entry in fstab) +:type type: str #}} {{% macro bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type) -%}} From 57e8c08d5d8e56a65ca32fc7a4fceea60f4e0624 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:04:16 +0300 Subject: [PATCH 37/97] fix: bash_pkg_conditional/doc: add types --- shared/macros/10-bash.jinja | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 367dacc3f50..b7007f46ef3 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1997,8 +1997,11 @@ optional version restricion, the Bash remediation will be applied. The macro respects `platform_package_overrides` variable. :param package: package name -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type package: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_pkg_conditional(package, op=None, ver=None) -%}} From 100d56e85f8be7b927544e68b896088704034c39 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:04:48 +0300 Subject: [PATCH 38/97] fix: bash_get_rpm_package_version/doc: add type --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index b7007f46ef3..c3dce130d4c 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
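Review bot: In the `@@ -1632` hunk, `:type fs_spec: str` documents a parameter the macro does not have: the signature on the next line is `bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type)`, so the pre-existing `:param fs_spec:` entry was already wrong and the new type line repeats the mismatch. Unless the macro body (outside the hunk) refers to fs_spec, document the real name: `:param filesystem: identification of the filesystem to be mounted (LABEL, UUID, device name etc.)` followed by `:type filesystem: str`. Renaming the macro argument instead would change the interface for every caller, so fixing the doc is the safe direction.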
@@ -2024,6 +2024,7 @@ JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'. This macro generates code that gets version of an installed RPM package. :param package: package name +:type package: str #}} {{%- macro bash_get_rpm_package_version(package) -%}} From ee9b030fd7a69a71134c3694fcd0a4e5f08ed853 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:07:34 +0300 Subject: [PATCH 39/97] fix: bash_pkg_conditional_compare/doc: add types, fix sphinx format --- shared/macros/10-bash.jinja | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index c3dce130d4c..ffc3e8842aa 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2037,27 +2037,33 @@ This macro creates a Bash conditional that compares version of the package with a given version. Description of the algorithm: -1. Get the actual version of the given package and store it in `real`. -2. Store the expected version in `ver`. -3. Perform the comparison and return the result. + +#. Get the actual version of the given package and store it in `real`. +#. Store the expected version in `ver`. +#. Perform the comparison and return the result. Comparison method is different based on the comparison operator. The method code is chosen at the build time during Jinja expansion. Therefore, the algorithm doesn't use the operator at all. Based on the operator, these operations are performed: - a. "<": real != ver && is_sorted([real, ver]) - b. "<=": is_sorted([real, ver]) - c. "==": real == ver - d. "!=": real != ver - e. ">=" real != ver && is_sorted([ver, real]) - f. ">" is_sorted([ver, real]) + + #. "<": real != ver && is_sorted([real, ver]) + #. "<=": is_sorted([real, ver]) + #. "==": real == ver + #. "!=": real != ver + #. ">=" real != ver && is_sorted([ver, real]) + #. ">" is_sorted([ver, real]) + where is_sorted returns true if the given list parameter is a sorted list of version numbers. The implementation uses the GNU `sort` version ordering, which is described at: https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-ordering :param real: real package version +:type real: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param expected: expected package version +:type expected: str #}} {{%- macro bash_pkg_conditional_compare(real, op, expected) -%}} From 4ee12e5d26c4c378f922a7bb15dcb03890243e95 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:10:13 +0300 Subject: [PATCH 40/97] fix: bash_compare_version/doc: add types, fix sphinx format --- shared/macros/10-bash.jinja | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
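Review bot: The rewritten operator list looks internally inconsistent: `<` is given the strict form (`real != ver && is_sorted([real, ver])`) and `<=` the non-strict one, but on the new side `>=` gets the strict expression and `>` the non-strict one, and both of those entries lack the colon the other four have. If the macro body (outside the hunk) follows the same symmetry as the `<`/`<=` cases, the two lines should read `#. ">=": is_sorted([ver, real])` and `#. ">": real != ver && is_sorted([ver, real])`. If the body really does what the text currently says, it is the implementation rather than the doc that needs a look.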
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index ffc3e8842aa..e983246705a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2075,14 +2075,19 @@ https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-orderi This macro generates comparison code based on the operator. Assumptions: -- Version arguments are either literal, or they expand to versions (e.g. the argument is a deferenced variable) -- Either all versions have epoch, or none of them has. - - Violation of this results in undefined behavior. - - If one has epoch e.g. 0, and the other one has no epoch, they will not be treated as equal. + +* Version arguments are either literal, or they expand to versions (e.g. the argument is a deferenced variable) +* Either all versions have epoch, or none of them has. + + * Violation of this results in undefined behavior. + * If one has epoch e.g. 0, and the other one has no epoch, they will not be treated as equal. :param real: real package version +:type real: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param expected: expected package version +:type expected: str #}} {{%- macro bash_compare_version(real, op, expected) -%}} From 49048510dd6f002f50ffe73972541b3a0e7f4b37 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:11:16 +0300 Subject: [PATCH 41/97] fix: bash_pkg_conditional_rpm/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index e983246705a..305bc297822 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
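Review bot: The rewritten bullet in the `@@ -2075` hunk keeps the typo `deferenced`; since the line is being touched anyway it should read `* Version arguments are either literal, or they expand to versions (e.g. the argument is a dereferenced variable)`. The macro body of bash_compare_version is outside the hunk.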
@@ -2111,9 +2111,12 @@ printf "%s\n%s" "{{{ expected }}}" "{{{ real }}}" | sort -VC This macro creates a Bash conditional which uses rpm to check if a package passed as a parameter is installed. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") The version always needs to contain epoch. If the package has no epoch, please prepend "0:". +:type ver: str #}} {{%- macro bash_pkg_conditional_rpm(package, op=None, ver=None) -%}} From c47c23554006ea4890c8fe0a7c3096e168ecacd2 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:11:36 +0300 Subject: [PATCH 42/97] fix: bash_get_dpkg_package_version/doc: add type --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 305bc297822..b1f2c647356 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2132,6 +2132,7 @@ rpm --quiet -q {{{ package }}} This macro generates code that gets version of an installed DEB package. :param package: package name +:type package: str #}} {{%- macro bash_get_dpkg_package_version(package) -%}} From 6be074660eca5c5af0f1e45d806d669db066fa84 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:12:13 +0300 Subject: [PATCH 43/97] fix: bash_compare_version_dpkg/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index b1f2c647356..9851a7cce61 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
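Review bot: In the `@@ -2111` hunk, `op` defaults to None in `bash_pkg_conditional_rpm(package, op=None, ver=None)`, yet the `:param op:` line is left without the "optional argument" wording that the sibling hunks for bash_pkg_conditional (`@@ -1997`) and bash_pkg_conditional_dpkg (`@@ -2163`) add in this same series. For consistency the line should read `:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=")`.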
@@ -2146,8 +2146,11 @@ This macro creates a Bash conditional that compares version of the DEB package with a given version. :param package: package name +:type package: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_compare_version_dpkg(package, op, ver) -%}} From 767c1336e261bbd302cef9dd3b9051fad0d6de24 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:13:17 +0300 Subject: [PATCH 44/97] fix: bash_pkg_conditional_dpkg/doc: add types --- shared/macros/10-bash.jinja | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 9851a7cce61..96ce15d629d 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2163,8 +2163,11 @@ with a given version. This macro creates a Bash conditional which uses dpkg to check if a package passed as a parameter is installed. :param package: package name -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type package: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param ver: package version (optional argument, use together with "op") +:type ver: str #}} {{%- macro bash_pkg_conditional_dpkg(package, op=None, ver=None) -%}} From 2dd248a71e3f57c38291637471950f0b98a32f2b Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:14:46 +0300 Subject: [PATCH 45/97] fix: bash_chromium_pol_setting/doc: add types --- shared/macros/10-bash.jinja | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 96ce15d629d..6af7d257aef 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2183,15 +2183,20 @@ dpkg-query --show --showformat='${db:Status-Status}\n' '{{{ package }}}' 2>/dev/ Macro to replace configuration setting(s) in the Chromium stig policy (.json) file or add the preference if it does not exist. -Example macro invocation: +Example macro invocation:: {{{ bash_chromium_pol_setting("chrome_stig_policy.json", "/etc/chromium/policies/managed/", "ExtensionInstallBlacklist", "\[\"*\"\]") }}} :param chrome_pol_file: Policy file to that will be modified +:type chrome_pol_file: str :param chrome_pol_dir: Directory where the policy file is located +:type chrome_pol_dir: str :param pol_setting: The setting that will be modified +:type pol_setting: str :param pol_setting_val: Value of the setting to replace the current value with +:type pol_setting_val: str :param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present +:type pol_setting_val_edit: str #}} {{%- macro bash_chromium_pol_setting(chrome_pol_file, chrome_pol_dir, pol_setting, pol_setting_val, pol_setting_val_edit=None) %}} From 69e5fcf5133c23062c6b5b5bb05d717df79a258b Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:19:23 +0300 Subject: [PATCH 46/97] fix: bash_ensure_ini_config/doc: add types, fix format --- shared/macros/10-bash.jinja | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 6af7d257aef..d46ccc5399f 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
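Review bot: `pol_setting_val_edit` defaults to None in bash_chromium_pol_setting's signature, but the new `:type pol_setting_val_edit: str` is attached to a description that never says the argument is optional, unlike the PAM docstrings elsewhere in this series which append "Optional parameter."; suggest `:param pol_setting_val_edit: Value of the setting to be inserted if setting and value not present. Optional parameter.`. While the block is being rewritten, the context line `:param chrome_pol_file: Policy file to that will be modified` still carries a stray "to" that the commit leaves in place.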
@@ -2237,18 +2237,22 @@ done < <({{{ command_and_its_args }}}) {{# - # Ensure key is set to correct value under a correct section in an .ini style config file + Ensure key is set to correct value under a correct section in an .ini style config file + +Example macro invocation(s):: + + {{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "offline_credentials_expiration", "1") }}} + {{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") }}} :param files: list of space-separated files to add key = value to (may contain wildcards) if none contain section, create and append to FIRST file +:type files: str :param section: section to add key = value under +:type section: str :param key: key +:type key: str :param value: value - -Example macro invocation(s): - - bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "offline_credentials_expiration", "1") - bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "sssd", "user", "sssd") +:type value: str #}} {{% macro bash_ensure_ini_config(files, section, key, value) -%}} From 0ee5dfbbec2c682f441ce541a0c5c7a989228ae2 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:20:41 +0300 Subject: [PATCH 47/97] fix: bash_ensure_pam_module_line/doc: add types, fix format --- shared/macros/10-bash.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index d46ccc5399f..234061550ce 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2290,10 +2290,12 @@ fi If the line is not present, it will be included after the regex informed in the "after_match" parameter. If the "after_match" parameter is empty, the line will be included at the end of the file informed in the "pam_file" parameter. + If the line was already present, but with a different control, the control will be updated. Note: If there are multiple lines matching the "group" + "module", no lines will be updated. Instead, a new line will be included after the regex informed in "after_match" or at the end of file if "after_match" parameter is empty or there is no match. + This is a conservative safeguard for improper use of this macro in rare cases of modules configured by multiple lines, like pam_sss.so, pam_faillock.so and pam_lastlog.so. In some situations, these special modules may have similar lines sharing the same "group" and "module". @@ -2301,11 +2303,16 @@ fi PAM module is working as expected. Otherwise, a custom remediation should be considered. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. Note: For this macro, there is a special value used to include a line at the beginning of the file: "BOF" +:type after_match: str #}} {{%- macro bash_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}} From 965b13822891dab7ab7547caec277a202d970fd7 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:21:46 +0300 Subject: [PATCH 48/97] fix: bash_ensure_pam_module_option/doc: add types --- shared/macros/10-bash.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 234061550ce..90050c1b2fe 100644 
--- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2343,12 +2343,19 @@ fi Make sure that an existing PAM module line is properly configured with an option. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro bash_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}} From b80f589e6f07f192ab06a482320b47f2b0448516 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:22:00 +0300 Subject: [PATCH 49/97] fix: bash_remove_pam_module_option/doc: add types --- shared/macros/10-bash.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 90050c1b2fe..fafcca2375b 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2381,10 +2381,15 @@ fi Remove a PAM module option if present in a PAM module line. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro bash_remove_pam_module_option(pam_file, group, control, module, option) -%}} From a5ad341f8dbadd384d80660c4f6b1a4a066540e3 Mon Sep 17 00:00:00 2001 
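Review bot: The description above the new `:type value: str` line in bash_ensure_pam_module_option reads `PAM module option argument, if is case. Optional parameter.`, which is ungrammatical and does not tell the caller when the argument is needed; presumably it means the value is only required when the option takes an argument, in which case `:param value: PAM module option argument, if the option takes one. Optional parameter.` says so. The identical sentence appears in the bash_ensure_pam_module_configuration hunk of the next patch and should get the same fix.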
From: Markus Linnala Date: Sat, 20 May 2023 17:22:15 +0300 Subject: [PATCH 50/97] fix: bash_ensure_pam_module_configuration/doc: add types --- shared/macros/10-bash.jinja | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index fafcca2375b..c80ca52a1d5 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2456,12 +2456,19 @@ fi relies on authselect. Otherwise, the PAM files will be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. Optional parameter. +:type option: str :param value: PAM module option argument, if is case. Optional parameter. +:type value: str :param after_match: Regex used as reference to include the PAM line below, if necessary. Optional parameter. +:type after_match: str #}} {{%- macro bash_ensure_pam_module_configuration(pam_file, group, control, module, option='', value='', after_match='') -%}} From 10e69db9cdde4cd0612f3826d264296fa849b7f6 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:22:28 +0300 Subject: [PATCH 51/97] fix: bash_remove_pam_module_option_configuration/doc: add types --- shared/macros/10-bash.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index c80ca52a1d5..fea3112219c 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2498,10 +2498,15 @@ fi be directly edited. :param pam_file: PAM config file. +:type pam_file: str :param group: PAM management group: auth, account, password or session. Also known as "type". +:type group: str :param control: PAM control flags. Optional parameter, but recommended to be informed whenever possible. +:type control: str :param module: PAM module name. +:type module: str :param option: PAM module option. +:type option: str #}} {{%- macro bash_remove_pam_module_option_configuration(pam_file, group, control, module, option) -%}} From db33bcd677a4c46703539c8ecb76ed781447e885 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:24:12 +0300 Subject: [PATCH 52/97] fix: bash_os_linux_conditional/doc: add types --- shared/macros/10-bash.jinja | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index fea3112219c..135eafdc92a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2573,10 +2573,14 @@ conforms and satisfies the optional version restricion, the Bash remediation will be applied. :param os_id: OS name, value of the ID variable in /etc/os-release +:type os_id: str :param expected_ver: expected OS version, value of the VERSION_ID variable in /etc/os-release (optional argument, use together with "op") -:param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type expected_ver: str +:param op: version comparison operator (optional argument, "<", "<=", "==", "!=", ">", ">=") +:type op: str :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_os_linux_conditional(os_id, expected_ver=None, op=None, os_release_path="/etc/os-release") -%}} From 407b420ba73f68679e65765e51cd1520cc4ce674 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 17:24:36 +0300 Subject: [PATCH 53/97] fix: bash_compare_version_os_linux/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 135eafdc92a..88ea300f172 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2597,8 +2597,11 @@ This macro generates bash condition that compares the actual version of the operating system with the expected version using the given operator. :param expected: expected OS version, value of the VERSION_ID variable in /etc/os-release +:type expected: str :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") +:type op: str :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_compare_version_os_linux(expected, op, os_release_path="/etc/os-release") -%}} From b44a113a02538fed6be8d61646e48a2daa0402eb Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:24:49 +0300 Subject: [PATCH 54/97] fix: bash_get_version_os_linux/doc: add type --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 88ea300f172..1828d7574b1 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2614,6 +2614,7 @@ This macro generates code that retrieves the operating system version from /etc/os-release from VERSION_ID variable. :param os_release_path: path to the os-release file, default: "/etc/os-release" +:type os_release_path: str #}} {{%- macro bash_get_version_os_linux(os_release_path="/etc/os-release") -%}} From 33a258cd5629f8b50191dbd8f9b101177094ac3a Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 17:01:42 +0300 Subject: [PATCH 55/97] fix: bash_fix_audit_syscall_rule/doc: fix names, add types --- shared/macros/10-bash.jinja | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 1828d7574b1..6904af216a9 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1735,18 +1735,29 @@ for further details. Notes: -* The 2-nd up to 4-th arguments are used to determine how many existing audit rules will be inspected for resemblance with the new audit rule the macro is going to add. -* The macro's similarity check uses the 5-th argument to optimize audit rules definitions (merge syscalls of the same group into one rule) to avoid the "single-syscall-per-audit-rule" performance penalty. -* The key argument (7-th argument) is not used when the syscall is grouped to an -existing audit rule. The audit rule will retain the key it already had. - -:param audit_tool: tool used to load audit rules, either 'auditctl', or 'augenrules +* The 2-nd up to 4-th arguments are used to determine how many existing audit + rules will be inspected for resemblance with the new audit rule the macro + is going to add. +* The macro's similarity check uses the 5-th argument to optimize audit rules + definitions (merge syscalls of the same group into one rule) to avoid the + "single-syscall-per-audit-rule" performance penalty. +* The key argument (7-th argument) is not used when the syscall is grouped to + an existing audit rule. The audit rule will retain the key it already had. + +:param tool: tool used to load audit rules, either 'auditctl', or 'augenrules +:type tool: str :param action_arch_filters: The action and arch filters of the rule. For example, "-a always,exit -F arch=b64" +:type action_arch_filters: str :param other_filters: Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd" +:type other_filters: str :param auid_filters: The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset" +:type auid_filters: str :param syscall: The syscall to ensure presense among audit rules. For example, "chown" +:type syscall: str :param syscall_groupings: Other syscalls that can be grouped with 'syscall' as a space separated list. 
For example, "fchown lchown fchownat" -:param key: The key to use when appending a new rule +:type syscall_groupings: str +:param key: The key to use when appending a new rule +:type key: str #}} {{% macro bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key) -%}} From 279c85687d587c699c8a773ab239190fcd7770f6 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 10:39:04 +0300 Subject: [PATCH 56/97] fix: bash_shell_file_set/doc: argument types --- shared/macros/10-bash.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 6904af216a9..caef9b778be 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -129,8 +129,8 @@ fi :type parameter: str :param value: Value to set :type value: str -:param no_quotes: Boolean, if true the value is not quoted. Default is false. -:type no_quotes: str +:param no_quotes: If true the value is not quoted. Default is false. +:type no_quotes: bool #}} {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} From 834aeb89a9e454f72ff85463a093f7e1729e7f3d Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:55:01 +0300 Subject: [PATCH 57/97] fix: fixtext_sshd_lineinfile/doc: add type --- shared/macros/10-fixtext.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index f7712090a85..16828d86910 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -237,6 +237,7 @@ The audit daemon must be restarted for the changes to take effect. :parameter value: Value to set :type value: str :param config_is_distributed: Should the value go in 00-complianceascode-hardening.conf vs the main sshd config file +:type config_is_distributed: bool #}} {{%- macro fixtext_sshd_lineinfile(parameter, value, config_is_distributed) -%}} 
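Review bot: The renamed line `+:param tool: tool used to load audit rules, either 'auditctl', or 'augenrules` carries over the unbalanced quote from the old `audit_tool` line, so the second literal never closes; suggest `:param tool: tool used to load audit rules, either 'auditctl' or 'augenrules'`. The context line `:param syscall: The syscall to ensure presense among audit rules` also misspells "presence", which is cheap to pick up while this docstring is being reflowed.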
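Review bot: The new `:type config_is_distributed: bool` line in fixtext_sshd_lineinfile sits directly under a context line that uses `:parameter value: Value to set` rather than the `:param` field every other docstring in this series standardises on, so anything that parses these blocks by field name would still miss `value` here; suggest `:param value: Value to set`. The `bool` type itself is consistent with the bash_shell_file_set hunk earlier on this line, which uses the same name for a true/false flag.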
From 9f92474a2c0459539d736cb9d7b5ed26f375a5a7 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:51:01 +0300 Subject: [PATCH 58/97] fix: fixtext_audit_rules_unsuccessful_file_modification_rule_order/doc: fix type --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 16828d86910..ad9d1274eb9 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -164,7 +164,7 @@ The audit daemon must be restarted for the changes to take effect. Used in rules using template audit_rules_unsuccessful_file_modification_rule_order. :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_unsuccessful_file_modification_rule_order(syscall) -%}} From b8c12302f33297dfee17fc98b1154faaa6c5cf2f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:51:23 +0300 Subject: [PATCH 59/97] fix: fixtext_audit_rules_unsuccessful_file_modification_o_trunc_write/doc: fix type --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index ad9d1274eb9..99d605dc617 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -149,7 +149,7 @@ The audit daemon must be restarted for the changes to take effect. Used in rules using template audit_rules_unsuccessful_file_modification_o_trunc_write :param syscall: syscall name -:type path: str +:type syscall: str :param pos: position of the O_CREAT argument in the syscall parameters :type pos: str From 5cae887b37579af2a4e784993a8d49f4c570b4e6 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:51:42 +0300 Subject: [PATCH 60/97] fix: fixtext_audit_rules_unsuccessful_file_modification_o_creat/doc: fix type --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 99d605dc617..31b6e58df91 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -133,7 +133,7 @@ The audit daemon must be restarted for the changes to take effect. Used in rules using template audit_rules_unsuccessful_file_modification_o_creat :param syscall: syscall name -:type path: str +:type syscall: str :param pos: position of the O_CREAT argument in the syscall parameters :type pos: str From d8e774d4950fd0b5910c49c08afc08d51c62b73f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:52:30 +0300 Subject: [PATCH 61/97] fix: fixtext_audit_rules_unsuccessful_file_modification/doc: fix types --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 31b6e58df91..0af7b35770d 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -115,10 +115,10 @@ The audit daemon must be restarted for the changes to take effect. Used in rules using template audit_rules_unsuccessful_file_modification :param syscall: syscall name -:type path: str +:type syscall: str :param syscall_grouping: A list of other syscalls that can be audited with the same audit rules. -:type path: str +:type syscall_grouping: list #}} {{% macro fixtext_audit_rules_unsuccessful_file_modification(syscall, syscall_grouping) -%}} From 3ef8a4a235bb9ec299d6d900783f784067eb31d9 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:52:52 +0300 Subject: [PATCH 62/97] fix: fixtext_audit_rules_dac_modification_attr: fix types --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 0af7b35770d..1cdd97ba1a6 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja 
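Review bot: `:type syscall_grouping: list` in fixtext_audit_rules_unsuccessful_file_modification is the only place in this series where a syscall grouping is typed as a Jinja list; the bash_fix_audit_syscall_rule docstring in patch 55 documents its `syscall_groupings` as `str` holding a space-separated list. If both macros are fed from the same template variable, one of the two types is wrong, so this is worth confirming against the macro body, which lies outside this hunk, before tooling relies on it. If the parameter really is a string, the line should read `:type syscall_grouping: str`.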
@@ -102,7 +102,7 @@ The audit daemon must be restarted for the changes to take effect. Generate a fixtext for audit rules for dac modification events - attr :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_attr(syscall) -%}} From ffb7ede8c0a7746f588b734ff39b3c4d47683fef Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:53:56 +0300 Subject: [PATCH 63/97] fix: fixtext_audit_rules_dac_modification_chmod/doc: fix type --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 1cdd97ba1a6..40393d74e10 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -66,7 +66,7 @@ The audit daemon must be restarted for the changes to take effect. Generate a fixtext for audit rules for dac modification events - chmod :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chmod(syscall) -%}} From e4345569c23923ccd2e562829180ceed4396dad0 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:54:17 +0300 Subject: [PATCH 64/97] fix: fixtext_audit_rules_file_deletion_events/doc: fix type --- shared/macros/10-fixtext.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 40393d74e10..37f25eed61a 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -54,7 +54,7 @@ The audit daemon must be restarted for the changes to take effect. Generate a fixtext for audit rules for file deletion events :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_file_deletion_events(syscall) -%}} From 06a4c4df4875d833b9f5bda7de24b96bab4cb0d2 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sun, 21 May 2023 09:52:08 +0300 Subject: [PATCH 65/97] fix: fixtext_file_group_owner/doc: parameter name --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 37f25eed61a..42a45a7f973 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -503,8 +503,8 @@ Fixtext for setting the group owner on a file. :param file: The file to set the group owner on :type file: str -:param owner: The group to be set -:type owner: str +:param group: The group to be set +:type group: str #}} {{% macro fixtext_file_group_owner(file, group) %}} From 2c996dae9c0767f788492269d814522a0f498d3f Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:52:35 +0300 Subject: [PATCH 66/97] fix: fixtext_socket_disabled/doc: parameter name --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 42a45a7f973..bb2f8f899e7 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -290,8 +290,8 @@ The audit daemon must be restarted for the changes to take effect. {{# Describe how to disable a socket -:param parameter: socket to be disabled -:type parameter: str +:param socket: socket to be disabled +:type socket: str #}} {{%- macro fixtext_socket_disabled(socket) -%}} From 00ef07b99e792a8f9b8ee7e102911ba721288372 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:53:00 +0300 Subject: [PATCH 67/97] fix: fixtext_service_disabled/doc: parameter name --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index bb2f8f899e7..76e096977d8 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja 
@@ -274,8 +274,8 @@ The audit daemon must be restarted for the changes to take effect. {{# Describe how to disable a service -:param parameter: service to be disabled -:type parameter: str +:param service: service to be disabled +:type service: str #}} {{%- macro fixtext_service_disabled(service) -%}} From b43baef050f5d72aad0d3c46086c0995c49e2935 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:53:24 +0300 Subject: [PATCH 68/97] fix: fixtext_service_enabled/doc: parameter name --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 76e096977d8..32f4ea6cddd 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -260,8 +260,8 @@ The audit daemon must be restarted for the changes to take effect. {{# Describe how to enable a service -:param parameter: service to enable -:type parameter: str +:param service: service to enable +:type service: str #}} {{%- macro fixtext_service_enabled(service) -%}} From 5a32076be8defa773e7741e165c85e71b9ea4cf8 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:45:22 +0300 Subject: [PATCH 69/97] fix: ocil_cluster_logging_rbac_review/doc: fix types --- shared/macros/10-ocil.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 0a35b283b5b..e6f0798f2bd 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -1245,7 +1245,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati OCIL for how to check RBAC permissions for cluster logging :param verb: The RBAC verb to check -:type file: str +:type verb: str #}} {{%- macro ocil_cluster_logging_rbac_review(verb) -%}} From 1eb9a76ab3ef00b6822f9d5ce8cbda2cf741f080 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sun, 21 May 2023 09:49:30 +0300 Subject: [PATCH 70/97] fix: ocil_clause_file_group_owner/doc: fix parameter name in doc --- shared/macros/10-ocil.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index e6f0798f2bd..804574a2e09 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -966,8 +966,8 @@ JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'. :param file: File to change :type file: str -:param owner: the group owner for the file -:type owner: str +:param group: the group owner for the file +:type group: str #}} {{%- macro ocil_clause_file_group_owner(file, group) -%}} From 1f3d58c7f836cd784c1c072523f5ffe1c9748125 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 11:09:50 +0300 Subject: [PATCH 71/97] fix: oval_check_config_file/doc: bool type as bool Use jinja type names like rest. --- shared/macros/10-oval.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 8191d83e482..371d4a3e5ff 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -32,13 +32,13 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param separator_regex: Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression. :type separator_regex: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). -:type missing_parameter_pass: boolean +:type missing_parameter_pass: bool :param application: The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. :type application: str :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -:type multi_value: boolean +:type multi_value: bool :param missing_config_file_fail: If set, the check will fail if the configuration is not existent in the system. -:type missing_config_file_fail: boolean +:type missing_config_file_fail: bool :param section: If set, the parameter will be checked only within the given section defined by [section]. :type section: str :param quotes: If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. From 62845cf784f7d1ac07fba725f436a447b5e5407c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 11:10:39 +0300 Subject: [PATCH 72/97] fix: oval_check_shell_file/doc: use jinja type names, fix type name --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 371d4a3e5ff..5d1407ec178 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -497,7 +497,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param value: The variable value WITHOUT QUOTES. :type value: str :param application: The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. -:type value: application +:type application: str :param no_quotes: If set, the check will require that the RHS of the assignment is the literal value, without quotes. If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check. :type no_quotes: bool :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). From b70bc444c2ec32d44e5aabb48aae55560aa63bfc Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:53:47 +0300 Subject: [PATCH 73/97] fix: oval_file_contents/doc: add type --- shared/macros/10-oval.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 5d1407ec178..6423347fb4f 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -764,6 +764,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param filepath: filepath of the file to check :type filepath: str :param filepath_id: Used like test_whole_file_contents_$filepath_id +:type filepath_id: str :param contents: contents that should be in the file :type contents: str From 4a21b2bb1abcd9b354e45cc3371efd8d877e321c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:42:05 +0300 Subject: [PATCH 74/97] fix: oval_grub_config/doc: fix type --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 6423347fb4f..297f9fb4b16 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -567,7 +567,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param parameter: The parameter to be checked in the configuration file. :type parameter: str :param value: The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). -:type parameter: str +:type value: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. From f6624c7438f8d990bb26ee057650387f9288b809 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:43:07 +0300 Subject: [PATCH 75/97] fix: oval_auditd_config/doc: fix types --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 297f9fb4b16..c6a018e7dea 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -531,7 +531,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -:type missing_parameter_pass: bool +:type multi_value: bool :param missing_config_file_fail: If set, the check will fail if the configuration file doesn't exist in the system. :type missing_config_file_fail: bool From 5a4d65172f1533a034a47f357d897e66203dcd26 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 20 May 2023 22:44:36 +0300 Subject: [PATCH 76/97] fix: oval_argument_value_in_line/doc: fix types --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index c6a018e7dea..41c83bb157a 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -446,7 +446,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param name: Argument name :type name: str :param value: Argument value -:type name: str +:type value: str :param line_prefix: The starting part of the line with the list of arguments, default is empty :type line_prefix: str :param line_suffix: The ending part of the line with the list of arguments, default is empty From c1a7ef44ed17cd26a162905c2ed4bc25ddbc9da3 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:29:41 +0300 Subject: [PATCH 77/97] fix: oval_check_dconf_ini_file/doc: fix types and add missing argument --- shared/macros/10-oval.jinja | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 41c83bb157a..90a96d023df 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -848,8 +848,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type value: str :param application: What application this applies to :type application: str +:param section: What section this applies to +:type section: str :param quotes: If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. -:type value: str +:type quotes: str :param lock_path: Path to lock file :type lock_path: str 
From c8dcba26c80e6b6be5808aa7efb03f7615dfc78c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:46:36 +0300 Subject: [PATCH 78/97] fix: oval_line_in_file_criterion/doc: fix parameters --- shared/macros/10-oval.jinja | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 90a96d023df..d7e4d4b3460 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -103,12 +103,14 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{# Macro to define the criterion of the OVAL check (Criterion definition). -:param oval_line_in_file_criterion: Path to the configuration file to be checked. -:type oval_line_in_file_criterion: str +:param path: Path to the configuration file to be checked. +:type path: str :param parameter: The parameter to be checked in the configuration file. :type parameter: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool +:param comment: Optional criterion comment +:type comment: str :param id_stem: The first suffix of tests, objects etc. that ensures uniqueness of the particular OVAL entity ID. Defaults to the rule ID. :type id_stem: str :param avoid_conflicting: If true, the check will only pass in case all (if any) configurations found are compliant From 4ebb1f09368b7c6d182ece72449b9ccac55fe510 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:44:33 +0300 Subject: [PATCH 79/97] fix: srg_requirement_directory_group_owner/doc: fix name in doc --- shared/macros/10-srg_requirement.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-srg_requirement.jinja b/shared/macros/10-srg_requirement.jinja index f2aecf2e6db..4f35c4bf48b 100644 --- a/shared/macros/10-srg_requirement.jinja +++ b/shared/macros/10-srg_requirement.jinja 
@@ -141,8 +141,8 @@ SRG requirement for setting the group owner on a directory. :param file: The directory to set the group owner on :type file: str -:param owner: The group to be set -:type owner: str +:param group: The group to be set +:type group: str #}} {{% macro srg_requirement_directory_group_owner(file, group) %}} From 98f60a6e30fa40a84aa1e863fc83af9daf18c97b Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 14:59:32 +0300 Subject: [PATCH 80/97] fix: warning_ovirt_rule_notapplicable/doc: add type Param must start line --- shared/macros/10-warning.jinja | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-warning.jinja b/shared/macros/10-warning.jinja index 1b187b206da..0198eacb5b3 100644 --- a/shared/macros/10-warning.jinja +++ b/shared/macros/10-warning.jinja @@ -2,7 +2,8 @@ Adds a boiler plate warning with a justification why a rule is disabled on RHV. Note: This is only applied on RHEL8 content. - :param rationale: Explanation why RHV needs the rule disabled. +:param rationale: Explanation why RHV needs the rule disabled. +:type rationale: str #}} {{% macro warning_ovirt_rule_notapplicable(rationale) %}} From 3a0585ac82886219e111b844c3a830dd7a07ceaa Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:00:03 +0300 Subject: [PATCH 81/97] fix: warning_rule_deprecated_by/doc: add types Param must start line --- shared/macros/10-warning.jinja | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-warning.jinja b/shared/macros/10-warning.jinja index 0198eacb5b3..242f46170a9 100644 --- a/shared/macros/10-warning.jinja +++ b/shared/macros/10-warning.jinja 
@@ -19,8 +19,10 @@ Includes a deprecation warning in rules which are no longer recommended in favor of a similar and more updated rule. - :param rule: Rule which replaces the deprecated rule. - :param release: Release number since the rule is officially deprecated. +:param rule: Rule which replaces the deprecated rule. +:type rule: str +:param release: Release number since the rule is officially deprecated. +:type release: str #}} {{% macro warning_rule_deprecated_by(rule, release='') %}} From 76e8ffc3fb787eb6f834ebf21ba649deb7584d57 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 11:11:21 +0300 Subject: [PATCH 82/97] fix: create_interactive_users_list_object/doc: param/type must start line --- shared/macros/10-oval.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index d7e4d4b3460..d8ccd95f6ac 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1015,8 +1015,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo The macro receives a string as parameter, which is used as the password_object id in the rule. - :param object_id: Object id to be created. - :type object_id: str +:param object_id: Object id to be created. +:type object_id: str #}} {{%- macro create_interactive_users_list_object(object_id) -%}} From 82b6125e7d900a25187b0ab2918e92d4bbde9d2e Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:34:48 +0300 Subject: [PATCH 83/97] fix: die/doc: add types --- shared/macros/10-bash.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index caef9b778be..21cd80db1fa 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1274,8 +1274,11 @@ fi Print a message to stderr and exit the shell :param message: The message to print. +:type message: str :param rc: The error code (optional, default is 1) +:type rc: int :param action: What to do (optional, default is 'exit', can be also 'return' or anything else) +:type action: str #}} {{% macro die(message, rc=1, action="exit") -%}} From b23b9820d2c48a8256102c39070b400e7050c357 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 15:55:37 +0300 Subject: [PATCH 84/97] fix: fix_openshift_logging_rbac/doc: add type --- shared/macros/10-fixtext.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 32f4ea6cddd..90de8f79bbb 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -594,6 +594,7 @@ Migrate the "{{{ part }}}" path onto a separate file system. Fixtext for how to restrict RBAC permissions for cluster logging :param verb: The RBAC verb to restrict +:type verb: str #}} {{% macro fix_openshift_logging_rbac(verb) -%}} From 1a6f88af6ef733de6e64c5702366c4c011a67239 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 11:08:41 +0300 Subject: [PATCH 85/97] fix: grub_command/doc: arguments/types - wrong format - no arg_name argument --- shared/macros/01-general.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index b29db5b4453..d9511190891 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja 
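Review bot: The new `:type message: str` line still says nothing about how the message is quoted, and the only escaping visible on this page is the body line `printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2`, which git printed as the function context of the later set_config_file hunk and which appears to be die's body. That replacement only escapes double quotes, so a message containing `$`, a backtick or a backslash is still interpreted by the generated shell script. I would extend the parameter line to `:param message: The message to print. Only double quotes are escaped; $, backticks and backslashes reach the shell unchanged, so keep it to literal text.` The macro body is outside this hunk, so confirm the escaping there before stating it as fact.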
@@ -1101,9 +1101,9 @@ Generates a correct command based on the product (grubby, grub2-mkconfig, update Part of the grub2_bootloader_argument(_absent) templates. :param action: What to do with the argument, must be one of: "update", "add", "remove". -:type action str: -:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". -:type arg_name_value str: +:type action: str +:param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". +:type arg_name_value: str #}} {{% macro grub_command(action, arg_name_value=None) -%}} From 890bbb3ffa1da16ae1327c701d309687aa643567 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 22:06:07 +0300 Subject: [PATCH 86/97] fix: grub2_bootloader_argument_remediation/doc: fix type format --- shared/macros/10-bash.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 21cd80db1fa..0dac47b4239 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1960,9 +1960,9 @@ Macro for Bash remediation for adding a kernel command line argument to the GRUB Part of the grub2_bootloader_argument template. :param arg_name: Kernel command line argument -:type arg_name str: +:type arg_name: str :param arg_name_value: Kernel command line argument concatenated with the value of this argument using an equal sign, eg. "noexec=off". -:type arg_name_value str: +:type arg_name_value: str #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} From 1f5a5f9977f3341589177107937c0f04289b7137 Mon Sep 17 00:00:00 2001 
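Review bot: The rewritten `:param arg_name_value:` line documents only the "add" and "remove" cases, while `:param action:` admits "update" as well and the signature `grub_command(action, arg_name_value=None)` in the same hunk makes the argument optional. The docstring should say that the argument may be omitted and what happens for "update", for example `:param arg_name_value: Optional, default None. If action is "add", the argument concatenated with its value (eg. "audit=1"); if action is "remove", the argument name only (eg. "audit"); presumably unused when action is "update".` The macro body is outside this hunk, so the "update" behaviour needs confirming there before the hedge is dropped.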
From: Markus Linnala Date: Sat, 20 May 2023 22:06:25 +0300 Subject: [PATCH 87/97] fix: grub2_bootloader_argument_absent_remediation/doc: fix type format --- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 0dac47b4239..bc22680f280 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1992,7 +1992,7 @@ Macro for Bash remediation for removing a kernel command line argument from the Part of the grub2_bootloader_argument_absent template. :param arg_name: Name of the kernel command line argument that will be removed from GRUB 2 configuration. -:type arg_name str: +:type arg_name: str #}} {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} From de541442fbe99233311a8c7794b36eb5c79afc05 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 21:04:59 +0300 Subject: [PATCH 88/97] fix: openshift_cluster_setting_kubeletconfig/doc: bad doc --- shared/macros/01-general.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index d9511190891..c7a75060129 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja 
@@ -12,7 +12,6 @@ This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the {{% if endpoint is string %}}{{{ endpoint }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file.{{% else %}}{{% for item in endpoint %}}{{{ item }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ item.lstrip("/") }}} file{{% endfor %}}.{{% endif %}} {{%- endmacro %}} -#}} {{% macro openshift_cluster_setting_kubeletconfig() -%}} This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes. Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}"/kubeletconfig/role/role" file. From f22be78d4abd64179b0a3dde709518abd2d167af Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 16:37:08 +0300 Subject: [PATCH 89/97] fix: set_config_file/doc: add types, add missing argument --- shared/macros/10-bash.jinja | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index bc22680f280..5df4802e292 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1291,15 +1291,27 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 Add an entry to a text configuration file :param path: path of the configuration file +:type path: str :param parameter: the parameter to be set in the configuration file +:type parameter: str :param value: the value of the parameter to be set in the configuration file +:type value: str :param create: whether create the file specified by path if the file does not exits +:type create: bool :param insert_after: inserts the entry right after first line that matches regular expression specified by this argument, set to EOF to insert at the end of the file +:type insert_after: str :param insert_before: inserts the entry right before first line that matches regular expression specified by this argument, set to BOF to insert at the beginning of the file +:type insert_before: str :param insensitive: ignore case +:type insensitive: bool :param separator: separates parameter from the value (literal) +:type separator: str :param separator_regex: regular expression that describes the separator and surrounding whitespace +:type separator_regex: str :param prefix_regex: regular expression describing allowed leading characters at each line +:type prefix_regex: str +:param sed_path_separator: +:type sed_path_separator: char #}} {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}} From e1c020b12bd2039067f931aae4e08a9dfb84eba8 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 09:50:14 +0300 Subject: [PATCH 90/97] fix: systemd_ocil_timer_enabled/doc: fix parameter name --- shared/macros/10-ocil.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 804574a2e09..615d368bd4e 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja 
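Review bot: The added `:param sed_path_separator:` line has an empty description, and `:type sed_path_separator: char` is not a Jinja/Python type name, which contradicts `:type separator: str` in the same block and the series' stated aim of using Jinja type names. From the name and the `"/"` default in `set_config_file(..., sed_path_separator="/")` it looks like the delimiter of a sed expression built from `path`; if so, the contract worth documenting is that it must be a single character that does not occur in `path`, otherwise the generated sed command breaks. Suggested lines: `:param sed_path_separator: Delimiter for the sed expression built from path; a single character that must not occur in path (default "/")` and `:type sed_path_separator: str`. The macro body is outside this hunk, so confirm the sed usage there before writing the description as fact.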
@@ -831,8 +831,8 @@ ocil_clause: "{{{ sebool }}} is not enabled" {{# Describe how to check if timer is enabled in systemd. -:param service: The service to check -:type service: str +:param timer: The timer to check +:type timer: str #}} {{%- macro systemd_ocil_timer_enabled(timer) %}} From abdec9ef467fe9c49f3b8035ac34558a90fda716 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:02:13 +0300 Subject: [PATCH 91/97] fix: update_etc_default_grub_manually/doc: add types --- shared/macros/10-bash.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 5df4802e292..cc907d6520d 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1952,7 +1952,9 @@ fi Ensures that /etc/default/grub file contains the arg_name_value. :param arg_name: name of the grub parameter, e.g.: "audit" +:type arg_name: str :param arg_name_value: parameter together with the value to ensure, e.g.: "audit=1" +:type arg_name_value: str #}} {{%- macro update_etc_default_grub_manually(arg_name, arg_name_value) -%}} From 909ca3e76de40a3aa1742be0a27b69ca7941dacb Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 20 May 2023 17:02:57 +0300 Subject: [PATCH 92/97] fix: update_etc_default_grub_manually_absent/doc: add type --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index cc907d6520d..759fc92bf1a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1991,6 +1991,7 @@ Part of the grub2_bootloader_argument template. Ensures that /etc/default/grub file does not contain the arg_name_value. :param arg_name: name of the grub parameter, e.g.: "audit" +:type arg_name: str #}} {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} From a72ade24bd8baedb0acc05dd3786ed078b341506 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sun, 21 May 2023 12:01:14 +0300 Subject: [PATCH 93/97] fix: ocil_firefox_config/doc: add hint about accepted values for value --- shared/macros/10-ocil.jinja | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 615d368bd4e..82f535ae813 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -1088,11 +1088,12 @@ Fill in GRUBENV_FILE_LOCATION based on information above. {{# Write out the OCIL for generating the common check for Firefox configuration + :param preference: Name of preference :type preference: str :param config: configuration item name in Firefox :type config: str -:param value: Expected value for preference +:param value: Expected value for preference, "true" or "false" :type value: str #}} From 538743ffb6eb4734280d221015cb7a208cc9a985 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 12:02:38 +0300 Subject: [PATCH 94/97] fix: ocil_firewalld_allow_access/doc: port is str See usage. --- shared/macros/10-ocil.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 82f535ae813..925dbb348ba 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -656,7 +656,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect. :param port: The port to allow -:type port: int +:type port: str :param proto: The protocol to allow :type proto: str :param service: The service to allow From bf306d122324470f4757c6735601dd7b342d2a37 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 12:05:18 +0300 Subject: [PATCH 95/97] fix: fixtext_audit_rules_dac_modification_chown: type name --- shared/macros/10-fixtext.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 90de8f79bbb..2147919809c 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -78,7 +78,7 @@ The audit daemon must be restarted for the changes to take effect. Generate a fixtext for audit rules for dac modification events - chown :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}} @@ -90,7 +90,7 @@ The audit daemon must be restarted for the changes to take effect. Generate a fixtext for audit rules for dac modification events - chown :param syscall: syscall name -:type path: str +:type syscall: str #}} {{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}} From 419154b52a9035389285124235ea3b210607f2aa Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 21 May 2023 12:06:14 +0300 Subject: [PATCH 96/97] fix: oval_metadata/doc: affected_platforms is list[str] --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index d8ccd95f6ac..f821ba9b7cf 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -811,7 +811,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param title: Optional, the associated rule title is used by default :type title: str :param affected_platforms: Optional, list of unix platform strings (e.g. "Fedora") to put under the affected element. Uses the oval_affected macro by default under the hood. -:type affected_platforms: str +:type affected_platforms: list[str] #}} {{%- macro oval_metadata(description, title="", affected_platforms=None) -%}} From 1428ab1189520d656dd0e883438df51031497660 Mon Sep 17 00:00:00 2001 
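Review bot: The hunks at 78 and 90 show the same docstring title `Generate a fixtext for audit rules for dac modification events - chown` and the same definition line `{{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}}` twelve lines apart, so unless the page collapsed two different definitions, 10-fixtext.jinja defines this macro twice. Jinja does not reject a repeated macro name; the later definition silently replaces the earlier one, so the first body is dead and whichever copy was meant for another syscall family is unreachable under its intended name. The commit only corrects `:type path:` to `:type syscall:` in both copies; the duplicate should be resolved by renaming the second macro and its title to the event it actually covers, or by deleting it if it is a true copy. Both macro bodies are outside the hunks.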
From: Markus Linnala Date: Sun, 21 May 2023 12:06:56 +0300 Subject: [PATCH 97/97] fix: oval_line_in_file_object/doc: missing_parameter_pass is bool --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index f821ba9b7cf..d913fc53645 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -190,7 +190,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo
 :param separator_regex: Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
 :type separator_regex: str
 :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
-:type missing_parameter_pass: str
+:type missing_parameter_pass: bool
 :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
 :type multi_value: bool
 :param filename_regex: If specified, the first argument is interpreted as `path`, and this will serve as `filename` regex.