forked from ComplianceAsCode/content
macros.jinja
{{% macro ocil_clause_entry_sshd_option() -%}}
ocil_clause: "the required value is not set"
{{%- endmacro %}}
{{# Example usage: ocil_sshd_option(default="no", option="Banner", value="/etc/issue") #}}
{{% macro ocil_sshd_option(default, option, value) -%}}
To determine how the SSH daemon's <tt>{{{ option }}}</tt> option is set, run the following command:
<pre>$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config</pre>
{{% if default == "yes" -%}}
If no line, a commented line, or a line indicating the value <tt>{{{ value }}}</tt> is returned, then the required value is set.
{{%- else %}}
If a line indicating <tt>{{{ value }}}</tt> is returned, then the required value is set.
{{%- endif %}}
{{%- endmacro %}}
{{% macro complete_ocil_entry_sshd_option(default, option, value) -%}}
ocil: |
{{{ ocil_sshd_option(default, option, value) }}}
{{{ ocil_clause_entry_sshd_option() }}}
{{%- endmacro %}}
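{{# Added example, not part of this macro library or of ComplianceAsCode: a POSIX
    shell check that resolves an sshd_config keyword the way the OCIL text above
    describes (a missing or commented-out line means the default applies) while
    also honouring two details the plain grep does not: sshd uses the FIRST active
    occurrence of a keyword, keywords are case-insensitive, and an optional "="
    may separate keyword and value. Settings inside a Match block are conditional,
    so scanning stops there. The function names and the sample configuration are
    this example's own; Include directives are not followed, and on a live host
    "sudo sshd -T" remains the authoritative view of the effective configuration. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): effective-value lookup for sshd_config.

# sshd_effective_value <config_file> <keyword> <default>
# Prints the value sshd would use: the first active (uncommented) line naming
# <keyword> before any Match block, compared case-insensitively, accepting
# either "Keyword value" or "Keyword = value"; otherwise prints <default>.
# Quoted values containing spaces are not handled.
sshd_effective_value() {
    _cfg=$1; _key=$2; _default=$3
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { gsub(/[[:space:]]*=[[:space:]]*/, " ") }      # "Key = value" -> "Key value"
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == tolower(key) { print $2; exit }  # first match wins, like sshd
    ' "$_cfg")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# check_sshd_option <config_file> <keyword> <default> <required>
# Mirrors the OCIL wording: pass when the effective value equals <required>.
check_sshd_option() {
    _got=$(sshd_effective_value "$1" "$2" "$3")
    if [ "$_got" = "$4" ]; then
        printf 'PASS: %s is %s\n' "$2" "$_got"; return 0
    fi
    printf 'FAIL: %s is %s, required %s\n' "$2" "$_got" "$4"; return 1
}

# Constructed sample configuration (not taken from any real host). The second
# PermitRootLogin line is ignored by sshd; the one in the Match block is
# conditional and must not influence the global answer.
sample_sshd_config() {
    cat <<'EOF'
# Banner /etc/issue.net
permitrootlogin no
PermitRootLogin yes
Banner = /etc/issue
Match User backup
    PermitRootLogin yes
EOF
}

# Stand-alone demo: write the sample to a temporary file and run the checks.
_demo_cfg=$(mktemp)
sample_sshd_config > "$_demo_cfg"
check_sshd_option "$_demo_cfg" PermitRootLogin yes no
check_sshd_option "$_demo_cfg" Banner none /etc/issue
check_sshd_option "$_demo_cfg" X11Forwarding no no
rm -f "$_demo_cfg"
```

{{# Usage: check_sshd_option /etc/ssh/sshd_config PermitRootLogin yes no. The
    default argument is the compiled-in default for the keyword, which is what
    "no line ... is returned" in the OCIL text silently relies on. #}}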
{{% macro ocil_mount_option(point, option) -%}}
To verify the <tt>{{{ option }}}</tt> option is configured for the <tt>{{{ point }}}</tt> mount point, run the following command:
<pre>$ mount | grep '\s{{{ point }}}\s'</pre>
The output should show the corresponding mount point along with the <tt>{{{ option }}}</tt> setting in parentheses.
{{%- endmacro %}}
{{% macro ocil_clause_entry_mount_option(point, option) -%}}
ocil_clause: "the {{{ option }}} is not present in the output line, or there is no output line at all"
{{%- endmacro %}}
{{% macro sub_var_value(varname) -%}}
<sub idref="{{{ varname }}}" />
{{%- endmacro %}}
{{% macro complete_ocil_entry_mount_option(point, option) -%}}
ocil: |
{{{ ocil_mount_option(point, option) | indent(4) }}}
{{{ ocil_clause_entry_mount_option(point, option) }}}
{{%- endmacro %}}
{{% macro _iptables_desc(traffic_action, how_to_do, proto, port) -%}}
To configure <tt>iptables</tt> {{{ traffic_action }}} port {{{ port }}} traffic, one must edit
<tt>/etc/sysconfig/iptables</tt> and
<tt>/etc/sysconfig/ip6tables</tt> (if IPv6 is in use).
{{{ how_to_do }}}
<pre>-A INPUT -m state --state NEW -p {{{ proto }}} --dport {{{ port }}} -j ACCEPT</pre>
{{%- endmacro %}}
{{% macro describe_iptables_block(proto, port) -%}}
{{{ _iptables_desc(
traffic_action="to block",
how_to_do="Remove the following line, ensuring that it does not appear in the INPUT chain:",
proto=proto,
port=port
) }}}
{{%- endmacro %}}
{{% macro describe_iptables_allow(proto, port) -%}}
{{{ _iptables_desc(
traffic_action="to allow",
how_to_do="Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:",
proto=proto,
port=port
) }}}
{{%- endmacro %}}
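{{# Added example, not part of this macro library: the "before the final LOG and
    DROP lines" wording above is the whole point of the allow rule, because an
    ACCEPT placed after a catch-all DROP is never consulted. This POSIX shell
    function reads iptables-save output and reports whether an ACCEPT for a
    proto/port is actually effective in the INPUT chain. The function name and the
    sample ruleset are this example's own; it recognises "-p X --dport N" rules
    written with either "-m state --state NEW" or "-m conntrack --ctstate NEW",
    but not multiport (--dports) rules. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): verify an INPUT accept rule is
# effective, not merely present, in iptables-save output.

# iptables_input_allows <iptables-save file> <proto> <port>
# Returns 0 if an "-A INPUT ... -p <proto> --dport <port> -j ACCEPT" rule
# occurs before the first catch-all terminating rule in INPUT (a -j DROP or
# -j REJECT carrying no -p/--dport match). Rules after that line never see
# traffic, so they are ignored.
iptables_input_allows() {
    awk -v proto="$2" -v port="$3" '
        $1 != "-A" || $2 != "INPUT" { next }        # only INPUT chain rules
        {
            p = ""; dp = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && i < NF) p = $(i + 1)
                if ($i == "--dport" && i < NF) dp = $(i + 1)
                if ($i == "-j" && i < NF) target = $(i + 1)
            }
            if (target == "ACCEPT" && p == proto && dp == port) { found = 1; exit }
            if ((target == "DROP" || target == "REJECT") && p == "" && dp == "") exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed iptables-save output (not captured from a real host): port 22 is
# accepted before the DROP, port 80 is "allowed" only after it.
sample_iptables_save() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables denied: "
-A INPUT -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo; on a live host feed it "sudo iptables-save > file".
_demo=$(mktemp)
sample_iptables_save > "$_demo"
for _spec in "tcp 22" "tcp 80" "udp 22"; do
    set -- $_spec
    if iptables_input_allows "$_demo" "$1" "$2"; then
        echo "$1/$2: accepted before the catch-all DROP"
    else
        echo "$1/$2: NOT effectively allowed"
    fi
done
rm -f "$_demo"
```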
{{% macro partition_check(part) -%}}
Run the following command to determine if <code>{{{ part }}}</code>
is on its own partition or logical volume:
<pre>$ mount | grep "on {{{ part }}} type"</pre>
If <code>{{{ part }}}</code> has its own partition or logical volume, a line will be returned.
{{%- endmacro %}}
{{% macro complete_ocil_entry_separate_partition(part) -%}}
ocil: |
{{{ partition_check(part) }}}
ocil_clause: "no line is returned"
{{%- endmacro %}}
{{% macro ocil_audit_syscall(syscall) -%}}
To determine if the system is configured to audit calls to the
<code>{{{ syscall }}}</code> system call, run the following command:
<pre space="preserve">$ sudo grep "{{{ syscall }}}" /etc/audit/audit.rules /etc/audit/rules.d/*.rules</pre>
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
{{% macro ocil_clause_entry_audit_syscall() -%}}
ocil_clause: "no line is returned"
{{%- endmacro %}}
{{% macro complete_ocil_entry_audit_syscall(syscall) -%}}
ocil: |
{{{ ocil_audit_syscall(syscall) }}}
{{{ ocil_clause_entry_audit_syscall() }}}
{{%- endmacro %}}
{{% macro ocil_audit_successful_syscall(syscall) -%}}
To determine if the system is configured to audit successful calls
to the <code>{{{ syscall }}}</code> system call, run the following command:
<pre space="preserve">$ sudo grep "{{{ syscall }}}" /etc/audit/audit.rules /etc/audit/rules.d/*.rules</pre>
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
{{% macro complete_ocil_entry_audit_successful_syscall(syscall) -%}}
ocil: |
{{{ ocil_audit_successful_syscall(syscall) }}}
{{{ ocil_clause_entry_audit_syscall() }}}
{{%- endmacro %}}
{{%- macro _firewalld_check(access_action, port, proto, service) %}}
To determine if <code>firewalld</code> is configured to {{{ access_action }}}
{{%- if service %}} to <code>{{{ service }}}</code>{{% endif %}}
{{%- if port %}} on port <code>{{{ port }}}/{{{ proto }}}</code>{{% endif %}},
run the following command(s):
{{% if port %}}
<code>firewall-cmd --list-ports</code>
{{% endif %}}
{{% if service %}}
<code>firewall-cmd --list-services</code>
{{% endif %}}
{{%- endmacro %}}
{{%- macro ocil_firewalld_allow_access(port, proto, service) %}}
{{{ _firewalld_check("allow access", port, proto, service) }}}
If <code>firewalld</code> is configured to allow access through the firewall, something similar to the following will be output:
{{% if service %}}
If it is a service:
<code>{{{ service }}}</code>
{{% endif %}}
{{% if port %}}
If it is a port:
<code>{{{ port }}}/{{{ proto }}}</code>
{{% endif %}}
{{%- endmacro %}}
{{%- macro ocil_firewalld_prevent_access(port, proto, service) %}}
{{{ _firewalld_check("prevent access", port, proto, service) }}}
If <code>firewalld</code> is configured to prevent access, no output will be returned.
{{%- endmacro %}}
{{%- macro describe_firewalld_prevent(port, proto, service) %}}
To configure <code>firewalld</code> to prevent access, run the following command(s):
{{% if port %}}
<code>firewall-cmd --permanent --remove-port={{{ port }}}/{{{ proto }}}</code>
{{% endif %}}
{{% if service %}}
<code>firewall-cmd --permanent --remove-service={{{ service }}}</code>
{{% endif %}}
The <code>--permanent</code> change only takes effect in the running firewall after a reload:
<code>firewall-cmd --reload</code>
{{%- endmacro %}}
{{%- macro describe_firewalld_allow(port, proto, service) %}}
To configure <code>firewalld</code> to allow access, run the following command(s):
{{% if port %}}
<code>firewall-cmd --permanent --add-port={{{ port }}}/{{{ proto }}}</code>
{{% endif %}}
{{% if service %}}
<code>firewall-cmd --permanent --add-service={{{ service }}}</code>
{{% endif %}}
The <code>--permanent</code> change only takes effect in the running firewall after a reload:
<code>firewall-cmd --reload</code>
{{%- endmacro %}}
{{%- macro ocil_auditctl_syscall(syscall) %}}
To determine if the system is configured to audit calls to the <code>{{{ syscall }}}</code> system call, run the following command:
<pre space="preserve">$ sudo auditctl -l | grep syscall | grep {{{ syscall }}}</pre>
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
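{{# Added example, not part of this macro library, serving the three audit
    macros above (file-based and auditctl -l based). A grep for the syscall name
    also matches longer names (chmod matches fchmod and fchmodat) and rule keys,
    and says nothing about which architecture the rule covers. This POSIX shell
    function parses the rule syntax instead, matching whole tokens, honouring
    "-S all", and requiring the arch filter, and reports b64 and b32 separately
    because a 64-bit host needs both to catch 32-bit callers. "auditctl -l"
    prints the same syntax, so its output can be fed in to check the loaded
    rules. Function names and the sample rules are this example's own. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): token-exact check of audit syscall rules.

# audit_rule_covers <rules_file> <syscall> <arch>     (arch: b32 or b64)
# Returns 0 if a "-a always,exit" (or "exit,always") rule for <arch> names
# <syscall> in one of its -S lists ("-S all" counts). Names are compared as
# whole tokens, so "chmod" does not match fchmod, fchmodat or a -k key.
audit_rule_covers() {
    awk -v sc="$2" -v arch="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            action = ""; rule_arch = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-a" && i < NF) action = $(i + 1)
                if ($i == "-F" && i < NF && $(i + 1) == ("arch=" arch)) rule_arch = arch
                if ($i == "-S" && i < NF) {
                    n = split($(i + 1), s, ",")
                    for (j = 1; j <= n; j++) if (s[j] == sc || s[j] == "all") hit = 1
                }
            }
            if (hit && rule_arch == arch && (action == "always,exit" || action == "exit,always")) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_syscall_report <rules_file> <syscall>: one line per architecture.
audit_syscall_report() {
    for _arch in b64 b32; do
        if audit_rule_covers "$1" "$2" "$_arch"; then
            echo "$2 $_arch: audited"
        else
            echo "$2 $_arch: NOT audited"
        fi
    done
}

# Constructed rules (not copied from a real host): chmod is only covered on b64.
sample_audit_rules() {
    cat <<'EOF'
## constructed sample
-a always,exit -F arch=b64 -S chmod,fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-w /etc/shadow -p wa -k identity
EOF
}

# Stand-alone demo; on a live host: sudo auditctl -l > file, or pass
# /etc/audit/audit.rules.
_demo=$(mktemp)
sample_audit_rules > "$_demo"
audit_syscall_report "$_demo" chmod
rm -f "$_demo"
```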
{{%- macro ocil_module_disable(module) %}}
If the system is configured to prevent the loading of the <code>{{{ module }}}</code> kernel module,
it will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated <code>/etc/modprobe.conf</code>.
These lines instruct the module loading system to run another program (such as <code>/bin/true</code>) upon a module <code>install</code> event.
Run the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:
<pre>$ grep -r {{{ module }}} /etc/modprobe.conf /etc/modprobe.d</pre>
{{%- endmacro %}}
{{%- macro complete_ocil_entry_module_disable(module) %}}
ocil: |-
{{{ ocil_module_disable(module) }}}
ocil_clause: "no line is returned"
{{%- endmacro %}}
{{%- macro describe_module_disable(module) %}}
To configure the system to prevent the <code>{{{ module }}}</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre>install {{{ module }}} /bin/true</pre>
{{%- endmacro %}}
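{{# Added example, not part of this macro library: the recursive grep in the
    check above matches any mention of the module name, including comments,
    "options" lines and longer module names, and misses the fact that modprobe
    treats "-" and "_" in module names as the same character. This POSIX shell
    function looks for the exact "install <module> /bin/true" (or /bin/false)
    line that the remediation above writes, and additionally reports whether a
    "blacklist" line is present. The function name and the sample files are this
    example's own; on a live host pass /etc/modprobe.d, bearing in mind that
    modprobe also reads /lib/modprobe.d and /run/modprobe.d. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): precise check of modprobe configuration.

# module_load_blocked <modprobe_dir> <module>
# Returns 0 if some *.conf file in <modprobe_dir> has an "install <module> <cmd>"
# line whose command is /bin/true or /bin/false, and prints whether a
# "blacklist <module>" line is also present. Comments and "options" lines do
# not count, longer names (cramfs vs. cramfs_x) do not match, and "-" and "_"
# are treated as the same character, as modprobe does.
module_load_blocked() {
    cat "$1"/*.conf 2>/dev/null | awk -v mod="$2" '
        BEGIN { gsub(/-/, "_", mod) }
        /^[[:space:]]*#/ || NF < 2 { next }
        { gsub(/-/, "_", $2) }
        $1 == "install" && $2 == mod && ($3 == "/bin/true" || $3 == "/bin/false") { inst = 1 }
        $1 == "blacklist" && $2 == mod { bl = 1 }
        END {
            printf "install=%s blacklist=%s\n", (inst ? "yes" : "no"), (bl ? "yes" : "no")
            exit inst ? 0 : 1
        }'
}

# Constructed modprobe.d directory contents (not from a real host).
sample_modprobe_dir() {
    mkdir -p "$1"
    cat > "$1/cramfs.conf" <<'EOF'
# disable cramfs
install cramfs /bin/true
blacklist cramfs
EOF
    cat > "$1/usb.conf" <<'EOF'
options usb_storage quirks=0781:5583:u
install usb-storage /bin/false
EOF
}

# Stand-alone demo on the constructed directory.
_demo=$(mktemp -d)
sample_modprobe_dir "$_demo"
for _m in cramfs usb_storage squashfs; do
    printf '%s: ' "$_m"; module_load_blocked "$_demo" "$_m" || true
done
rm -rf "$_demo"
```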
{{%- macro xinetd_disabled_check_with_systemd(service) %}}
To check that the <code>{{{ service }}}</code> service is disabled in system boot configuration with xinetd, run the following command:
<pre>$ chkconfig <code>{{{ service }}}</code> --list</pre>
Output should indicate the <code>{{{ service }}}</code> service has either not been installed, or has been disabled, as shown in the example below:
<pre>$ chkconfig <code>{{{ service }}}</code> --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
<code>{{{ service }}}</code> off</pre>
{{%- endmacro %}}
{{%- macro socket_disabled_check_with_systemd(socket) %}}
To check that the <code>{{{ socket }}}</code> socket is disabled in system boot configuration with systemd, run the following command:
<pre>$ systemctl is-enabled <code>{{{ socket }}}</code></pre>
Output should indicate the <code>{{{ socket }}}</code> socket has either not been installed,
or has been disabled, as shown in the example below (<code>masked</code> also satisfies this check):
<pre>$ systemctl is-enabled <code>{{{ socket }}}</code><br/>disabled</pre>
Run the following command to verify <code>{{{ socket }}}</code> is not active (i.e. not running) through current runtime configuration:
<pre>$ systemctl is-active {{{ socket }}}</pre>
If the socket is not running the command will return the following output:
<pre>inactive</pre>
By default the socket will also be masked. To check that the <code>{{{ socket }}}</code> socket is masked, run the following command:
<pre>$ systemctl show <code>{{{ socket }}}</code> | grep "LoadState\|UnitFileState"</pre>
If the socket is masked the command will return the following outputs:
<pre>LoadState=masked</pre>
<pre>UnitFileState=masked</pre>
{{%- endmacro %}}
{{%- macro systemd_complete_ocil_entry_socket_and_service_disabled(name) %}}
ocil: |-
{{{ xinetd_disabled_check_with_systemd(name) }}}
{{{ socket_disabled_check_with_systemd(name) }}}
ocil_clause: "service and/or socket are running"
{{%- endmacro %}}
{{%- macro upstart_complete_ocil_entry_socket_and_service_disabled(name) %}}
ocil:
ocil_clause: "service and/or socket are running"
{{%- endmacro %}}
{{%- macro rpm_ocil_package(package) -%}}
Run the following command to determine if the <code>{{{ package }}}</code> package is installed:
<pre>$ rpm -q {{{ package }}}</pre>
{{%- endmacro -%}}
{{%- macro dpkg_ocil_package(package) %}}
Run the following command to determine if the <code>{{{ package }}}</code> package is installed:
<pre>$ dpkg -l {{{ package }}}</pre>
{{%- endmacro %}}
{{%- macro rpm_complete_ocil_entry_package(package) %}}
ocil: |-
{{{ rpm_ocil_package(package) }}}
ocil_clause: "the package is installed"
{{%- endmacro %}}
{{%- macro dpkg_complete_ocil_entry_package(package) %}}
ocil: |-
{{{ dpkg_ocil_package(package) }}}
ocil_clause: "the package is installed"
{{%- endmacro %}}
{{%- macro ocil_xinetd_service_disabled(service) %}}
To check that the <code>{{{ service }}}</code> service is disabled in system boot configuration, run the following command:
<pre>$ sudo chkconfig <code>{{{ service }}}</code> --list</pre>
Output should indicate the <code>{{{ service }}}</code> service has either not been installed, or has been disabled, as shown in the example below:
<pre>$ sudo chkconfig <code>{{{ service }}}</code> --list
<code>{{{ service }}}</code> off</pre>
{{%- endmacro %}}
{{%- macro systemd_ocil_service_disabled(service) %}}
To check that the <code>{{{ service }}}</code> service is disabled in system boot configuration, run the following command:
<pre>$ systemctl is-enabled <code>{{{ service }}}</code></pre>
Output should indicate the <code>{{{ service }}}</code> service has either not been installed,
or has been disabled, as shown in the example below (<code>masked</code> also satisfies this check):
<pre>$ systemctl is-enabled <code>{{{ service }}}</code><br/>disabled</pre>
Run the following command to verify <code>{{{ service }}}</code> is not active (i.e. not running) through current runtime configuration:
<pre>$ systemctl is-active {{{ service }}}</pre>
If the service is not running the command will return the following output:
<pre>inactive</pre>
By default the service will also be masked. To check that the <code>{{{ service }}}</code> service is masked, run the following command:
<pre>$ systemctl show <code>{{{ service }}}</code> | grep "LoadState\|UnitFileState"</pre>
If the service is masked the command will return the following outputs:
<pre>LoadState=masked</pre>
<pre>UnitFileState=masked</pre>
{{%- endmacro %}}
{{%- macro systemd_ocil_service_enabled(service) %}}
Run the following command to determine the current status of the
<code>{{{ service }}}</code> service:
<pre>$ systemctl is-active {{{ service }}}</pre>
If the service is running, it should return the following: <pre>active</pre>
{{%- endmacro %}}
{{%- macro upstart_ocil_service_disabled(service) %}}
To check that the <code>{{{ service }}}</code> service is disabled in system boot configuration, run the following command:
<pre>$ sudo chkconfig <code>{{{ service }}}</code> --list</pre>
Output should indicate the <code>{{{ service }}}</code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<pre>$ sudo chkconfig <code>{{{ service }}}</code> --list
<code>{{{ service }}}</code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre>
Run the following command to verify <code>{{{ service }}}</code> is disabled through current runtime configuration:
<pre>$ sudo service {{{ service }}} status</pre>
If the service is disabled the command will return the following output:
<pre>{{{ service }}} is stopped</pre>
{{%- endmacro %}}
{{%- macro upstart_ocil_service_enabled(service) %}}
Run the following command to determine the current status of the
<code>{{{ service }}}</code> service:
<pre>$ sudo service {{{ service }}} status</pre>
If the service is enabled, it should return the following: <pre>{{{ service }}} is running...</pre>
{{%- endmacro %}}
{{%- macro systemd_describe_socket_disable(socket) %}}
The <code>{{{ socket }}}</code> socket can be disabled with the following command:
<pre>$ sudo systemctl disable {{{ socket }}}.socket</pre>
The <code>{{{ socket }}}</code> socket can be masked with the following command:
<pre>$ sudo systemctl mask {{{ socket }}}.socket</pre>
{{%- endmacro %}}
{{%- macro upstart_describe_socket_disable(socket) %}}
{{%- endmacro %}}
{{%- macro systemd_describe_socket_enable(socket) %}}
The <code>{{{ socket }}}</code> socket can be enabled with the following command:
<pre>$ sudo systemctl enable {{{ socket }}}.socket</pre>
{{%- endmacro %}}
{{%- macro upstart_describe_socket_enable(socket) %}}
{{%- endmacro %}}
{{%- macro systemd_describe_service_disable(service) %}}
The <code>{{{ service }}}</code> service can be disabled with the following command:
<pre>$ sudo systemctl disable {{{ service }}}.service</pre>
The <code>{{{ service }}}</code> service can be masked with the following command:
<pre>$ sudo systemctl mask {{{ service }}}.service</pre>
{{%- endmacro %}}
{{%- macro systemd_describe_service_enable(service) %}}
The <code>{{{ service }}}</code> service can be enabled with the following command:
<pre>$ sudo systemctl enable {{{ service }}}.service</pre>
{{%- endmacro %}}
{{%- macro upstart_describe_service_disable(service) %}}
The <code>{{{ service }}}</code> service can be disabled with the following command:
<pre>$ sudo chkconfig {{{ service }}} off</pre>
{{%- endmacro %}}
{{%- macro upstart_describe_service_enable(service) %}}
The <code>{{{ service }}}</code> service can be enabled with the following command:
<pre>$ sudo chkconfig --level 2345 {{{ service }}} on</pre>
{{%- endmacro %}}
{{%- macro systemd_describe_timer_enable(timer) %}}
The <code>{{{ timer }}}</code> timer can be enabled with the following command:
<pre>$ sudo systemctl enable {{{ timer }}}.timer</pre>
{{%- endmacro %}}
{{%- macro systemd_ocil_timer_enabled(timer) %}}
Run the following command to determine the current status of the
<code>{{{ timer }}}</code> timer:
<pre>$ systemctl is-active {{{ timer }}}.timer</pre>
If the timer is running, it should return the following: <pre>active</pre>
{{%- endmacro %}}
{{%- macro describe_sebool_check_disabled(sebool) %}}
Run the following command to determine if the <code>{{{ sebool }}}</code> SELinux boolean is disabled:
<pre>$ getsebool {{{ sebool }}}</pre>
If properly configured, the output should show the following:
<code>{{{ sebool }}} --> off</code>
{{%- endmacro %}}
{{%- macro complete_ocil_entry_sebool_disabled(sebool) %}}
ocil: |-
{{{ describe_sebool_check_disabled(sebool) }}}
ocil_clause: "{{{ sebool }}} is not disabled"
{{%- endmacro %}}
{{%- macro describe_sebool_check_enabled(sebool) %}}
Run the following command to determine if the <code>{{{ sebool }}}</code> SELinux boolean is enabled:
<pre>$ getsebool {{{ sebool }}}</pre>
If properly configured, the output should show the following:
<code>{{{ sebool }}} --> on</code>
{{%- endmacro %}}
{{%- macro complete_ocil_entry_sebool_enabled(sebool) %}}
ocil: |-
{{{ describe_sebool_check_enabled(sebool) }}}
ocil_clause: "{{{ sebool }}} is not enabled"
{{%- endmacro %}}
{{%- macro describe_sebool_disable(sebool) %}}
To disable the <code>{{{ sebool }}}</code> SELinux boolean, run the following command:
<pre>$ sudo setsebool -P {{{ sebool }}} off</pre>
{{%- endmacro %}}
{{%- macro describe_sebool_enable(sebool) %}}
To enable the <code>{{{ sebool }}}</code> SELinux boolean, run the following command:
<pre>$ sudo setsebool -P {{{ sebool }}} on</pre>
{{%- endmacro %}}
{{%- macro apt_get_package_install(package) %}}
$ sudo apt-get install {{{ package }}}
{{%- endmacro %}}
{{%- macro apt_get_package_remove(package) %}}
$ sudo apt-get remove {{{ package }}}
{{%- endmacro %}}
{{%- macro dnf_package_install(package) %}}
$ sudo dnf install {{{ package }}}
{{%- endmacro %}}
{{%- macro dnf_package_remove(package) %}}
$ sudo dnf erase {{{ package }}}
{{%- endmacro %}}
{{%- macro yum_package_install(package) %}}
$ sudo yum install {{{ package }}}
{{%- endmacro %}}
{{%- macro yum_package_remove(package) %}}
$ sudo yum erase {{{ package }}}
{{%- endmacro %}}
{{%- macro zypper_package_install(package) %}}
$ sudo zypper install {{{ package }}}
{{%- endmacro %}}
{{%- macro zypper_package_remove(package) %}}
$ sudo zypper remove {{{ package }}}
{{%- endmacro %}}
{{%- macro describe_file_permissions(file, perms) %}}
To properly set the permissions of <code>{{{ file }}}</code>, run the command:
<pre>$ sudo chmod {{{ perms }}} {{{ file }}}</pre>
{{%- endmacro %}}
{{%- macro describe_file_owner(file, owner) %}}
To properly set the owner of <code>{{{ file }}}</code>, run the command:
<pre>$ sudo chown {{{ owner }}} {{{ file }}} </pre>
{{%- endmacro %}}
{{%- macro describe_file_group_owner(file, group) %}}
To properly set the group owner of <code>{{{ file }}}</code>, run the command:
<pre>$ sudo chgrp {{{ group }}} {{{ file }}}</pre>
{{%- endmacro %}}
{{%- macro ocil_file_permissions(file, perms) -%}}
To check the permissions of <code>{{{ file }}}</code>, run the command:
<pre>$ ls -l {{{ file }}}</pre>
If properly configured, the output should indicate the following permissions:
<code>{{{ perms }}}</code>
{{%- endmacro %}}
{{%- macro ocil_file_owner(file, owner) -%}}
To check the ownership of <code>{{{ file }}}</code>, run the command:
<pre>$ ls -lL {{{ file }}}</pre>
If properly configured, the output should indicate the following owner:
<code>{{{ owner }}}</code>
{{%- endmacro %}}
{{%- macro ocil_file_group_owner(file, group) -%}}
To check the group ownership of <code>{{{ file }}}</code>, run the command:
<pre>$ ls -lL {{{ file }}}</pre>
If properly configured, the output should indicate the following group-owner:
<code>{{{ group }}}</code>
{{%- endmacro %}}
{{%- macro ocil_clause_file_permissions(file, perms) -%}}
{{{ file }}} does not have unix mode {{{ perms }}}
{{%- endmacro %}}
{{%- macro ocil_clause_file_owner(file, owner) -%}}
{{{ file }}} does not have owner {{{ owner }}}
{{%- endmacro %}}
{{%- macro ocil_clause_file_group_owner(file, group) -%}}
{{{ file }}} does not have group owner {{{ group }}}
{{%- endmacro %}}
{{%- macro check_file_permissions(file, perms) %}}
To check the permissions of <code>{{{ file }}}</code>, run the command:
<pre>$ ls -l {{{ file }}}</pre>
If properly configured, the output should indicate the following permissions:
<code>{{{ perms }}}</code>
{{%- endmacro %}}
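{{# Added example, not part of this macro library, for the file permission and
    ownership checks above. Reading "ls -l" by eye answers "is the mode exactly
    X", but what a hardening rule usually needs is "no more permissive than X":
    a 0600 /etc/shadow satisfies a 0640 requirement, a setuid 4755 binary does
    not satisfy 0755. This POSIX shell helper compares the permission bits
    directly; the wrappers use GNU stat (Linux) with -L, following symlinks like
    the "ls -lL" in the ownership checks above. Function names are this
    example's own. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): mode and ownership checks that compare
# bits instead of eyeballing ls output.

# mode_within <actual> <max>
# Returns 0 if every permission bit set in <actual> is also set in <max>, i.e.
# the file is no more permissive than required. Both arguments are octal
# strings as printed by "stat -c %a" or written in rules (640 or 0640).
mode_within() {
    _a=$(printf '%d' "0$1"); _m=$(printf '%d' "0$2")   # "0" prefix forces octal
    [ $(( _a & ~_m )) -eq 0 ]
}

# Live-host wrappers; GNU stat is assumed. -L follows symlinks so the target,
# not the link, is examined.
file_mode_ok() { mode_within "$(stat -L -c %a "$1")" "$2"; }
file_owned_by() { [ "$(stat -L -c %U:%G "$1")" = "$2" ]; }   # e.g. root:root

# Stand-alone demo on a temporary file.
_demo=$(mktemp)
chmod 0640 "$_demo"
for _max in 0640 0600; do
    if file_mode_ok "$_demo" "$_max"; then
        echo "mode $(stat -L -c %a "$_demo") within $_max"
    else
        echo "mode $(stat -L -c %a "$_demo") exceeds $_max"
    fi
done
rm -f "$_demo"
```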
{{% macro describe_mount(option, part) -%}}
Add the <code>{{{ option }}}</code> option to the fourth column of
<tt>/etc/fstab</tt> for the line which controls mounting of
{{% if part.startswith('/') -%}}
<code>{{{ part }}}</code>.
{{%- else %}}
{{{ part }}}.
{{%- endif %}}
{{%- endmacro %}}
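{{# Added example, not part of this macro library, serving three passages above:
    the mount option check (ocil_mount_option), the separate partition check
    (partition_check) and the fstab remediation (describe_mount). Grepping the
    output of "mount" is prone to substring matches ("on /var" also matches
    /var/log; "dev" also matches "nodev"). These POSIX shell helpers read the
    kernel's own list, /proc/self/mounts ("source target fstype options dump
    pass", one mount per line, spaces in paths escaped as \040), and /etc/fstab,
    matching the mount point exactly and the option as a whole comma-separated
    token. They take a file path so they can be run on constructed input; on a
    live host pass /proc/self/mounts and /etc/fstab. Function names and the
    sample files are this example's own. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): mount-point and mount-option checks
# against /proc/self/mounts and /etc/fstab.

# Both formats keep the mount point in column 2 and the option list in
# column 4, so one parser serves both; comment lines are skipped for fstab.
_col4_has_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# mount_has_option <mounts_file> <mountpoint> <option>: 0 if the option is active now
mount_has_option() { _col4_has_option "$@"; }

# fstab_has_option <fstab_file> <mountpoint> <option>: 0 if the 4th column lists
# the option, i.e. it will be applied at the next mount or boot
fstab_has_option() { _col4_has_option "$@"; }

# is_separate_mount <mounts_file> <path>: 0 if <path> is itself a mount point
is_separate_mount() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Constructed inputs (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / xfs rw,relatime,seclabel 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,seclabel 0 0
/dev/sda3 /var xfs rw,relatime 0 0
EOF
}
sample_fstab() {
    cat <<'EOF'
# constructed /etc/fstab
UUID=0000-0000 /     xfs   defaults       0 0
tmpfs          /tmp  tmpfs nosuid,nodev   0 0
EOF
}

# Stand-alone demo: /tmp is noexec right now but that is not persisted.
_m=$(mktemp); _f=$(mktemp)
sample_mounts > "$_m"; sample_fstab > "$_f"
is_separate_mount "$_m" /var && echo "/var is a separate mount"
is_separate_mount "$_m" /var/log || echo "/var/log is not a separate mount"
mount_has_option "$_m" /tmp noexec && echo "/tmp is mounted noexec"
fstab_has_option "$_f" /tmp noexec || echo "/tmp noexec is not persisted in fstab"
rm -f "$_m" "$_f"
```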
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
The runtime status of the <code>{{{ sysctl }}}</code> kernel parameter can be queried
by running the following command:
<pre>$ sysctl {{{ sysctl }}}</pre>
The output of the command should indicate a value of <code>{{{ value }}}</code>.
The preferred way to ensure runtime compliance is to have the
correct persistent configuration and to reboot the system.
The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the <code>/etc/sysctl.d</code> directory.
Verify that there is not any existing incorrect configuration by executing the following command:
<pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
If any assignments other than
<pre>{{{ sysctl }}} = {{{ value }}}</pre>
are found, or the correct assignment is duplicated, remove those offending lines from respective files,
and make sure that exactly one file in
<code>/etc/sysctl.d</code> contains <code>{{{ sysctl }}} = {{{ value }}}</code>, and that one assignment
is returned when
<pre>$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d</pre>
is executed.
{{%- endmacro %}}
{{% macro complete_ocil_entry_sysctl_option_value(sysctl, value) -%}}
ocil: |
{{{ ocil_sysctl_option_value(sysctl, value) }}}
ocil_clause: "the correct value is not returned"
{{%- endmacro %}}
{{% macro describe_sysctl_option_value(sysctl, value) -%}}
To set the runtime status of the <code>{{{ sysctl }}}</code> kernel parameter,
run the following command:
<pre>$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}</pre>
To make sure that the setting is persistent,
add the following line to a file in the directory <tt>/etc/sysctl.d</tt>:
<pre>{{{ sysctl }}} = {{{ value }}}</pre>
{{%- endmacro %}}
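{{# Added example, not part of this macro library, for the sysctl check and
    remediation above. The grep in the check only matches "key = value" written
    with the dotted key name; sysctl.conf also permits "key=value" without
    spaces, a leading "-" meaning "ignore errors", "/" in place of "." in the
    key, and ";" comments. These POSIX shell helpers list every active
    assignment of a key across a set of files and report whether exactly one
    assignment with the required value exists, which is the condition the check
    asks for. Function names and the sample files are this example's own. #}}

```shell
#!/bin/sh
# Added example (not from macros.jinja): find every persistent assignment of a
# sysctl key and decide whether the configuration is unambiguous.

# sysctl_assignments <key> <file>...
# Prints "file<TAB>value" for each active assignment of <key>.
sysctl_assignments() {
    _key=$(printf '%s' "$1" | tr / .); shift     # sysctl accepts "/" for "."
    for _f in "$@"; do
        [ -f "$_f" ] || continue
        awk -v key="$_key" -v file="$_f" '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            index($0, "=") {
                k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]-]+|[[:space:]]+$/, "", k); gsub(/\//, ".", k)   # strip "-" prefix
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                if (k == key) printf "%s\t%s\n", file, v
            }' "$_f"
    done
}

# sysctl_config_ok <key> <value> <file>...
# 0 only when exactly one assignment exists across the files and it carries
# <value>. Pass the files in the order "sysctl --system" reads them, i.e.
# /etc/sysctl.d/*.conf first and /etc/sysctl.conf last, to see which line wins.
sysctl_config_ok() {
    _key=$1; _val=$2; shift 2
    _out=$(sysctl_assignments "$_key" "$@")
    [ "$(printf '%s\n' "$_out" | grep -c .)" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$_out" | cut -f2)" = "$_val" ]
}

# Constructed configuration directory (not from a real host): ip_forward is
# set three times in three spellings, kptr_restrict exactly once.
sample_sysctl_dir() {
    mkdir -p "$1"
    printf 'net.ipv4.ip_forward = 0\n# net.ipv4.ip_forward = 1\n' > "$1/sysctl.conf"
    printf 'net/ipv4/ip_forward=1\nkernel.kptr_restrict = 2\n' > "$1/90-override.conf"
    printf -- '-net.ipv4.ip_forward = 0\n' > "$1/99-minus.conf"
}

# Stand-alone demo.
_d=$(mktemp -d)
sample_sysctl_dir "$_d"
echo "assignments of net.ipv4.ip_forward:"
sysctl_assignments net.ipv4.ip_forward "$_d"/*.conf
sysctl_config_ok net.ipv4.ip_forward 0 "$_d"/*.conf || echo "net.ipv4.ip_forward: conflicting or duplicate lines"
sysctl_config_ok kernel.kptr_restrict 2 "$_d"/*.conf && echo "kernel.kptr_restrict: exactly one correct assignment"
rm -rf "$_d"
```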
{{% macro weblink(link, text=none) -%}}
{{% if text is not none -%}}
<a xmlns='http://www.w3.org/1999/xhtml' href='{{{ link }}}'>{{{ text }}}</a>
{{%- else %}}
<a xmlns='http://www.w3.org/1999/xhtml' href='{{{ link }}}'>{{{ link }}}</a>
{{%- endif %}}
{{%- endmacro %}}
{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
When selecting this rule in a profile,
{{%- if why %}}
make sure that the rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
{{%- else %}}
rule <code>{{{ rule_id }}}</code> has to be selected as well.
{{%- endif %}}
{{% endmacro %}}
{{% macro openssl_strong_entropy_config_file() -%}}
# provide a default -rand /dev/random option to openssl commands that
# support it
# written inefficiently for maximum shell compatibility
openssl()
(
    openssl_bin=/usr/bin/openssl
    case "$*" in
        # if user specified -rand, honor it
        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
    esac
    cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
    for i in `$openssl_bin list -commands`; do
        if $openssl_bin list -options "$i" | grep -q '^rand '; then
            cmds=" $i $cmds"
        fi
    done
    case "$cmds" in
        *\ "$1"\ *)
            cmd="$1"; shift
            exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
    esac
    exec $openssl_bin "$@"
)
{{%- endmacro %}}