Commit 8d1a484

Merge pull request #14595 from macko1/fix_8579
Refactor OCIL macros for installed/removed packages + rules
2 parents b9c91e1 + 07a2481 commit 8d1a484

145 files changed

Lines changed: 303 additions & 540 deletions

File tree

  • .claude
  • linux_os/guide
    • auditing
    • services
      • avahi/disable_avahi_group
      • base
      • cron_and_at
      • dhcp
        • disabling_dhcp_client/package_dhcp_client_removed
        • disabling_dhcp_server
      • dns
        • disabling_dns_server/package_bind_removed
        • package_dnsmasq_removed
      • docker/package_docker_installed
      • fapolicyd/package_fapolicyd_installed
      • ftp/disabling_vsftpd/package_vsftpd_removed
      • http
        • disabling_httpd/package_httpd_removed
        • disabling_nginx/package_nginx_removed
      • imap
        • disabling_cyrus-imapd/package_cyrus-imapd_removed
        • disabling_dovecot/package_dovecot_removed
      • kerberos/package_krb5-server_removed
      • ldap
        • openldap_client/package_openldap-clients_removed
        • openldap_server/package_openldap-servers_removed
      • mail
      • nfs_and_rpc
        • disabling_nfs/disabling_nfs_services/package_rpcbind_removed
        • package_nfs-common_removed
        • package_nfs-kernel-server_removed
        • package_nfs-utils_removed
      • ntp
      • obsolete
      • printing/package_cups_removed
      • proxy/disabling_squid/package_squid_removed
      • radius/package_freeradius_removed
      • routing/disabling_quagga/package_quagga_removed
      • smb
        • configuring_samba/package_samba-common_installed
        • disabling_samba/package_samba_removed
      • snmp/disabling_snmp_service/package_net-snmp_removed
      • ssh
      • sssd
      • usbguard/package_usbguard_installed
    • system
      • accounts
        • accounts-pam
        • accounts-physical/screen_locking
      • apparmor/package_pam_apparmor_installed
      • logging
        • journald/package_systemd-journal-remote_installed
        • log_rotation/package_logrotate_installed
        • package_rsyslog-gnutls_installed
        • package_rsyslog_installed
        • rsyslog_accepting_remote_messages/package_syslogng_installed
      • network
        • network-firewalld
          • firewalld_activation/package_firewalld_installed
          • firewalld_deactivation/package_firewalld_removed
        • network-ipsec
        • network-iptables
          • package_iptables-nft_installed
          • package_iptables-persistent_installed
          • package_iptables-persistent_removed
          • package_iptables-services_installed
          • package_iptables-services_removed
          • package_iptables_installed
        • network-nftables
        • network-susefirewall2
          • package_SuSEfirewall2_installed
          • susefirewall2_ddos_protection
          • susefirewall2_only_required_services
        • network-ufw
      • selinux
        • package_libselinux_installed
        • package_policycoreutils-python-utils_installed
        • package_policycoreutils_installed
        • package_setroubleshoot-plugins_removed
        • package_setroubleshoot-server_removed
      • software
        • integrity
          • crypto/package_crypto-policies_installed
          • endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed
          • fips
            • package_dracut-fips-aesni_installed
            • package_dracut-fips_installed
          • software-integrity/aide/package_aide_installed
        • sap_host
        • sudo/package_sudo_installed
        • system-tools
        • updating
  • shared/macros
  • tests/unit/ssg-module/test_playbook_builder_data/guide/package_abrt_removed


.claude/CLAUDE.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -173,7 +173,8 @@ Used in rule descriptions, OCIL, fixtext, and warnings fields:
173173
- `{{{ describe_file_permissions(file="/path", perms="0700") }}}` - File permission description
174174
- `{{{ describe_sysctl_option_value(sysctl="key", value="val") }}}` - Sysctl description
175175
- `{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}}` - Full OCIL for sysctl
176-
- `{{{ complete_ocil_entry_package(package="name") }}}` - Full OCIL for package check
176+
- `{{{ complete_ocil_entry_package_installed("name") }}}` - OCIL when the package must be installed
177+
- `{{{ complete_ocil_entry_package_removed("name") }}}` - OCIL when the package must be absent
177178
- `{{{ fixtext_package_removed("name") }}}` - Fixtext for package removal
178179
- `{{{ fixtext_sysctl("key", "value") }}}` - Fixtext for sysctl setting
179180
- `{{{ fixtext_directory_permissions(file="/path", mode="0600") }}}` - Fixtext for dir permissions
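Review bot: the two new list entries document only the positional form, but rules in this same commit call the macros with a keyword argument (`{{{ complete_ocil_entry_package_installed(package=package) }}}` in the audit-libs and cron rules), so the parameter name should appear here too, for example `complete_ocil_entry_package_installed(package="name")`; otherwise a reader of CLAUDE.md cannot tell that the keyword form is supported or what the keyword is.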

linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -21,9 +21,7 @@ identifiers:
2121
references:
2222
srg: SRG-OS-000342-GPOS-00133
2323

24-
ocil_clause: 'the package is not installed'
25-
26-
ocil: '{{{ ocil_package(package="audispd-plugins") }}}'
24+
{{{ complete_ocil_entry_package_installed("audispd-plugins") }}}
2725

2826
fixtext: '{{{ fixtext_package_installed("audispd-plugins") }}}'
2927

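Review bot: the explicit `ocil_clause: 'the package is not installed'` is dropped in favour of whatever `complete_ocil_entry_package_installed` emits, and the macro body is not in the visible diff. Before merge, confirm that the macro writes both the `ocil_clause` and `ocil` keys at top level and that the generated clause still describes the failing condition (package absent), since the surrounding keys (`fixtext`) now rely on that output being valid YAML at this indentation.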
Lines changed: 9 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,15 @@
1-
{{% if product in ["sle12","sle15"] %}}
2-
{{% set package_name = "libaudit1" %}}
1+
{{% if product in ["sle12", "sle15", "slmicro5"] %}}
2+
{{%- set package = "libaudit1" %}}
33
{{% else %}}
4-
{{% set package_name = "audit-libs" %}}
4+
{{%- set package = "audit-libs" %}}
55
{{% endif %}}
66

77
documentation_complete: true
88

9-
title: 'Ensure the {{{ package_name }}} package as a part of audit Subsystem is Installed'
9+
title: 'Ensure the {{{ package }}} package as a part of audit Subsystem is Installed'
1010

1111

12-
description: 'The {{{ package_name }}} package should be installed.'
12+
description: 'The {{{ package }}} package should be installed.'
1313

1414
rationale: 'The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.'
1515

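Review bot: the top condition now includes `slmicro5`, which the old line omitted even though the ocil and fixtext blocks further down already branched on it; before this change the title and description on slmicro5 named `audit-libs` while the check and fix used `libaudit1`. That is a correctness fix, not part of the rename, and deserves a sentence in the commit message. Minor style point: the `set` lines switch to the whitespace-stripping `{{%-` form while the surrounding `if`/`else`/`endif` lines keep `{{%`; use one form consistently.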
@@ -32,25 +32,16 @@ references:
3232
pcidss: Req-10.2.1
3333
srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220
3434

35-
ocil_clause: 'the {{{ package_name }}} package is not installed'
36-
37-
{{% if product in ["sle12","sle15","slmicro5"] %}}
38-
ocil: '{{{ ocil_package("libaudit1") }}}'
39-
{{% else %}}
40-
ocil: '{{{ ocil_package("audit-libs") }}}'
41-
{{% endif %}}
35+
{{{ complete_ocil_entry_package_installed(package=package) }}}
4236

4337
fixtext: |-
44-
Install the {{{ package_name }}} package (if {{{ package_name }}} package is not already installed) with the following command:
45-
{{% if product in ["sle12","sle15","slmicro5"] %}}
46-
{{{ package_install("libaudit1") }}}
47-
{{% else %}}
48-
{{{ package_install("audit-libs") }}}
49-
{{% endif %}}
38+
Install the {{{ package }}} package (if {{{ package }}} package is not already installed) with the following command:
39+
{{{ package_install(package=package) }}}
5040
5141
template:
5242
name: package_installed
5343
vars:
5444
pkgname: audit-libs
45+
pkgname@sle12: libaudit1
5546
pkgname@sle15: libaudit1
5647
pkgname@slmicro5: libaudit1
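Review bot: the added `pkgname@sle12: libaudit1` closes a real gap: the Jinja condition at the top of the file already selected `libaudit1` for sle12, but the template vars only overrode sle15 and slmicro5, so the generated sle12 check and remediation looked for `audit-libs`. Call this out explicitly in the PR description, since it changes what the sle12 content tests for rather than only how the OCIL text is produced.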

linux_os/guide/auditing/package_audit_installed/rule.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -33,9 +33,7 @@ references:
3333
stigid@sle12: SLES-12-020000
3434
stigid@sle15: SLES-15-030650
3535

36-
ocil_clause: 'the audit package is not installed'
37-
38-
ocil: '{{{ ocil_package("audit") }}}'
36+
{{{ complete_ocil_entry_package_installed("audit") }}}
3937

4038
fixtext: |-
4139
Install the audit service (if the audit service is not already installed) with the following command:

linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@ references:
3333
nist: CM-7(a),CM-7(b),CM-6(a)
3434
nist-csf: PR.IP-1,PR.PT-3
3535

36-
{{{ complete_ocil_entry_package(package="avahi-autoipd") }}}
36+
{{{ complete_ocil_entry_package_removed("avahi-autoipd") }}}
37+
3738
fixtext: '{{{ fixtext_package_removed("avahi-autoipd") }}}'
3839

3940
template:

linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,8 @@ references:
3434
nist: CM-7(a),CM-7(b),CM-6(a)
3535
nist-csf: PR.IP-1,PR.PT-3
3636

37-
{{{ complete_ocil_entry_package(package="avahi") }}}
37+
{{{ complete_ocil_entry_package_removed("avahi") }}}
38+
3839
fixtext: '{{{ fixtext_package_removed("avahi") }}}'
3940

4041
template:

linux_os/guide/services/base/package_abrt_removed/rule.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ references:
2626
srg: SRG-OS-000095-GPOS-00049
2727
stigid@ol8: OL08-00-040001
2828

29-
{{{ complete_ocil_entry_package(package="abrt") }}}
29+
{{{ complete_ocil_entry_package_removed("abrt") }}}
3030

3131
template:
3232
name: package_removed
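Review bot: blank-line handling after the new macro call is inconsistent across the refactored rules: the avahi and avahi-autoipd hunks add an extra empty line (`37+`) between the macro and `fixtext:`, while this hunk and the psacct hunk do not. If the old `complete_ocil_entry_package` emitted a trailing newline that the new macros do not, every caller should get the same treatment; otherwise the rendered rule files will have uneven spacing between the OCIL entry and the following key.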

linux_os/guide/services/base/package_psacct_installed/rule.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,7 @@ references:
2929
nist: AU-12(a),CM-6(a)
3030
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
3131

32-
ocil_clause: 'the package is not installed'
33-
34-
ocil: '{{{ ocil_package(package="psacct") }}}'
32+
{{{ complete_ocil_entry_package_installed("psacct") }}}
3533

3634
template:
3735
name: package_installed

linux_os/guide/services/cron_and_at/disable_anacron/rule.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,4 +26,4 @@ references:
2626
nist: CM-7(a),CM-7(b),CM-6(a)
2727
nist-csf: PR.IP-1,PR.PT-3
2828

29-
{{{ complete_ocil_entry_package(package="cronie-anacron") }}}
29+
{{{ complete_ocil_entry_package_removed("cronie-anacron") }}}

linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml

Lines changed: 5 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
1-
{{% if product in [ "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16"] %}}
2-
{{% set package_name = "cronie" %}}
1+
{{% if 'rhel' in product or product in ["ol9", "ol10", "sle12", "sle15", "sle16"] %}}
2+
{{%- set package = "cronie" %}}
33
{{% else %}}
4-
{{% set package_name = "cron" %}}
4+
{{%- set package = "cron" %}}
55
{{% endif %}}
66

77
documentation_complete: true
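Review bot: `'rhel' in product` is a substring match on the product id and is not equivalent to the old explicit list `rhel8, rhel9, rhel10`: any product id that merely contains `rhel` now selects `cronie`. If that broadening is intended, state it in the commit message; if not, keep the explicit list so a refactor of OCIL macros does not silently change which package a product is checked for.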
@@ -35,12 +35,9 @@ references:
3535
nist-csf: PR.IP-1,PR.PT-3
3636
srg: SRG-OS-000480-GPOS-00227
3737

38-
ocil_clause: 'the package is installed'
39-
40-
ocil: |-
41-
{{{ ocil_package(package_name) }}}
38+
{{{ complete_ocil_entry_package_installed(package=package) }}}
4239

4340
template:
4441
name: package_installed
4542
vars:
46-
pkgname: {{{ package_name }}}
43+
pkgname: {{{ package }}}
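Review bot: the removed `ocil_clause: 'the package is installed'` was inverted for a `package_installed` rule (the clause is meant to describe the failing condition, i.e. the package is not installed), so delegating to `complete_ocil_entry_package_installed` fixes a wrong clause here and that is worth noting in the PR. The call uses `package=package` while the single-package rules in this commit pass the name positionally; both are fine only if the macro's parameter is in fact named `package`, which the CLAUDE.md entry should state.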
