diff --git a/docs/README.md b/docs/README.md index 79bd35b6c9a..cfa9107a432 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,6 +1,6 @@ # ReadTheDocs.org Integration -The [ComplianceAsCode developer documentation](manual/developer) is integrated into the ReadTheDocs.org documentation hosting platform: https://complianceascode.readthedocs.io +The [ComplianceAsCode developer documentation](manual/developer/01_introduction.md) is integrated into the ReadTheDocs.org documentation hosting platform: https://complianceascode.readthedocs.io A webhook exists to build the Markdown files into a complete set of documentation. diff --git a/docs/jinja_macros/20-rules.rst b/docs/jinja_macros/20-rules.rst index cb0a02a4286..182a8ba3e41 100644 --- a/docs/jinja_macros/20-rules.rst +++ b/docs/jinja_macros/20-rules.rst @@ -1,5 +1,5 @@ Rule macros -========= +=========== Contains macros for rules that leverage multiple macros from other files .. autojinja:: shared/macros/20-rules.jinja diff --git a/docs/manual/user/20_scanning.md b/docs/manual/user/20_scanning.md index 525ef971509..1c961130c3a 100644 --- a/docs/manual/user/20_scanning.md +++ b/docs/manual/user/20_scanning.md @@ -1,7 +1,7 @@ # Scanning ## Running a Scan with OpenSCAP -#### Command Line Interface (CLI) +### Command Line Interface (CLI) This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents. See also [OpenSCAP User Manual](https://static.open-scap.org/openscap-1.3/oscap_user_manual.html) for instructions how to use OpenSCAP. diff --git a/docs/modules/utils.rst b/docs/modules/utils.rst index 93ce1b3d03d..d9bfc925d0d 100644 --- a/docs/modules/utils.rst +++ b/docs/modules/utils.rst 
@@ -25,14 +25,6 @@ utils.compare\_ds module :undoc-members: :show-inheritance: -utils.count\_oval\_objects module ---------------------------------- - -.. automodule:: utils.count_oval_objects - :members: - :undoc-members: - :show-inheritance: - utils.create\-stig\-overlay module ---------------------------------- @@ -49,14 +41,6 @@ utils.find\_duplicates module :undoc-members: :show-inheritance: -utils.find\_shadowed\_files module ----------------------------------- - -.. automodule:: utils.find_shadowed_files - :members: - :undoc-members: - :show-inheritance: - utils.fix\-rules module ----------------------- diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index d1a38407a52..e6abd0a2fae 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -93,6 +93,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo {{# Macro which generates a unique identifier for Compliance Operator, this will hide the rule from ComplianceCheckResult + #}} {{% macro hide_rule() -%}} This rule will be a hidden rule @@ -693,6 +694,7 @@ substituting the correct package management software. {{# Outputs a command for removing a package, substituting the correct package management software. + #}} {{%- macro package_remove(package) -%}} {{% if pkg_manager is defined %}} @@ -762,6 +764,7 @@ substituting the correct package management software. :type file: str :param group: The group owner for the file :type group: str + #}} {{%- macro describe_file_group_owner(file, group) %}} To properly set the group owner of {{{ file }}}, run the command: @@ -776,6 +779,7 @@ substituting the correct package management software. :type file: str :param perms: The permissions for the file :type perms: str + #}} {{%- macro check_file_permissions(file, perms) %}} To check the permissions of {{{ file }}}, run the command: 
@@ -914,6 +918,7 @@ substituting the correct package management software. {{# An openssl config file with strong entropy. + #}} {{% macro openssl_strong_entropy_config_file() -%}} # provide a default -rand /dev/random option to openssl commands that @@ -950,6 +955,7 @@ openssl() {{# A note about an item need be done for each :code:`MachineConfigPool`. + #}} {{% macro machineconfig_description_footer() -%}}

@@ -980,6 +986,7 @@ Operator see {{# Describe how to configure Grub2 to add an argument to the default kernel command line. The parameter should be in form `parameter=value`. + #}} {{%- macro describe_grub2_argument(arg_name_value) -%}} {{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} @@ -1023,8 +1030,8 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} {{%- endmacro %}} {{# - Adds a default "no easy remediation" warning for kernel_build_config warning. + #}} {{% macro kernel_build_config_warning() %}} - general: |- diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 99831f69b34..103a1150b1b 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -25,6 +25,7 @@ value: :code:`Setting={{ varname1 }}` calling the ansible_only_lineinfile macro to handle deduplication of values. Note that all string-like parameters are single quoted in the YAML. + #}} {{%- macro ansible_lineinfile(msg='', path='', mode='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}} - name: "{{{ msg or rule_title }}}" @@ -90,6 +91,7 @@ value: :code:`Setting={{ varname1 }}` {{# Find files matching a particular value. Not a full implementation. + #}} {{%- macro ansible_find(msg='', paths='', recurse='yes', follow='no', contains='', register='', when='') %}} - name: '{{{ msg or rule_title }}}' @@ -115,6 +117,7 @@ value: :code:`Setting={{ varname1 }}` a single configuration parameter might have multiple values, but only one value is approved. All lines matching the regex are first removed and then the new line is appended to the file. + #}} {{%- macro ansible_only_lineinfile(msg, path, line_regex, new_line, create='no', block=False, validate='', insert_after='', insert_before='', mode='') -%}} {{%- if block %}} 
@@ -136,6 +139,7 @@ value: :code:`Setting={{ varname1 }}` key-seperator-value files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions. + #}} {{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False, mode='') %}} {{{ ansible_only_lineinfile(msg, file, prefix_regex + parameter + separator_regex, parameter + separator + value, create=create, block=True, validate=validate, insert_after=insert_after, insert_before=insert_before, mode=mode) }}} @@ -148,6 +152,7 @@ value: :code:`Setting={{ varname1 }}` files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions. + #}} {{%- macro ansible_set_config_file_dir(msg, config_file, config_dir, set_file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='') %}} {{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}} @@ -262,6 +267,7 @@ value: :code:`Setting={{ varname1 }}` files. Note this is only suitable for calling a single command once with the correct arguments and not for calling the same command multiple times with different arguments. This includes setting an environment variable once. + #}} {{%- macro ansible_etc_profile_set(msg='', parameter='', value='') %}} {{{ ansible_set_config_file_dir(msg, "/etc/profile", "/etc/profile.d", "/etc/profile", parameter, separator='=', separator_regex='=', value=value, create='yes', validate="bash -n %s") }}} 
@@ -323,6 +329,7 @@ value: :code:`Setting={{ varname1 }}` :type filepath: str :param contents: contents that should be in the file :type contents: str + #}} {{%- macro ansible_file_contents(filepath='', contents='') %}} - name: "Put contents into {{{ filepath }}} according to policy" @@ -339,6 +346,7 @@ value: :code:`Setting={{ varname1 }}` :param banner_var_name: name of ansible variable with the banner regex :type banner_var_name: str + #}} {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} {{ {{{ banner_var_name }}} | @@ -356,6 +364,7 @@ wordwrap() }} :param banner_var_name: name of ansible variable with the banner regex :type banner_var_name: str + #}} {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} ''{{ {{{ banner_var_name }}} | @@ -719,6 +728,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul :param package: package name :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param ver: package version (optional argument, use together with "op") + #}} {{%- macro ansible_pkg_conditional(package, op=None, ver=None) -%}} {{%- if package in platform_package_overrides -%}} @@ -741,6 +751,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul Macro used to check if authselect files are intact. When used, it will exit the respective script if any authselect file was modified without proper use of authselect tool and respective profiles. + #}} {{% macro ansible_check_authselect_integrity() -%}} - name: '{{{ rule_title }}} - Check integrity of authselect current profile' @@ -791,6 +802,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{# Enable authselect feature if the authselect current profile is intact or inform that its integrity check failed. + #}} {{%- macro ansible_enable_authselect_feature(feature) -%}} {{{ ansible_check_authselect_integrity() }}} 
@@ -820,6 +832,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{# Used to identify if authselect is present or not in the system. Some macros can change the remediation behavior based on the presence of authselect. + #}} {{%- macro ansible_check_authselect_presence() -%}} - name: '{{{ rule_title }}} - Check if system relies on authselect tool' @@ -839,6 +852,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul :param after_match: Regex used as reference to append a line, if necessary. Optional parameter. Note: For this macro, there is a special value used to include a line at the beginning of the file: "BOF" + #}} {{%- macro ansible_pam_pwhistory_enable(pam_file, control, after_match='') -%}} {{{ ansible_check_authselect_presence() }}} @@ -918,6 +932,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{# This macro ensures the pam_faillock.so PAM module is enabled. It is enabled using the authselect tool or editing the PAM files, only if authselect tool is not available. + #}} {{%- macro ansible_pam_faillock_enable() -%}} @@ -1178,6 +1193,7 @@ Part of the grub2_bootloader_argument_absent template. {{# Macro to restrict permissions in home directories of interactive users + #}} {{%- macro ansible_restrict_permissions_home_directories(recursive=false) -%}} - name: Get all local users from /etc/passwd @@ -1375,6 +1391,7 @@ Part of the grub2_bootloader_argument_absent template. new custom profile will be created based on the current profile and preserving the already enabled features. Custom profiles are only recommeded if an authselect feature for the same purpose is not available. + #}} {{% macro ansible_ensure_authselect_custom_profile() -%}} - name: '{{{ rule_title }}} - Get authselect current profile' diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 0189c5e59ab..44642ab1ea8 100644 --- a/shared/macros/10-bash.jinja 
+++ b/shared/macros/10-bash.jinja @@ -679,6 +679,7 @@ done {{# Disable prelinking in sysconfig + #}} {{%- macro bash_disable_prelink() -%}} # prelink not installed @@ -703,6 +704,7 @@ fi Macro to configure DConf settings for RHEL and Fedora systems. If files contain ibus or distro, ignore them. + #}} {{%- macro bash_dconf_settings(path, key, value, db, setting_file) -%}} # Check for setting in any of the DConf db directories @@ -1002,6 +1004,7 @@ authselect enable-feature {{{ feature }}} Enable pam_faillock.so PAM module using authselect. If an authselect profile is not selected or the selected profile is not intact, the operation is aborted. If the operation is aborted, an informative message is shown in the remediation report. + #}} {{%- macro bash_enable_pam_faillock_with_authselect() -%}} {{{ bash_enable_authselect_feature('with-faillock') }}} @@ -1011,6 +1014,7 @@ authselect enable-feature {{{ feature }}} {{# Enable pam_faillock.so PAM module by directly editing PAM files. This option is only recommended when authselect tool is not available for the system. + #}} {{%- macro bash_enable_pam_faillock_directly_in_pam_files() -%}} {{% if 'ubuntu' in product %}} @@ -1061,6 +1065,7 @@ fi context. This sequence of commands is used in multiple PAM related macros. :param pam_file: PAM config file. + #}} {{%- macro bash_ensure_pam_variables_and_authselect_profile(pam_file) -%}} {{{ bash_check_authselect_integrity() }}} @@ -1215,6 +1220,7 @@ fi :param message: The message to print. :param rc: The error code (optional, default is 1) :param action: What to do (optional, default is 'exit', can be also 'return' or anything else) + #}} {{% macro die(message, rc=1, action="exit") -%}} printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 
@@ -1433,8 +1439,8 @@ fi {{%- endmacro %}} {{# - # Check whether or not a package is installed. - #}} + Check whether or not a package is installed. +#}} {{%- macro bash_package_installed(pkgname) -%}} {{%- if pkg_manager == "apt_get" -%}} dpkg-query --show --showformat='${db:Status-Status}\n' "{{{ pkgname }}}" 2>/dev/null | grep -q installed @@ -1450,6 +1456,7 @@ rpm --quiet -q "{{{ pkgname }}}" This macro gets the var cce_identifiers from the environment created by the build scripts. The cce_identifiers is a dictionary that contains either the 'cce':'CCENUM' record for the product this remediation is being built for, or it is empty. + #}} {{%- macro set_cce_value() -%}} {{% if cce_identifiers and 'cce' in cce_identifiers -%}} @@ -1517,6 +1524,7 @@ fi {{# Macro to restrict permissions in home directories of interactive users. + #}} {{%- macro bash_restrict_permissions_home_directories(recursive=false) -%}} for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}) print $6 }' /etc/passwd); do @@ -1567,6 +1575,7 @@ Ensures that given mount point is in :code:`/etc/fstab`. :param mount_opt: mount point option whose presence in /etc/fstab we are ensuring :param fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.) :param type: mount type of mount point (used when adding new entry in fstab) + #}} {{% macro bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type) -%}} mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" {{{ mount_point }}})" 
@@ -1586,13 +1595,14 @@ fi {{%- endmacro %}} {{# - # Check whether mount_point is present in /etc/fstab; print err to stderr and return 1 if not - #}} + Check whether mount_point is present in /etc/fstab; print err to stderr and return 1 if not + +#}} {{% macro bash_assert_mount_point_in_fstab(mount_point) -%}} mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "{{{ mount_point }}}")" {{# -# This macro gets expanded to code that will return 1 if MOUNTPOINT is not in /etc/fstab; -# This is consistent with the behavior prior to converting this function to a jinja macro + This macro gets expanded to code that will return 1 if MOUNTPOINT is not in /etc/fstab; + This is consistent with the behavior prior to converting this function to a jinja macro #}} grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '{{{ mount_point }}}' is not even in /etc/fstab, so we can't set up mount options" >&2; @@ -1600,9 +1610,10 @@ grep "$mount_point_match_regexp" -q /etc/fstab \ {{%- endmacro %}} {{# - # Ensure that partition is mounted at mount_point with correct options, but only if the partition - # is already mounted. - #}} + Ensure that partition is mounted at mount_point with correct options, but only if the partition + is already mounted. + +#}} {{% macro bash_ensure_partition_is_mounted(mount_point) -%}} if mkdir -p "{{{ mount_point }}}"; then if mountpoint -q "{{{ mount_point }}}"; then @@ -1849,6 +1860,7 @@ Part of the grub2_bootloader_argument template. {{# Ensures that /etc/default/grub file does not contain the arg_name_value. + :param arg_name: name of the grub parameter, e.g.: "audit" #}} 
@@ -1884,6 +1896,7 @@ respects `platform_package_overrides` variable. :param package: package name :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param ver: package version (optional argument, use together with "op") + #}} {{%- macro bash_pkg_conditional(package, op=None, ver=None) -%}} {{%- if package in platform_package_overrides -%}} @@ -1904,6 +1917,7 @@ JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'. This macro generates code that gets version of an installed RPM package. :param package: package name + #}} {{%- macro bash_get_rpm_package_version(package) -%}} $(epoch=$(rpm -q --queryformat '%{EPOCH}' {{{ package }}}); version=$(rpm -q --queryformat '%{VERSION}' {{{ package }}}); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version") @@ -1935,6 +1949,7 @@ https://www.gnu.org/software/coreutils/manual/coreutils.html#Version-sort-orderi :param real: real package version :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param expected: expected package version + #}} {{%- macro bash_pkg_conditional_compare(real, op, expected) -%}} { real="{{{ real }}}"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; } @@ -1952,6 +1967,7 @@ Assumptions: :param real: real package version :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param expected: expected package version + #}} {{%- macro bash_compare_version(real, op, expected) -%}} {{%- if op == "<" -%}} @@ -1976,6 +1992,7 @@ This macro creates a Bash conditional which uses rpm to check if a package passe :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param ver: package version (optional argument, use together with "op") The version always needs to contain epoch. If the package has no epoch, please prepend "0:". + #}} {{%- macro bash_pkg_conditional_rpm(package, op=None, ver=None) -%}} {{%- if ver -%}} 
@@ -1989,6 +2006,7 @@ rpm --quiet -q {{{ package }}} This macro generates code that gets version of an installed DEB package. :param package: package name + #}} {{%- macro bash_get_dpkg_package_version(package) -%}} {{# We don't take the "release" part into account. #}} @@ -2002,6 +2020,7 @@ with a given version. :param package: package name :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param ver: package version (optional argument, use together with "op") + #}} {{%- macro bash_compare_version_dpkg(package, op, ver) -%}} {{%- set op_codes = ({"<":"lt", "<=":"le", "==":"eq", "!=":"ne", ">":"gt", ">=":"ge"}) -%}} @@ -2014,6 +2033,7 @@ This macro creates a Bash conditional which uses dpkg to check if a package pass :param package: package name :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param ver: package version (optional argument, use together with "op") + #}} {{%- macro bash_pkg_conditional_dpkg(package, op=None, ver=None) -%}} {{%- if ver -%}} @@ -2054,6 +2074,7 @@ fi {{# Macro that lets you define the body of a loop that iterates over the output of the find command Use with the call block syntax {{% call iterate_over_find_output("fname", "mydir -name *.conf") %}} ... + #}} {{% macro iterate_over_find_output(varname, find_args="") -%}} while IFS= read -r -d '' {{{ varname }}}; do @@ -2065,6 +2086,7 @@ done < <(find {{{ find_args }}} -print0) {{# Macro that lets you define the body of a loop that iterates over the output of any command Use with the call block syntax {{% call iterate_over_find_output("fname", "awk ... myfile") %}} ... + #}} {{% macro iterate_over_command_output(varname, command_and_its_args) -%}} while IFS= read -r {{{ varname }}}; do 
@@ -2222,6 +2244,7 @@ fi Macro used to check if authselect files are intact. When used, it will exit the respective script if any authselect file was modified without proper use of authselect tool and respective profiles. + #}} {{% macro bash_check_authselect_integrity() -%}} if ! authselect check; then @@ -2244,6 +2267,7 @@ fi enabled features. Custom profiles are only recommeded if an authselect feature for the same purpose is not available. In any case, this macro will also set the "CURRENT_PROFILE" variable which is also used in the "bash_ensure_pam_variables_and_authselect_profile" macro. + #}} {{% macro bash_ensure_authselect_custom_profile() -%}} CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') @@ -2332,6 +2356,7 @@ fi {{# Macro to insert script to find a Python interpreter on the target system. + #}} {{% macro find_python() -%}} @@ -2350,6 +2375,7 @@ fi {{# Macro to insert script to find Mozilla Firefox location on the target system. + #}} {{% macro find_firefox() -%}} @@ -2373,6 +2399,7 @@ will be applied. (optional argument, use together with "op") :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param os_release_path: path to the os-release file, default: "/etc/os-release" + #}} {{%- macro bash_os_linux_conditional(os_id, expected_ver=None, op=None, os_release_path="/etc/os-release") -%}} {{%- if expected_ver -%}} @@ -2389,6 +2416,7 @@ operating system with the expected version using the given operator. :param expected: expected OS version, value of the VERSION_ID variable in /etc/os-release :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :param os_release_path: path to the os-release file, default: "/etc/os-release" + #}} {{%- macro bash_compare_version_os_linux(expected, op, os_release_path="/etc/os-release") -%}} { real="$({{{ bash_get_version_os_linux(os_release_path) }}})"; expected="{{{ expected }}}"; {{{ bash_compare_version("$real", op, "$expected") }}}; } 
@@ -2399,6 +2427,7 @@ This macro generates code that retrieves the operating system version from /etc/os-release from VERSION_ID variable. :param os_release_path: path to the os-release file, default: "/etc/os-release" + #}} {{%- macro bash_get_version_os_linux(os_release_path="/etc/os-release") -%}} grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" {{{ os_release_path }}} | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/" diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 6d7243a37c3..f021abc92ae 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -1,5 +1,6 @@ {{# How to log in to a Red Hat CoreOS Node + #}} {{% macro rhcos_node_login_instructions() -%}} As a user with administrator privileges, log into a node in the relevant pool: @@ -17,6 +18,7 @@ {{# Macro that creates a check from :code:`oc` output + #}} {{% macro ocil_oc_pipe_jq_filter(object, jqfilter, namespace=none, all_namespaces=false) -%}} oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ namespace }}}{{% endif %}} {{{ object }}} -o json | jq '{{{ jqfilter }}}' @@ -79,6 +81,7 @@ ocil: |- {{# OCIL clause for adding a syscall to audit logs + #}} {{% macro ocil_clause_entry_audit_syscall() -%}} ocil_clause: "no line is returned" @@ -228,6 +231,7 @@ ocil_clause: "the package is installed" :param package: The package to check :type package: str + #}} {{%- macro dpkg_complete_ocil_entry_package(package) %}} ocil: |- @@ -477,6 +481,7 @@ ocil: |- {{# An OCIL clause for an sshd option + #}} {{% macro ocil_clause_entry_sshd_option() -%}} ocil_clause: "the required value is not set" @@ -1082,6 +1087,7 @@ Write out the OCIL for generating the common check for Firefox configuration :type config: str :param value: Expected value for preference :type value: str + #}} {{% macro ocil_firefox_config(preference, config, value) -%}} {{%- if value == "true" -%}} 
@@ -1109,6 +1115,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati :param syscall: system call :type syscall: str + #}} {{% macro ocil_audit_rules_unsuccessful_file_modification(syscall, key) -%}} Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to use the {{{ syscall }}} system call. @@ -1138,6 +1145,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati :type syscall: str :param position: the position of the system call O_CREAT argument, eg. a2 :type position: str + #}} {{% macro ocil_audit_rules_unsuccessful_file_modification_o_creat(syscall, position) -%}} Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to create files using the {{{ syscall }}} system call with O_CREAT flag. @@ -1166,6 +1174,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati :type syscall: str :param position: the position of the system call O_TRUNC_WRITE argument, eg. a2 :type position: str + #}} {{% macro ocil_audit_rules_unsuccessful_file_modification_o_trunc_write(syscall, position) -%}} Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to modify files using the {{{ syscall }}} system call with O_TRUNC_WRITE flag. @@ -1194,6 +1203,7 @@ Create an OCIL text for rules using the audit_rules_unsuccessful_file_modificati :type syscall: str :param position: the position of the system call O_TRUNC_WRITE and O_CREAT arguments, eg. a2 :type position: str + #}} {{% macro ocil_audit_rules_unsuccessful_file_modification_rule_order(syscall, position) -%}} Verify that rules for unsuccessful calls of the {{{ syscall }}} syscall are in the order shown below. diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index ce758f07667..307df197d98 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -3,6 +3,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param products: Name of products :type products: str + #}} {{%- macro oval_affected(products) %}} @@ -12,6 +13,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{# Constants. + #}} {{%- set suffix_id_default_not_overriden = "_default_not_overriden" -%}} @@ -976,6 +978,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :param object_id: Object id to be created. :type object_id: str + #}} {{%- macro create_interactive_users_list_object(object_id) -%}} {{%- set ignored_users_list="(nobody|nfsnobody)" %}} diff --git a/ssg/rule_dir_stats.py b/ssg/rule_dir_stats.py index 1718f4da1ca..80f642c738c 100644 --- a/ssg/rule_dir_stats.py +++ b/ssg/rule_dir_stats.py @@ -88,17 +88,19 @@ def walk_rules(args, known_rules, oval_func, remediation_func): The input rule_obj structure is the value of known_rules[rule_id]. - The output structure is a dict as follows: - { - rule_id: { - "oval": oval_func(args, rule_obj), - "ansible": remediation_func(args, "ansible", rule_obj), - "anaconda": remediation_func(args, "anaconda", rule_obj), - "bash": remediation_func(args, "bash", rule_obj), - "puppet": remediation_func(args, "puppet", rule_obj) - }, - ... - } + The output structure is a dict as follows:: + + { + rule_id: { + "oval": oval_func(args, rule_obj), + "ansible": remediation_func(args, "ansible", rule_obj), + "anaconda": remediation_func(args, "anaconda", rule_obj), + "bash": remediation_func(args, "bash", rule_obj), + "puppet": remediation_func(args, "puppet", rule_obj) + }, + ... + } + The arguments supplied to oval_func are args and rule_obj. The arguments supplied to remediation_func are args, the remediation type,
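Review bot: in the docs/modules/utils.rst hunk, dropping the `utils.count_oval_objects` and `utils.find_shadowed_files` automodule sections is only correct if those scripts no longer exist under `utils/`; nothing in this diff removes them. Confirm they were deleted (or moved out of the Sphinx path) before merging, otherwise the rendered API docs for two still-present tools silently disappear.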
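Review bot: the `bash_package_installed` hunk in shared/macros/10-bash.jinja (`@@ -1433`) dedents the closing delimiter to `#}}` at column 0, while every other docstring touched by this diff uses an indented ` #}}` preceded by a blank line; the two mount-point hunks below it (`@@ -1586`, `@@ -1600`) do the same. Pick one closing style for all macro docstrings so autojinja output and future diffs stay uniform.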
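Review bot: in the shared/macros/10-bash.jinja hunk at `@@ -1849`, the added line `:param arg_name: name of the grub parameter, e.g.: "audit"` documents a parameter called `arg_name`, but the sentence just above it says the macro "does not contain the arg_name_value". Check the macro's actual signature and use one name consistently in the docstring; the sibling `describe_grub2_argument` macro in 01-general.jinja takes `arg_name_value`.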
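Review bot: the `iterate_over_command_output` docstring in shared/macros/10-bash.jinja (`@@ -2065`) still shows the usage example as `{{% call iterate_over_find_output("fname", "awk ... myfile") %}}`, which is the name of the previous macro. Since this hunk already edits that docstring, correct the example to `{{% call iterate_over_command_output("fname", "awk ... myfile") %}}`.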
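Review bot: the `ansible_ensure_authselect_custom_profile` hunk in shared/macros/10-ansible.jinja (`@@ -1375`) keeps the context line "Custom profiles are only recommeded if an authselect feature ..."; "recommeded" should be "recommended". The identical sentence appears in the `bash_ensure_authselect_custom_profile` hunk of 10-bash.jinja (`@@ -2244`), so fix both while these docstrings are being touched.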
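Review bot: the `ansible_set_config_file` hunk in shared/macros/10-ansible.jinja (`@@ -136`) leaves "key-seperator-value files with no sense of structure" in the docstring; "seperator" should be "separator", and the same wording should be checked in the `ansible_set_config_file_dir` hunk directly below it.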