From da0a661b8a5754feecab58a577783faa918172bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 4 Sep 2020 12:04:27 +0200
Subject: [PATCH 1/3] Replace XCCDF value substitution code by a macro.
The macro hides the actual implementation of the substitution,
it "just works", and it opens ways how to support variables
even outside of the SCAP content, where there is no scanner
to do the acutal substitution.
Renamed the macro to xccdf_value, kept the old one for backward compatibility.
---
.../rule.yml | 8 ++++----
.../rule.yml | 2 +-
.../keystone/keystone_lockout_duration/rule.yml | 2 +-
.../keystone_lockout_failure_attempts/rule.yml | 2 +-
.../rule.yml | 2 +-
.../container_keystone_lockout_duration/rule.yml | 2 +-
.../rule.yml | 2 +-
.../rule.yml | 4 ++--
.../httpd_enable_loglevel/rule.yml | 4 ++--
.../postfix_client_configure_mail_alias/rule.yml | 2 +-
.../postfix_client_configure_relayhost/rule.yml | 4 ++--
.../postfix_network_listening_disabled/rule.yml | 4 ++--
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 6 +++---
.../ssh_server/sshd_disable_compression/rule.yml | 2 +-
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 4 ++--
.../ssh_server/sshd_set_idle_timeout/rule.yml | 4 ++--
.../ssh/ssh_server/sshd_set_keepalive/rule.yml | 4 ++--
.../ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++--
.../ssh_server/sshd_set_max_sessions/rule.yml | 4 ++--
.../sshd_use_approved_ciphers/rule.yml | 2 +-
.../ssh_server/sshd_use_approved_macs/rule.yml | 2 +-
.../ssh_server/sshd_use_priv_separation/rule.yml | 4 ++--
.../services/sssd/sssd_memcache_timeout/rule.yml | 8 ++++----
.../sssd/sssd_ssh_known_hosts_timeout/rule.yml | 8 ++++----
.../accounts_password_pam_unix_remember/rule.yml | 8 ++++----
.../rule.yml | 6 +++---
.../rule.yml | 4 ++--
.../rule.yml | 6 +++---
.../rule.yml | 4 ++--
.../rule.yml | 2 +-
.../rule.yml | 6 +++---
.../rule.yml | 4 ++--
.../rule.yml | 4 ++--
.../rule.yml | 2 +-
.../rule.yml | 2 +-
.../accounts_password_pam_difok/rule.yml | 2 +-
.../rule.yml | 4 ++--
.../accounts_password_pam_maxrepeat/rule.yml | 4 ++--
.../accounts_password_pam_minclass/rule.yml | 2 +-
.../accounts_password_pam_minlen/rule.yml | 4 ++--
.../accounts_password_pam_ocredit/rule.yml | 2 +-
.../accounts_password_pam_retry/rule.yml | 2 +-
.../configure_opensc_card_drivers/rule.yml | 8 ++++----
.../force_opensc_card_drivers/rule.yml | 8 ++++----
.../account_disable_post_pw_expiration/rule.yml | 6 +++---
.../accounts_maximum_age_login_defs/rule.yml | 4 ++--
.../accounts_minimum_age_login_defs/rule.yml | 4 ++--
.../accounts_password_minlen_login_defs/rule.yml | 4 ++--
.../rule.yml | 4 ++--
.../accounts_logon_fail_delay/rule.yml | 4 ++--
.../rule.yml | 4 ++--
.../accounts-session/accounts_tmout/rule.yml | 4 ++--
.../accounts_umask_etc_bashrc/rule.yml | 6 +++---
.../accounts_umask_etc_csh_cshrc/rule.yml | 4 ++--
.../accounts_umask_etc_login_defs/rule.yml | 4 ++--
.../accounts_umask_etc_profile/rule.yml | 4 ++--
.../rule.yml | 4 ++--
.../rule.yml | 4 ++--
.../auditd_data_retention_flush/rule.yml | 2 +-
.../auditd_data_retention_max_log_file/rule.yml | 2 +-
.../auditd_data_retention_num_logs/rule.yml | 2 +-
.../rsyslog_files_groupownership/rule.yml | 8 ++++----
.../rsyslog_files_ownership/rule.yml | 8 ++++----
.../rsyslog_remote_loghost/rule.yml | 16 ++++++++--------
.../rule.yml | 4 ++--
.../daemon_umask/umask_for_daemons/rule.yml | 4 ++--
.../system/selinux/selinux_policytype/rule.yml | 6 +++---
.../guide/system/selinux/selinux_state/rule.yml | 6 +++---
.../dconf_gnome_screensaver_idle_delay/rule.yml | 2 +-
.../dconf_gnome_screensaver_lock_delay/rule.yml | 6 +++---
.../gconf_gnome_screensaver_idle_delay/rule.yml | 6 +++---
.../rule.yml | 6 +++---
.../crypto/configure_crypto_policy/rule.yml | 6 +++---
.../crypto/ssh_client_rekey_limit/rule.yml | 6 +++---
shared/macros.jinja | 7 ++++++-
75 files changed, 168 insertions(+), 163 deletions(-)
diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
index 74da1f4c8b..91bd3ab560 100644
--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
@@ -11,13 +11,13 @@ description: |-
{{%- if product == "ocp4" %}}
file <tt>/etc/kubernetes/kubernetes.conf</tt>
on the kubelet node(s) and set the below parameter:
- <pre>streamingConnectionIdleTimeout: <sub idref="var_streaming_connection_timeouts"/></pre>
+ <pre>streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}</pre>
{{% else %}}
file <tt>/etc/origin/node/node-config.yaml</tt>
on the kubelet node(s) and set the below parameter:
<pre>kubeletArguments:
streaming-connection-idle-timeout:
- - '<sub idref="var_streaming_connection_timeouts"/>'</pre>
+ - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}'</pre>
{{%- endif %}}
rationale: |-
@@ -33,10 +33,10 @@ ocil: |-
Run the following command on the kubelet node(s):
{{%- if product == "ocp4" %}}
<pre>$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf</pre>
- The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
+ The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
{{% else %}}
<pre>$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml</pre>
- The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
+ The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
{{%- endif %}}
identifiers:
diff --git a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
index 6f8a7c9474..5a06f2984f 100644
--- a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
+++ b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
@@ -32,4 +32,4 @@ ocil: |-
<pre>$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
+ <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>
diff --git a/applications/openstack/keystone/keystone_lockout_duration/rule.yml b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
index 30a823e0fe..50057c14d1 100644
--- a/applications/openstack/keystone/keystone_lockout_duration/rule.yml
+++ b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
@@ -38,4 +38,4 @@ ocil: |-
<pre>$ grep lockout_duration /etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
+ <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>
diff --git a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
index e77fb2d0c1..4927fb0abe 100644
--- a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
+++ b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
@@ -33,4 +33,4 @@ ocil: |-
<pre>$ grep lockout_failure_attempts /etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
+ <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>
diff --git a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
index 9f98073edc..8bd564e66a 100644
--- a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
@@ -31,4 +31,4 @@ ocil: |-
<pre>$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
+ <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>
diff --git a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
index 98f33106c0..1c469e3e4f 100644
--- a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
@@ -37,4 +37,4 @@ ocil: |-
<pre>$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
+ <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>
diff --git a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
index d9de1aebf6..8d48304685 100644
--- a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
@@ -32,4 +32,4 @@ ocil: |-
<pre>$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
<br />
If properly configured, the output should be:
- <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
+ <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
index aaf7e21583..3a9b317b75 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests'
description: |-
The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to
- <sub idref="var_max_keepalive_requests" /> or greater by setting the following
+ {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following
in <tt>/etc/httpd/conf/httpd.conf</tt>:
- <pre>MaxKeepAliveRequests <sub idref="var_max_keepalive_requests" /></pre>
+ <pre>MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}</pre>
rationale: |-
Resource exhaustion can occur when an unlimited number of concurrent requests
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
index 112039a2d8..e8bb96b214 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8
title: 'Enable HTTPD LogLevel'
description: |-
- <tt>LogLevel</tt> should be enabled and set to <sub idref="var_httpd_loglevel" />.
+ <tt>LogLevel</tt> should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}.
Add or edit the following in <tt>/etc/httpd/conf/httpd.conf</tt>:
- <pre>LogLevel <sub idref="var_httpd_loglevel" /></pre>
+ <pre>LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}</pre>
rationale: |-
The server error logs are invaluable because they can also be used to identify
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 0650606bad..b86f6e7c98 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account'
description: |-
Set up an alias for root that forwards to a monitored email address:
- <pre>$ sudo echo "root: <sub idref="var_postfix_root_mail_alias" />" >> /etc/aliases
+ <pre>$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" >> /etc/aliases
$ sudo newaliases</pre>
rationale: |-
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
index 0b4e2d2322..0faafeb0c2 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -6,7 +6,7 @@ description: |-
Set up a relay host that will act as a gateway for all outbound email.
Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
<tt>relayhost</tt> line appears:
- <pre>relayhost = <sub idref="var_postfix_relayhost" /></pre>
+ <pre>relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}</pre>
rationale: |-
A central outbound email location ensures messages sent from any network host
@@ -20,4 +20,4 @@ ocil_clause: 'it is not'
ocil: |-
Run the following command to ensure postfix routes mail to this system:
<pre>$ grep relayhost /etc/postfix/main.cf</pre>
- If properly configured, the output should show only <tt><sub idref="var_postfix_relayhost" /></tt>.
+ If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 8deb83a2da..cba179b8d7 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening'
description: |-
Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
<tt>inet_interfaces</tt> line appears:
- <pre>inet_interfaces = <sub idref="var_postfix_inet_interfaces" /></pre>
+ <pre>inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}</pre>
rationale: |-
@@ -41,4 +41,4 @@ ocil_clause: 'it does not'
ocil: |-
Run the following command to ensure postfix accepts mail messages from only the local system:
<pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
- If properly configured, the output should show only <tt><sub idref="var_postfix_inet_interfaces" /></tt>.
+ If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index ba3772a5af..d5f8b9125e 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval'
description: |-
The <tt>maxpoll</tt> should be configured to
- <sub idref="var_time_service_set_maxpoll" /> in <tt>/etc/ntp.conf</tt> or
+ {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
add the following:
- <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>
+ <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
rationale: |-
Inaccurate time stamps make it more difficult to correlate
@@ -46,4 +46,4 @@ ocil: |-
To verify that <tt>maxpoll</tt> has been set properly, perform the following:
<pre>$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf</pre>
The output should return
- <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>.
+ <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index e63866bb8b..fe7e67c1c2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -9,7 +9,7 @@ description: |-
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
<tt>/etc/ssh/sshd_config</tt> file:
- <pre>Compression <sub idref="var_sshd_disable_compression"/></pre>
+ <pre>Compression {{{ xccdf_value("var_sshd_disable_compression") }}}</pre>
rationale: |-
If compression is allowed in an SSH connection prior to authentication,
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index ce191e48e7..d7941f9c0e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -7,7 +7,7 @@ description: |-
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
- <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
@@ -30,4 +30,4 @@ ocil: |-
following command:
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
If configured properly, output should be
- <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
+ <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 250addfe2f..5149de069d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -8,7 +8,7 @@ description: |-
<br /><br />
To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
follows:
- <pre>ClientAliveInterval <b><sub idref="sshd_idle_timeout_value" /></b></pre>
+ <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
<br/><br/>
The timeout <b>interval</b> is given in seconds. For example, have a timeout
of 10 minutes, set <b>interval</b> to 600.
@@ -61,4 +61,4 @@ ocil: |-
Run the following command to see what the timeout interval is:
<pre>$ sudo grep ClientAliveInterval /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
- <pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value" /></pre>
+ <pre>ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index 95628aac85..5354ff5b0c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count'
description: |-
To ensure the SSH idle timeout occurs precisely when the <tt>ClientAliveInterval</tt> is set,
edit <tt>/etc/ssh/sshd_config</tt> as follows:
- <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
+ <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
rationale: |-
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -48,4 +48,4 @@ ocil: |-
To ensure the SSH idle timeout will occur when the <tt>ClientAliveInterval</tt> is set, run the following command:
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
If properly configured, output should be:
- <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
+ <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 037bb1603d..d6e1f30b19 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -6,7 +6,7 @@ description: |-
The <tt>MaxAuthTries</tt> parameter specifies the maximum number of authentication attempts
permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
to set MaxAUthTries edit <tt>/etc/ssh/sshd_config</tt> as follows:
- <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
+ <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>
rationale: |-
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
@@ -31,4 +31,4 @@ ocil: |-
To ensure the <tt>MaxAuthTries</tt> parameter is set, run the following command:
<pre>$ sudo grep MaxAuthTries /etc/ssh/sshd_config</pre>
If properly configured, output should be:
- <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
+ <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
index 3f74e662de..2782b71905 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit'
description: |-
The <tt>MaxSessions</tt> parameter specifies the maximum number of open sessions permitted
from a given connection. To set MaxSessions edit
- <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
+ <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>
rationale: |-
To protect a system from denial of service due to a large number of concurrent
@@ -27,4 +27,4 @@ ocil: |-
Run the following command to see what the max sessions number is:
<pre>$ sudo grep MaxSessions /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
- <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
+ <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 985bbd0b8b..c2204193dc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -31,7 +31,7 @@ description: |-
{{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
{{% endif %}}
{{% endif %}}
- The rule is parametrized to use the following ciphers: <code>{{{ sub_var_value("sshd_approved_ciphers") }}}</code>.
+ The rule is parametrized to use the following ciphers: <code>{{{ xccdf_value("sshd_approved_ciphers") }}}</code>.
rationale: |-
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index 4b563de550..b7adaca34b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -32,7 +32,7 @@ description: |-
{{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
{{% endif %}}
{{% endif %}}
- The rule is parametrized to use the following MACs: <code>{{{ sub_var_value("sshd_approved_macs") }}}</code>.
+ The rule is parametrized to use the following MACs: <code>{{{ xccdf_value("sshd_approved_macs") }}}</code>.
rationale: |-
DoD Information Systems are required to use FIPS-approved cryptographic hash
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 60813a75a2..14d1acfd22 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -6,7 +6,7 @@ description: |-
When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the <tt>/etc/ssh/sshd_config</tt> file:
- <pre>UsePrivilegeSeparation <sub idref="var_sshd_priv_separation" /></pre>
+ <pre>UsePrivilegeSeparation {{{ xccdf_value("var_sshd_priv_separation") }}}</pre>
rationale: |-
SSH daemon privilege separation causes the SSH process to drop root privileges
@@ -41,4 +41,4 @@ ocil: |-
To check if UsePrivilegeSeparation is enabled or set correctly, run the
following command:
<pre>$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config</pre>
- If configured properly, output should be <tt><sub idref="var_sshd_priv_separation" /></tt>.
+ If configured properly, output should be <tt>{{{ xccdf_value("var_sshd_priv_separation") }}}</tt>.
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
index 00cda4f144..35ec8c497c 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
@@ -6,14 +6,14 @@ title: 'Configure SSSD''s Memory Cache to Expire'
description: |-
SSSD's memory cache should be configured to set to expire records after
- <tt><sub idref="var_sssd_memcache_timeout" /></tt> seconds.
+ <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> seconds.
To configure SSSD to expire memory cache, set <tt>memcache_timeout</tt> to
- <tt><sub idref="var_sssd_memcache_timeout" /></tt> under the
+ <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> under the
<tt>[nss]</tt> section in <tt>/etc/sssd/sssd.conf</tt>.
For example:
<pre>[nss]
- memcache_timeout = <sub idref="var_sssd_memcache_timeout" />
+ memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
</pre>
rationale: |-
@@ -46,4 +46,4 @@ ocil_clause: 'it does not exist or is not configured properly'
ocil: |-
To verify that SSSD's in-memory cache expires after a day, run the following command:
<pre>$ sudo grep memcache_timeout /etc/sssd/sssd.conf</pre>
- If configured properly, output should be <pre>memcache_timeout = <sub idref="var_sssd_memcache_timeout" /></pre>.
+ If configured properly, output should be <pre>memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}</pre>.
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
index ce83991f57..00f1f3b485 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
@@ -6,12 +6,12 @@ title: 'Configure SSSD to Expire SSH Known Hosts'
description: |-
SSSD should be configured to expire keys from known SSH hosts after
- <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> seconds.
+ <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> seconds.
To configure SSSD to known SSH hosts, set <tt>ssh_known_hosts_timeout</tt>
- to <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> under the
+ to <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> under the
<tt>[ssh]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:
<pre>[ssh]
- ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" />
+ ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
</pre>
rationale: |-
@@ -44,4 +44,4 @@ ocil: |-
To verify that SSSD expires known SSH host keys, run the following command:
<pre>$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf</pre>
If configured properly, output should be
- <pre>ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" /></pre>
+ <pre>ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</pre>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 7c7b14860c..f6857da463 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -9,14 +9,14 @@ description: |-
accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>
or <tt>pam_pwhistory</tt> PAM modules.
<br /><br />
- In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt>
+ In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</tt>
to the line which refers to the <tt>pam_unix.so</tt> or <tt>pam_pwhistory.so</tt>module, as shown below:
<ul>
<li>for the <tt>pam_unix.so</tt> case:
- <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
+ <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
</li>
<li>for the <tt>pam_pwhistory.so</tt> case:
- <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
+ <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
</li>
</ul>
The DoD STIG requirement is 5 passwords.
@@ -56,6 +56,6 @@ ocil: |-
To verify the password reuse setting is compliant, run the following command:
<pre>$ grep remember /etc/pam.d/system-auth</pre>
The output should show the following at the end of the line:
- <pre>remember=<sub idref="var_password_pam_unix_remember" /></pre>
+ <pre>remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 8eeb24a9c5..15eba70d6a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -11,9 +11,9 @@ description: |-
<br /><br />
<ul>
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
+ <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
+ <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
<pre>account required pam_faillock.so</pre></li>
</ul>
@@ -56,6 +56,6 @@ ocil_clause: 'that is not the case'
ocil: |-
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
- The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /></tt>.
+ The output should show <tt>deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}</tt>.
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 6f49ea9850..1780a66251 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -13,10 +13,10 @@ description: |-
<ul>
<li>Modify the following line in the <tt>AUTH</tt> section to add
<tt>even_deny_root</tt>:
- <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
+ <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
<li>Modify the following line in the <tt>AUTH</tt> section to add
<tt>even_deny_root</tt>:
- <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+ <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre>
</li>
</ul>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index f891d8e600..708e98e7f3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -14,11 +14,11 @@ description: |-
<ul>
<li>Add the following line immediately <tt>before</tt> the
<tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+ <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre>
</li>
<li>Add the following line immediately <tt>after</tt> the
<tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
+ <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
</pre>
</li>
<li>Add the following line immediately <tt>before</tt> the
@@ -63,7 +63,7 @@ ocil: |-
To ensure the failed password attempt policy is configured correctly,
run the following command:
<pre>$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
- For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt><sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></tt> or greater.
+ For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt>{{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</tt> or greater.
If the <tt>fail_interval</tt> parameter is not set, the default setting
of 900 seconds is acceptable.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index c3c7fa1ccc..b992cf93bd 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -11,9 +11,9 @@ description: |-
<br /><br />
<ul>
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
+ <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
- <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
+ <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
<pre>account required pam_faillock.so</pre></li>
</ul>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
index fde8c8a188..168960bd4e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
@@ -7,7 +7,7 @@ title: 'Set Password Strength Minimum Different Characters'
description: |-
The pam_cracklib module's <tt>difok</tt> parameter controls requirements for
usage of different characters during a password change.
- Add <tt>difok=<i><sub idref="var_password_pam_difok" /></i></tt> after pam_cracklib.so to require differing
+ Add <tt>difok=<i>{{{ xccdf_value("var_password_pam_difok") }}}</i></tt> after pam_cracklib.so to require differing
characters when changing passwords. The DoD requirement is <tt>4</tt>.
rationale: |-
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
index 8171db26bd..8865b29f36 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
@@ -7,9 +7,9 @@ title: 'Set Password to Maximum of Three Consecutive Repeating Characters'
description: |-
The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
- which contain more than that number of consecutive characters. Add <tt>maxrepeat=<sub idref="var_password_pam_maxrepeat" /></tt>
- after pam_cracklib.so to prevent a run of (<sub idref="var_password_pam_maxrepeat" /> + 1) or more identical characters:<br />
- <pre>password required pam_cracklib.so maxrepeat=<sub idref="var_password_pam_maxrepeat" /></pre>
+ which contain more than that number of consecutive characters. Add <tt>maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}</tt>
+ after pam_cracklib.so to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters:<br />
+ <pre>password required pam_cracklib.so maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}</pre>
rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
index 9723f28793..3c87a58cc6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
@@ -17,8 +17,8 @@ description: |-
* Digits
* Special characters (for example, punctuation)
</pre>
- Add <tt>minclass=<i><sub idref="var_password_pam_minclass" /></i></tt> after pam_cracklib.so entry into the
- <tt>/etc/pam.d/system-auth</tt> file in order to require <sub idref="var_password_pam_minclass" /> differing categories of
+ Add <tt>minclass=<i>{{{ xccdf_value("var_password_pam_minclass") }}}</i></tt> after pam_cracklib.so entry into the
+ <tt>/etc/pam.d/system-auth</tt> file in order to require {{{ xccdf_value("var_password_pam_minclass") }}} differing categories of
characters when changing passwords.
For example to require at least three character classes to be used in password, use <tt>minclass=3</tt>.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
index cb902bccd7..1088af68ee 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
@@ -6,7 +6,7 @@ title: 'Set Password Minimum Length'
description: |-
The pam_cracklib module's <tt>minlen</tt> parameter controls requirements for
- minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
+ minimum characters required in a password. Add <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
after pam_pwquality to set minimum password length requirements.
rationale: |-
@@ -38,4 +38,4 @@ ocil_clause: 'minlen is not found or not set to the required value (or higher)'
ocil: |-
To check how many characters are required in a password, run the following command:
<pre>$ grep cracklib /etc/pam.d/system-auth</pre>
- Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
+ Your output should contain <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
index 9c6d8a5b31..f8cb083106 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
@@ -9,7 +9,7 @@ description: |-
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
- Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.
+ Add <tt>ocredit={{{ xccdf_value("var_password_pam_ocredit") }}}</tt> after pam_cracklib.so to require use of a special character in passwords.
rationale: |-
Requiring a minimum number of special characters makes password guessing attacks
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
index e0555d7224..cc1a9f72c7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
@@ -9,7 +9,7 @@ description: |-
<br /><br />
Edit the <tt>pam_cracklib.so</tt> statement in
<tt>/etc/pam.d/system-auth</tt> to show
- <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value
+ <tt>retry={{{ xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value
if site policy is more restrictive.
<br /><br />
The DoD requirement is a maximum of 3 prompts per session.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
index 965b10a57a..fb64b61520 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -9,7 +9,7 @@ description: |-
in a password that must not be present in and old password during a password change.
<br /><br />
Modify the <tt>difok</tt> setting in <tt>/etc/security/pwquality.conf</tt>
- to equal <sub idref="var_password_pam_difok" /> to require differing characters
+ to equal {{{ xccdf_value("var_password_pam_difok") }}} to require differing characters
when changing passwords.
rationale: |-
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index 0d59eefef9..d449c97950 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -8,8 +8,8 @@ description: |-
The pam_pwquality module's <tt>maxclassrepeat</tt> parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
- <tt>maxclassrepeat</tt> setting in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_maxclassrepeat" />
- to prevent a run of (<sub idref="var_password_pam_maxclassrepeat" /> + 1) or more identical characters.
+ <tt>maxclassrepeat</tt> setting in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}
+ to prevent a run of ({{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + 1) or more identical characters.
rationale: |-
Use of a complex password helps to increase the time and resources required to comrpomise the password.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
index 59637552ae..cb2755b255 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -8,8 +8,8 @@ description: |-
The pam_pwquality module's <tt>maxrepeat</tt> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the <tt>maxrepeat</tt> setting
- in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_maxrepeat" /> to prevent a
- run of (<sub idref="var_password_pam_maxrepeat" /> + 1) or more identical characters.
+ in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a
+ run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters.
rationale: |-
Use of a complex password helps to increase the time and resources required to compromise the password.
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 7dc06b20e9..c6ac4e654b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -19,7 +19,7 @@ description: |-
* Special characters (for example, punctuation)
</pre>
Modify the <tt>minclass</tt> setting in <tt>/etc/security/pwquality.conf</tt> entry
- to require <sub idref="var_password_pam_minclass" />
+ to require {{{ xccdf_value("var_password_pam_minclass") }}}
differing categories of characters when changing passwords.
rationale: |-
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index c507413b67..0c1066a550 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
description: |-
The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for
- minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
+ minimum characters required in a password. Add <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
after pam_pwquality to set minimum password length requirements.
rationale: |-
@@ -49,7 +49,7 @@ ocil_clause: 'minlen is not found, or not equal to or greater than the required
ocil: |-
To check how many characters are required in a password, run the following command:
<pre>$ grep minlen /etc/security/pwquality.conf</pre>
- Your output should contain <tt>minlen = <sub idref="var_password_pam_minlen" /></tt>
+ Your output should contain <tt>minlen = {{{ xccdf_value("var_password_pam_minlen") }}}</tt>
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index b9b93d69b1..cbc1ca50ee 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -10,7 +10,7 @@ description: |-
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the <tt>ocredit</tt> setting
- in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_ocredit" />
+ in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_ocredit") }}}
to require use of a special character in passwords.
rationale: |-
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index a64ee575a1..6b1534adde 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -7,7 +7,7 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
description: |-
To configure the number of retry prompts that are permitted per-session:
Edit the <tt>pam_pwquality.so</tt> statement in <tt>/etc/pam.d/system-auth</tt> to
- show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if
+ show <tt>retry={{{ xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if
site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
index 57958bce13..476cffcd62 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
@@ -8,13 +8,13 @@ description: |-
The OpenSC smart card tool can auto-detect smart card drivers; however,
setting the smart card drivers in use by your organization helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
- profile is <tt><sub idref="var_smartcard_drivers" /></tt>.
+ profile is <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt>.
To configure the OpenSC driver, edit the <tt>/etc/opensc-<i>ARCH</i>.conf</tt> (where
<i>ARCH</i> is the architecture of your operating system) file. Look for a
line similar to:
<pre># card_drivers = old, internal;</pre>
and change it to:
- <pre>card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
+ <pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
rationale: |-
Smart card login provides two-factor authentication stronger than
@@ -45,9 +45,9 @@ references:
ocil_clause: 'the smart card driver is not configured correctly'
ocil: |-
- To verify that <tt><sub idref="var_smartcard_drivers" /></tt> is configured
+ To verify that <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt> is configured
as the smart card driver, run the following command changing <i>ARCH</i> for
the architecture of your operating system:
<pre>$ grep card_drivers /etc/opensc-<i>ARCH</i></pre>
The output should return something similar to:
- <pre>card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
+ <pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
index ad65316007..261698320c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
@@ -9,13 +9,13 @@ description: |-
forcing the smart card driver in use by your organization, opensc will no longer
autodetect or use other drivers unless specified. This helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
- profile is <tt><sub idref="var_smartcard_drivers" /></tt>.
+ profile is <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt>.
To force the OpenSC driver, edit the <tt>/etc/opensc-<i>ARCH</i>.conf</tt> (where
<i>ARCH</i> is the architecture of your operating system) file. Look for a line
similar to:
<pre># force_card_driver = customcos;</pre>
and change it to:
- <pre>force_card_driver = <sub idref="var_smartcard_drivers" />;</pre>
+ <pre>force_card_driver = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
rationale: |-
Smart card login provides two-factor authentication stronger than
@@ -46,9 +46,9 @@ references:
ocil_clause: 'the smart card driver is not configured correctly'
ocil: |-
- To verify that <tt><sub idref="var_smartcard_drivers" /></tt> is configured
+ To verify that <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt> is configured
as the smart card driver, run the following command changing <i>ARCH</i> for
the architecture of your operating system:
<pre>$ grep force_card_driver /etc/opensc-<i>ARCH</i></pre>
The output should return something similar to:
- <pre>force_card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
+ <pre>force_card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 45c199ad4a..cfa59edd38 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -9,9 +9,9 @@ description: |-
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in <tt>/etc/default/useradd</tt>, substituting
<tt><i>NUM_DAYS</i></tt> appropriately:
- <pre>INACTIVE=<i><sub idref="var_account_disable_post_pw_expiration" /></i></pre>
+ <pre>INACTIVE=<i>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</i></pre>
A value of 35 is recommended; however, this profile expects that the value is set to
- <tt><sub idref="var_account_disable_post_pw_expiration" /></tt>.
+ <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
@@ -63,6 +63,6 @@ ocil: |-
The output should indicate the <tt>INACTIVE</tt> configuration option is set
to an appropriate integer as shown in the example below:
<pre>$ grep "INACTIVE" /etc/default/useradd
- INACTIVE=<sub idref="var_account_disable_post_pw_expiration" /></pre>
+ INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</pre>
platform: login_defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 0619423d0c..ccf95260dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -6,10 +6,10 @@ description: |-
To specify password maximum age for new accounts,
edit the file <tt>/etc/login.defs</tt>
and add or correct the following line:
- <pre>PASS_MAX_DAYS <sub idref="var_accounts_maximum_age_login_defs" /></pre>
+ <pre>PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</pre>
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
- The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
+ The profile requirement is <tt>{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</tt>.
rationale: |-
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 543e88e822..ceca9550a7 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -6,10 +6,10 @@ description: |-
To specify password minimum age for new accounts,
edit the file <tt>/etc/login.defs</tt>
and add or correct the following line:
- <pre>PASS_MIN_DAYS <sub idref="var_accounts_minimum_age_login_defs" /></pre>
+ <pre>PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</pre>
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
- The profile requirement is <tt><sub idref="var_accounts_minimum_age_login_defs" /></tt>.
+ The profile requirement is <tt>{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</tt>.
rationale: |-
Enforcing a minimum password lifetime helps to prevent repeated password
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 2f18ce638a..39864bb79d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -5,12 +5,12 @@ title: 'Set Password Minimum Length in login.defs'
description: |-
To specify password length requirements for new accounts, edit the file
<tt>/etc/login.defs</tt> and add or correct the following line:
- <pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs" /></pre>
+ <pre>PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</pre>
<br /><br />
The DoD requirement is <tt>15</tt>.
The FISMA requirement is <tt>12</tt>.
The profile requirement is
- <tt><sub idref="var_accounts_password_minlen_login_defs" /></tt>.
+ <tt>{{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</tt>.
If a program consults <tt>/etc/login.defs</tt> and also another PAM module
(such as <tt>pam_pwquality</tt>) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
index 1048b7c143..3ba2a7049f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
@@ -7,9 +7,9 @@ description: |-
expiration that a warning will be issued to users,
edit the file <tt>/etc/login.defs</tt> and add or correct
the following line:
- <pre>PASS_WARN_AGE <sub idref="var_accounts_password_warn_age_login_defs" /></pre>
+ <pre>PASS_WARN_AGE {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}</pre>
The DoD requirement is 7.
- The profile requirement is <tt><sub idref="var_accounts_password_warn_age_login_defs" /></tt>.
+ The profile requirement is <tt>{{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}</tt>.
rationale: |-
Setting the password warning age enables users to
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 9a359b22c5..08f81100f4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs'
description: |-
To ensure the logon failure delay controlled by <tt>/etc/login.defs</tt> is set properly,
add or correct the <tt>FAIL_DELAY</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
- <pre>FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
+ <pre>FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>
rationale: |-
Increasing the time between a failed authentication attempt and re-prompting to
@@ -37,6 +37,6 @@ ocil: |-
<pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs</pre>
All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
<pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
- FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
+ FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>
platform: login_defs
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 3486578e66..2fc9427ce3 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -8,7 +8,7 @@ description: |-
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in <tt>/etc/security/limits.conf</tt> or
a file under <tt>/etc/security/limits.d/</tt>:
- <pre>* hard maxlogins <sub idref="var_accounts_max_concurrent_login_sessions" /></pre>
+ <pre>* hard maxlogins {{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}</pre>
rationale: |-
Limiting simultaneous user logins can insulate the system from denial of service
@@ -46,6 +46,6 @@ ocil: |-
configured for all users on the system:
<pre># grep "maxlogins" /etc/security/limits.conf</pre>
You should receive output similar to the following:
- <pre>*\t\thard\tmaxlogins\t<sub idref="var_accounts_max_concurrent_login_sessions" /></pre>
+ <pre>*\t\thard\tmaxlogins\t{{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}</pre>
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 6e21f653c7..eb64b12e51 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -8,7 +8,7 @@ description: |-
Setting the <tt>TMOUT</tt> option in <tt>/etc/profile</tt> ensures that
all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
setting in <tt>/etc/profile</tt> should read as follows:
- <pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
+ <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
rationale: |-
Terminating an idle session within a short time period reduces
@@ -48,4 +48,4 @@ ocil: |-
on the system:
<pre>$ sudo grep TMOUT /etc/profile</pre>
The output should return the following:
- <pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
+ <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 391a2bcc42..e9beb8f4bd 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -8,7 +8,7 @@ description: |-
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
as follows:
- <pre>umask <sub idref="var_accounts_user_umask" /></pre>
+ <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
rationale: |-
The umask value influences the permissions assigned to files when they are created.
@@ -44,5 +44,5 @@ ocil: |-
<pre># grep "umask" /etc/bashrc</pre>
All output must show the value of <tt>umask</tt> set as shown below:
<pre># grep "umask" /etc/bashrc
- umask <sub idref="var_accounts_user_umask" />
- umask <sub idref="var_accounts_user_umask" /></pre>
+ umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 5b8bc81ab3..347e881d5e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -7,7 +7,7 @@ title: 'Ensure the Default C Shell Umask is Set Correctly'
description: |-
To ensure the default umask for users of the C shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as follows:
- <pre>umask <sub idref="var_accounts_user_umask" /></pre>
+ <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
rationale: |-
The umask value influences the permissions assigned to files when they are created.
@@ -42,4 +42,4 @@ ocil: |-
<pre># grep "umask" /etc/csh.cshrc</pre>
All output must show the value of <tt>umask</tt> set as shown in the below:
<pre># grep "umask" /etc/csh.cshrc
- umask <sub idref="var_accounts_user_umask" /></pre>
+ umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index ecb2dfb1f1..088e9ce2a8 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in login.defs'
description: |-
To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set properly,
add or correct the <tt>UMASK</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
- <pre>UMASK <sub idref="var_accounts_user_umask" /></pre>
+ <pre>UMASK {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
rationale: |-
The umask value influences the permissions assigned to files when they are created.
@@ -42,6 +42,6 @@ ocil: |-
<pre># grep -i "UMASK" /etc/login.defs</pre>
All output must show the value of <tt>umask</tt> set as shown in the below:
<pre># grep -i "UMASK" /etc/login.defs
- umask <sub idref="var_accounts_user_umask" /></pre>
+ umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
platform: login_defs
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
index bf48d81899..43ab898b5d 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in /etc/profile'
description: |-
To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:
- <pre>umask <sub idref="var_accounts_user_umask" /></pre>
+ <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
rationale: |-
The umask value influences the permissions assigned to files when they are created.
@@ -42,4 +42,4 @@ ocil: |-
<pre># grep "umask" /etc/profile</pre>
All output must show the value of <tt>umask</tt> set as shown in the below:
<pre># grep "umask" /etc/profile
- umask <sub idref="var_accounts_user_umask" /></pre>
+ umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
index c317700e71..c19af71bb5 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
@@ -16,7 +16,7 @@ description: |-
</pre>
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
- <pre>remote_server = <i><sub idref="var_audispd_remote_server" /></i></pre>
+ <pre>remote_server = <i>{{{ xccdf_value("var_audispd_remote_server") }}}</i></pre>
rationale: |-
Information stored in one location is vulnerable to accidental or incidental
@@ -48,5 +48,5 @@ ocil: |-
<pre>$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf</pre>
{{% endif %}}
The output should return something similar to
- <pre>remote_server = <i><sub idref="var_audispd_remote_server" /></i></pre>
+ <pre>remote_server = <i>{{{ xccdf_value("var_audispd_remote_server") }}}</i></pre>
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
index a071e6dda5..66de6e73a5 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -7,7 +7,7 @@ description: |-
a designated account in certain situations. Add or correct the following line
in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified
via email for those situations:
- <pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre>
+ <pre>action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}</pre>
rationale: |-
Email sent to the root account is typically aliased to the
@@ -49,5 +49,5 @@ ocil: |-
Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
determine if the system is configured to send email to an
account when it needs to notify an administrator:
- <pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre>
+ <pre>action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}</pre>
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
index b4038d13bd..1db8b82dda 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
@@ -9,7 +9,7 @@ description: |-
synchronously write audit event data to disk. Add or correct the following
line in <tt>/etc/audit/auditd.conf</tt> to ensure that audit event data is
fully synchronized with the log files on the disk:
- <pre>flush = <sub idref="var_auditd_flush" /></pre>
+ <pre>flush = {{{ xccdf_value("var_auditd_flush") }}}</pre>
rationale: |-
Audit data should be synchronously written to disk to ensure
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
index 73107df695..1bdafa9215 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
@@ -6,7 +6,7 @@ description: |-
Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
<tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting
- the correct value of <sub idref="var_auditd_max_log_file" /> for <i>STOREMB</i>:
+ the correct value of {{{ xccdf_value("var_auditd_max_log_file") }}} for <i>STOREMB</i>:
<pre>max_log_file = <i>STOREMB</i></pre>
Set the value to <tt>6</tt> (MB) or higher for general-purpose systems.
Larger values, of course,
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
index 01bb0ad7a2..34e2a2b60f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
@@ -6,7 +6,7 @@ description: |-
Determine how many log files
<tt>auditd</tt> should retain when it rotates logs.
Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following
- line, substituting <i>NUMLOGS</i> with the correct value of <sub idref="var_auditd_num_logs" />:
+ line, substituting <i>NUMLOGS</i> with the correct value of {{{ xccdf_value("var_auditd_num_logs") }}}:
<pre>num_logs = <i>NUMLOGS</i></pre>
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
index 3331f5188a..74a87bb659 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate Group'
description: |-
The group-owner of all log files written by
- <tt>rsyslog</tt> should be <tt><sub idref="file_groupowner_logfiles_value" /></tt>.
+ <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
run the following command to inspect the file's group owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
- If the owner is not <tt><sub idref="file_groupowner_logfiles_value" /></tt>, run the following command to
+ If the owner is not <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>, run the following command to
correct this:
- <pre>$ sudo chgrp <sub idref="file_groupowner_logfiles_value" /> <i>LOGFILE</i></pre>
+ <pre>$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} <i>LOGFILE</i></pre>
rationale: |-
The log files generated by rsyslog contain valuable information regarding system
@@ -43,7 +43,7 @@ references:
ocil_clause: 'the group-owner is not correct'
ocil: |-
- The group-owner of all log files written by <tt>rsyslog</tt> should be <tt><sub idref="file_groupowner_logfiles_value" /></tt>.
+ The group-owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
To see the group-owner of a given log file, run the following command:
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
index a034c0a193..506b6457ca 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate User'
description: |-
The owner of all log files written by
- <tt>rsyslog</tt> should be <tt><sub idref="file_owner_logfiles_value" /></tt>.
+ <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
run the following command to inspect the file's owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
- If the owner is not <tt><sub idref="file_owner_logfiles_value" /></tt>, run the following command to
+ If the owner is not <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>, run the following command to
correct this:
- <pre>$ sudo chown <sub idref="file_owner_logfiles_value" /> <i>LOGFILE</i></pre>
+ <pre>$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} <i>LOGFILE</i></pre>
rationale: |-
The log files generated by rsyslog contain valuable information regarding system
@@ -43,7 +43,7 @@ references:
ocil_clause: 'the owner is not correct'
ocil: |-
- The owner of all log files written by <tt>rsyslog</tt> should be <tt><sub idref="file_owner_logfiles_value" /></tt>.
+ The owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
To see the owner of a given log file, run the following command:
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 642bf1ee0e..c27707569f 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -10,21 +10,21 @@ description: |-
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
- substituting <tt><i><sub idref="rsyslog_remote_loghost_address" /></i></tt> appropriately.
+ substituting <tt><i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></tt> appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
<br />
To use UDP for log message delivery:
- <pre>*.* @<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre>*.* @<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
<br />
To use TCP for log message delivery:
- <pre>*.* @@<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre>*.* @@<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
<br />
To use RELP for log message delivery:
- <pre>*.* :omrelp:<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre>*.* :omrelp:<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
<br />
- There must be a resolvable DNS CNAME or Alias record set to "<sub idref="rsyslog_remote_loghost_address" />" for logs to be sent correctly to the centralized logging utility.
+ There must be a resolvable DNS CNAME or Alias record set to "{{{ xccdf_value("rsyslog_remote_loghost_address") }}}" for logs to be sent correctly to the centralized logging utility.
rationale: |-
A log server (loghost) receives syslog messages from one or more
@@ -67,8 +67,8 @@ ocil: |-
To ensure logs are sent to a remote host, examine the file
<tt>/etc/rsyslog.conf</tt>.
If using UDP, a line similar to the following should be present:
- <pre> *.* @<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre> *.* @<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
If using TCP, a line similar to the following should be present:
- <pre> *.* @@<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre> *.* @@<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
If using RELP, a line similar to the following should be present:
- <pre> *.* :omrelp:<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
+ <pre> *.* :omrelp:<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
index 7e96bbd35d..e68faf00ca 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
@@ -15,7 +15,7 @@ description: |-
Set the system to implement rate-limiting measures by adding the following line to
<tt>/etc/sysctl.conf</tt> or a configuration file in the <tt>/etc/sysctl.d/</tt> directory
(or modify the line to have the required value):
- <pre>net.ipv4.tcp_invalid_ratelimit = <sub idref="sysctl_net_ipv4_tcp_invalid_ratelimit_value" /></pre>
+ <pre>net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}</pre>
Issue the following command to make the changes take effect:
<pre># sysctl --system</pre>
@@ -51,7 +51,7 @@ ocil: |-
on impacted network interfaces, run the following command:
<pre># grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*</pre>
The command should output the following line:
- <pre>/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = <sub idref="sysctl_net_ipv4_tcp_invalid_ratelimit_value" /></pre>
+ <pre>/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}</pre>
The file where the line has been found can differ, but it must be either <tt>/etc/sysctl.conf</tt>
or a file located under the <tt>/etc/sysctl.d/</tt> directory.
diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
index a14fc555af..64c6c3668d 100644
--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
@@ -11,7 +11,7 @@ description: |-
a umask of <tt>077</tt> in their own init scripts. By default, the umask of
<tt>022</tt> is set which prevents creation of group- or world-writable files.
To set the umask for daemons expected by the profile, edit the following line:
- <pre>umask <i><sub idref="var_umask_for_daemons" /></i></pre>
+ <pre>umask <i>{{{ xccdf_value("var_umask_for_daemons") }}}</i></pre>
rationale: |-
The umask influences the permissions assigned to files created by a
@@ -40,7 +40,7 @@ ocil_clause: 'it does not'
ocil: |-
To check the value of the <tt>umask</tt>, run the following command:
<pre>$ grep umask /etc/init.d/functions</pre>
- The output should show <tt><sub idref="var_umask_for_daemons" /></tt>.
+ The output should show <tt>{{{ xccdf_value("var_umask_for_daemons") }}}</tt>.
warnings:
- functionality: |-
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index bbc6b3a992..d861f5f9e2 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -9,7 +9,7 @@ description: |-
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in <tt>/etc/selinux/config</tt>:
- <pre>SELINUXTYPE=<sub idref="var_selinux_policy_name" /></pre>
+ <pre>SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}</pre>
Other policies, such as <tt>mls</tt>, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
@@ -23,7 +23,7 @@ rationale: |-
temporarily place non-production systems in <tt>permissive</tt> mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
- <tt><sub idref="var_selinux_policy_name" /></tt>.
+ <tt>{{{ xccdf_value("var_selinux_policy_name") }}}</tt>.
severity: high
@@ -57,4 +57,4 @@ ocil_clause: 'it does not'
ocil: |-
Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
- <pre>SELINUXTYPE=<sub idref="var_selinux_policy_name" /></pre>
+ <pre>SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}</pre>
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index 2c90aadbd1..66c5fd65f8 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -5,10 +5,10 @@ prodtype: fedora,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019
title: 'Ensure SELinux State is Enforcing'
description: |-
- The SELinux state should be set to <tt><sub idref="var_selinux_state" /></tt> at
+ The SELinux state should be set to <tt>{{{ xccdf_value("var_selinux_state") }}}</tt> at
system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the
following line to configure the system to boot into enforcing mode:
- <pre>SELINUX=<sub idref="var_selinux_state" /></pre>
+ <pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
rationale: |-
Setting the SELinux state to enforcing ensures SELinux is able to confine
@@ -49,4 +49,4 @@ ocil_clause: 'SELINUX is not set to enforcing'
ocil: |-
Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
- <pre>SELINUX=<sub idref="var_selinux_state" /></pre>
+ <pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
index d2feba00b4..bec17bc68b 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
@@ -54,7 +54,7 @@ ocil_clause: 'idle-delay is not equal to or less than the expected value'
ocil: |-
To check the current idle time-out value, run the following command:
<pre>$ gsettings get org.gnome.desktop.session idle-delay</pre>
- If properly configured, the output should be <tt>'uint32 <sub idref="inactivity_timeout_value" />'</tt>.
+ If properly configured, the output should be <tt>'uint32 {{{ xccdf_value("inactivity_timeout_value") }}}'</tt>.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
<pre>$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <tt>/org/gnome/desktop/session/idle-delay</tt>
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index c0a8de72c9..d8a596554c 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -6,10 +6,10 @@ title: 'Set GNOME3 Screensaver Lock Delay After Activation Period'
description: |-
To activate the locking delay of the screensaver in the GNOME3 desktop when
- the screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 <sub idref="var_screensaver_lock_delay" /></tt> in
+ the screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}</tt> in
<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
<pre>[org/gnome/desktop/screensaver]
- lock-delay=uint32 <sub idref="var_screensaver_lock_delay" />
+ lock-delay=uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}
</pre>
Once the setting has been added, add a lock to
<tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
@@ -48,7 +48,7 @@ ocil_clause: 'the screensaver lock delay is missing, or is set to a value greate
ocil: |-
To check that the screen locks immediately when activated, run the following command:
<pre>$ gsettings get org.gnome.desktop.screensaver lock-delay</pre>
- If properly configured, the output should be <tt>'uint32 <sub idref="var_screensaver_lock_delay" />'</tt>.
+ If properly configured, the output should be <tt>'uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}'</tt>.
<br /><br />
To ensure that users cannot change how long until the the screensaver locks, run the following:
<pre>$ grep lock-delay /etc/dconf/db/local.d/locks/*</pre>
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
index 34eb02abf7..5525337fc6 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
@@ -4,12 +4,12 @@ title: 'Set GNOME Login Inactivity Timeout'
description: |-
Run the following command to set the idle time-out value for
- inactivity in the GNOME desktop to <sub idref="inactivity_timeout_value" /> minutes:
+ inactivity in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
<pre>$ sudo gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
- --set /desktop/gnome/session/idle_delay <sub idref="inactivity_timeout_value" /></pre>
+ --set /desktop/gnome/session/idle_delay {{{ xccdf_value("inactivity_timeout_value") }}}</pre>
rationale: |-
Setting the idle delay controls when the
@@ -39,4 +39,4 @@ ocil_clause: 'it is not'
ocil: |-
To check the current idle time-out value, run the following command:
<pre>$ gconftool-2 -g /desktop/gnome/session/idle_delay</pre>
- If properly configured, the output should be <tt><sub idref="inactivity_timeout_value" /></tt>.
+ If properly configured, the output should be <tt>{{{ xccdf_value("inactivity_timeout_value") }}}</tt>.
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
index 99eaf236f7..17fffec0ed 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
@@ -4,12 +4,12 @@ title: 'Set GNOME Login Maximum Allowed Inactivity'
description: |-
Run the following command to set the maximum allowed period of inactivity for an
- inactive user in the GNOME desktop to <sub idref="inactivity_timeout_value" /> minutes:
+ inactive user in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
<pre>$ sudo gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
- --set /desktop/gnome/session/max_idle_time <sub idref="inactivity_timeout_value" /></pre>
+ --set /desktop/gnome/session/max_idle_time {{{ xccdf_value("inactivity_timeout_value") }}}</pre>
rationale: |-
Terminating an idle session within a short time period reduces the window of
@@ -23,4 +23,4 @@ ocil_clause: 'it is not'
ocil: |-
To check the current idle time-out value, run the following command:
<pre>$ gconftool-2 -g /desktop/gnome/session/max_idle_time</pre>
- If properly configured, the output should be <tt><sub idref="idle_timeout_value" /></tt>.
+ If properly configured, the output should be <tt>{{{ xccdf_value("idle_timeout_value") }}}</tt>.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 0f9a919b16..243f079cc3 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -5,9 +5,9 @@ prodtype: fedora,rhcos4,ol8,rhel8,rhv4
title: 'Configure System Cryptography Policy'
description: |-
- To configure the system cryptography policy to use ciphers only from the <tt><sub idref="var_system_crypto_policy" /></tt>
+ To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
policy, run the following command:
- <pre>$ sudo update-crypto-policies --set <sub idref="var_system_crypto_policy" /></pre>
+ <pre>$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
@@ -34,7 +34,7 @@ ocil: |-
To verify that cryptography policy has been configured correctly, run the
following command:
<pre>$ update-crypto-policies --show</pre>
- The output should return <pre><sub idref="var_system_crypto_policy" /></pre>.
+ The output should return <pre>{{{ xccdf_value("var_system_crypto_policy") }}}</pre>.
Run the command to check if the policy is correctly applied:
<pre>$ update-crypto-policies --is-applied</pre>
The output should be <pre>The configured policy is applied</pre>.
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 89725a33c3..735a68b264 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -9,7 +9,7 @@ description: |-
the session key is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
- <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+ <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
the <tt>include</tt> directive in the main config file
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
@@ -37,8 +37,8 @@ ocil: |-
To check if RekeyLimit is set correctly, run the following command: <pre>$
sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
- RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
- sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
+ RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}}
+ {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
main configuration file with the following command: <pre>sudo grep
RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
output.
diff --git a/shared/macros.jinja b/shared/macros.jinja
index c3bfcaff2f..e670423a9e 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -5,7 +5,7 @@ ocil_clause: "the required value is not set"
{{% macro openshift_cluster_setting(endpoint) -%}}
This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retreive the <code class="ocp-api-endpoint">{{{ endpoint }}}</code> API endpoint to the local <code class="ocp-dump-location">{{{ sub_var_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}}</code> file.
+Therefore, you need to use a tool that can query the OCP API, retreive the <code class="ocp-api-endpoint">{{{ endpoint }}}</code> API endpoint to the local <code class="ocp-dump-location">{{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}}</code> file.
{{%- endmacro %}}
@@ -42,6 +42,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is
{{% macro sub_var_value(varname) -%}}
+{{{ xccdf_value(varname) }}}
+{{%- endmacro %}}
+
+
+{{% macro xccdf_value(varname) -%}}
<sub idref="{{{ varname }}}" />
{{%- endmacro %}}
From b3d3c2619b44e391f96a1741ac3f116cf6e1b6c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 4 Sep 2020 12:21:18 +0200
Subject: [PATCH 2/3] Replaced XCCDF value instantiation in Bash by a macro
call.
The former populate ... mechanism is not Bash, it is a special trick perforemd by our build system.
This trick is confusing, its support in the build system is implemented as a complex code, and
it doesnt support multiple values per remediation intuitively.
This makes the build system involvement explicit, and it opens possibilities to perform implementation
changes without breaking backward compatibility.
---
.../postfix_client_configure_mail_alias/bash/shared.sh | 2 +-
.../services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 2 +-
.../ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh | 2 +-
.../ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh | 2 +-
.../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_disable_compression/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh | 2 +-
.../services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh | 2 +-
.../ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh | 2 +-
.../sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh | 1 -
.../guide/services/sssd/sssd_memcache_timeout/bash/shared.sh | 2 +-
.../services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh | 2 +-
.../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +-
.../accounts/accounts-banners/banner_etc_motd/bash/shared.sh | 2 +-
.../dconf_gnome_login_banner_text/bash/shared.sh | 2 +-
.../gconf_gdm_set_login_banner_text/bash/rhel6.sh | 2 +-
.../accounts_password_pam_unix_remember/bash/shared.sh | 2 +-
.../accounts_passwords_pam_faillock_deny/bash/shared.sh | 2 +-
.../accounts_passwords_pam_faillock_interval/bash/shared.sh | 2 +-
.../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh | 2 +-
.../accounts_password_pam_retry/bash/shared.sh | 2 +-
.../configure_opensc_card_drivers/bash/shared.sh | 2 +-
.../smart_card_login/force_opensc_card_drivers/bash/shared.sh | 2 +-
.../account_disable_post_pw_expiration/bash/shared.sh | 2 +-
.../accounts_maximum_age_login_defs/bash/shared.sh | 2 +-
.../accounts_minimum_age_login_defs/bash/fedora.sh | 2 +-
.../accounts_minimum_age_login_defs/bash/rhel6.sh | 2 +-
.../accounts_minimum_age_login_defs/bash/shared.sh | 2 +-
.../accounts_password_minlen_login_defs/bash/shared.sh | 2 +-
.../accounts_password_warn_age_login_defs/bash/fedora.sh | 2 +-
.../accounts_password_warn_age_login_defs/bash/rhel6.sh | 2 +-
.../accounts_password_warn_age_login_defs/bash/shared.sh | 2 +-
.../accounts_password_warn_age_login_defs/bash/wrlinux.sh | 2 +-
.../accounts-session/accounts_logon_fail_delay/bash/shared.sh | 2 +-
.../accounts_max_concurrent_login_sessions/bash/shared.sh | 2 +-
.../accounts/accounts-session/accounts_tmout/bash/shared.sh | 2 +-
.../user_umask/accounts_umask_etc_bashrc/bash/shared.sh | 2 +-
.../user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh | 2 +-
.../user_umask/accounts_umask_etc_login_defs/bash/shared.sh | 2 +-
.../user_umask/accounts_umask_etc_profile/bash/shared.sh | 2 +-
.../auditd_audispd_configure_remote_server/bash/shared.sh | 2 +-
.../auditd_data_disk_error_action/bash/shared.sh | 2 +-
.../auditd_data_disk_full_action/bash/shared.sh | 2 +-
.../auditd_data_retention_action_mail_acct/bash/shared.sh | 2 +-
.../bash/shared.sh | 2 +-
.../auditd_data_retention_flush/bash/shared.sh | 2 +-
.../auditd_data_retention_max_log_file/bash/shared.sh | 2 +-
.../auditd_data_retention_max_log_file_action/bash/shared.sh | 2 +-
.../auditd_data_retention_num_logs/bash/shared.sh | 2 +-
.../auditd_data_retention_space_left/bash/shared.sh | 2 +-
.../auditd_data_retention_space_left_action/bash/shared.sh | 2 +-
.../rsyslog_remote_loghost/bash/shared.sh | 2 +-
.../configure_firewalld_ports/bash/shared.sh | 2 +-
.../restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh | 2 +-
.../restrictions/daemon_umask/umask_for_daemons/bash/shared.sh | 2 +-
linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh | 2 +-
linux_os/guide/system/selinux/selinux_state/bash/shared.sh | 2 +-
.../dconf_gnome_screensaver_idle_delay/bash/shared.sh | 2 +-
.../dconf_gnome_screensaver_lock_delay/bash/shared.sh | 2 +-
.../gconf_gnome_screensaver_idle_delay/bash/rhel6.sh | 2 +-
.../integrity/crypto/configure_crypto_policy/bash/shared.sh | 2 +-
.../sap_host/accounts_authorized_local_users/bash/shared.sh | 2 +-
.../bash/shared.sh | 2 +-
shared/templates/template_BASH_accounts_password | 2 +-
.../templates/template_BASH_mount_option_removable_partitions | 2 +-
shared/templates/template_BASH_sebool | 2 +-
shared/templates/template_BASH_sysctl | 2 +-
71 files changed, 70 insertions(+), 71 deletions(-)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
index 12f7b5d693..5324e1c382 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_sle
. /usr/share/scap-security-guide/remediation_functions
-populate var_postfix_root_mail_alias
+{{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '@CCENUM@' '%s: %s'
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
index 56db8f5d17..b23deffb09 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_time_service_set_maxpoll
+{{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}}
config_file="/etc/ntp.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
index 2297f4fb5a..9add69d367 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
index c11c443785..0a3f63640c 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
index e566219788..571a339d48 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_all
. /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
index 396445b908..408c97d45a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_disable_compression
+{{{ bash_instantiate_variables("var_sshd_disable_compression") }}}
replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
index 06dfd3492a..0ff698a54c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
. /usr/share/scap-security-guide/remediation_functions
-populate sshd_idle_timeout_value
+{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}}
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
index cbfb0f367e..f0be6ea6ce 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_set_keepalive
+{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
{{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
index eebe07158c..2451c164cb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate sshd_max_auth_tries_value
+{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}}
{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
index fc0a1d8b42..2fecde6a96 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -7,6 +7,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_max_sessions
+{{{ bash_instantiate_variables("var_sshd_max_sessions") }}}
{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
index 6d3bb06047..5facd9aa14 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate sshd_approved_ciphers
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
index 2972022b52..ec475c186d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate sshd_approved_macs
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
index bf702ac80c..62180a1f83 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
@@ -6,6 +6,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_priv_separation
+{{{ bash_instantiate_variables("var_sshd_priv_separation") }}}
{{{ bash_sshd_config_set(parameter="UsePrivilegeSeparation", value="$var_sshd_priv_separation") }}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
index f390b7be88..8bc689dae9 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
@@ -3,7 +3,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sssd_memcache_timeout
+{{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}}
SSSD_CONF="/etc/sssd/sssd.conf"
MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
index 4d1a14efdf..e957d1c689 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
@@ -3,7 +3,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sssd_ssh_known_hosts_timeout
+{{{ bash_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
SSSD_CONF="/etc/sssd/sssd.conf"
SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 30449d5e9d..f6d5f1603b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
index d731063b5a..4a3844a7eb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 85ddd893c6..0f60c14e36 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
index d24dacb81c..15a5d79ebf 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index 1456d0f371..e0dabe67e0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate var_password_pam_unix_remember
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
index 58ea0f37af..3157d341cb 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_deny
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
{{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
index b03dd30d13..87310288c1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
@@ -3,6 +3,6 @@
# include our remediation functions library
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_fail_interval
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
{{{ bash_set_faillock_option("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
index daaab487f6..7e36721d5f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_unlock_time
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
{{{ bash_set_faillock_option("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
index a4e1c47a89..f69152b225 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_password_pam_retry
+{{{ bash_instantiate_variables("var_password_pam_retry") }}}
if grep -q "retry=" /etc/pam.d/system-auth ; then
sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
index 5a63a4258d..4e80be4faf 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
@@ -5,7 +5,7 @@
# disruption = low
. /usr/share/scap-security-guide/remediation_functions
-populate var_smartcard_drivers
+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
OPENSC_TOOL="/usr/bin/opensc-tool"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
index 421ec55598..7c763a8778 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
@@ -5,7 +5,7 @@
# disruption = low
. /usr/share/scap-security-guide/remediation_functions
-populate var_smartcard_drivers
+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
OPENSC_TOOL="/usr/bin/opensc-tool"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
index 299a519e24..c8c2a90e4c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate var_account_disable_post_pw_expiration
+{{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}}
replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '@CCENUM@' '%s=%s'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
index 9c61548d3a..135eb49d78 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_maximum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
index ad2d515949..b9c6aade42 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
@@ -1,7 +1,7 @@
# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions
declare var_accounts_minimum_age_login_defs
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
index 4221a32e15..8e28c756bf 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
index 403a40ccb2..870b5b1c7c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
index 688cf2d04f..eb4121394c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
@@ -1,7 +1,7 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
declare var_accounts_password_minlen_login_defs
-populate var_accounts_password_minlen_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
index 8289cbffd8..98a6381af4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
@@ -1,7 +1,7 @@
# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions
declare var_accounts_password_warn_age_login_defs
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
index 155a12d534..922158064b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
index eaf461d0cd..800eecc802 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
index 8f3524312c..fed1c7bafa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
@@ -1,7 +1,7 @@
# platform = multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
declare var_accounts_password_warn_age_login_defs
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
index 2a06038be4..a8a77c12b8 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
@@ -4,6 +4,6 @@
. /usr/share/scap-security-guide/remediation_functions
# Set variables
-populate var_accounts_fail_delay
+{{{ bash_instantiate_variables("var_accounts_fail_delay") }}}
replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
index 0d2f103b31..65066e77ce 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_max_concurrent_login_sessions
+{{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
index 93c34fb59f..31b2872628 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_tmout
+{{{ bash_instantiate_variables("var_accounts_tmout") }}}
if grep --silent ^TMOUT /etc/profile ; then
sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
index c707ec31c7..a83016964e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_user_umask
+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
grep -q umask /etc/bashrc && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
index 0289a93c96..716dede405 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_user_umask
+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
grep -q umask /etc/csh.cshrc && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
index 0fcc273705..f74cbfe5af 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_user_umask
+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
index 198cba5772..12acd6e90f 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_user_umask
+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
grep -q umask /etc/profile && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
index 517f384f22..0e3d32fd36 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_audispd_remote_server
+{{{ bash_instantiate_variables("var_audispd_remote_server") }}}
{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
AUDITCONFIG=/etc/audit/audisp-remote.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
index 6b953f8d96..2b17ddd89b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_disk_error_action
+{{{ bash_instantiate_variables("var_auditd_disk_error_action") }}}
#
# If disk_error_action present in /etc/audit/auditd.conf, change value
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
index 3092d92076..adc4c21e5f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
@@ -3,6 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_disk_full_action
+{{{ bash_instantiate_variables("var_auditd_disk_full_action") }}}
replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "@CCENUM@"
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
index b81a26fef3..ab056b0e54 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_action_mail_acct
+{{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
index c9435c91ec..0c23a906ea 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
@@ -1,7 +1,7 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_admin_space_left_action
+{{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
index 17dea67b36..efe151c683 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_flush
+{{{ bash_instantiate_variables("var_auditd_flush") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
index d1e044e5b6..9f40589027 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_max_log_file
+{{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
index 1b51d54b5d..42f987dde4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_max_log_file_action
+{{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
index 6d671e1b8d..797c28a0f8 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_all
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_num_logs
+{{{ bash_instantiate_variables("var_auditd_num_logs") }}}
AUDITCONFIG=/etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
index 8dc69e8313..77e622c1ac 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_space_left
+{{{ bash_instantiate_variables("var_auditd_space_left") }}}
grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
index e5f45efcf2..1d2b211cdf 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
-populate var_auditd_space_left_action
+{{{ bash_instantiate_variables("var_auditd_space_left_action") }}}
#
# If space_left_action present in /etc/audit/auditd.conf, change value
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
index 2557815651..836f0af279 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
@@ -2,6 +2,6 @@
. /usr/share/scap-security-guide/remediation_functions
-populate rsyslog_remote_loghost_address
+{{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}}
replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
index fcf387e592..0a698d3c9f 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
@@ -8,7 +8,7 @@
{{{ bash_package_install("firewalld") }}}
-populate firewalld_sshd_zone
+{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
# This assumes that firewalld_sshd_zone is one of the pre-defined zones
if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then
diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
index 947872bb21..1a15167ab0 100644
--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
-populate var_umask_for_daemons
+{{{ bash_instantiate_variables("var_umask_for_daemons") }}}
grep -q ^umask /etc/init.d/functions && \
sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
index 175e10c24c..f689f4b2a1 100644
--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
. /usr/share/scap-security-guide/remediation_functions
-populate var_umask_for_daemons
+{{{ bash_instantiate_variables("var_umask_for_daemons") }}}
grep -q ^umask /etc/init.d/functions && \
sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index b4f79c97f9..d84c8acc3f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -7,6 +7,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_selinux_policy_name
+{{{ bash_instantiate_variables("var_selinux_policy_name") }}}
{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 645a7acab4..ad53e52aac 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -7,7 +7,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_selinux_state
+{{{ bash_instantiate_variables("var_selinux_state") }}}
{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
index ef8af07aa0..ab0462e53f 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate inactivity_timeout_value
+{{{ bash_instantiate_variables("inactivity_timeout_value") }}}
{{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
index 124c14737e..5c37b1d913 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_screensaver_lock_delay
+{{{ bash_instantiate_variables("var_screensaver_lock_delay") }}}
{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", "local.d", "00-security-settings") }}}
{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
index e1947f3df0..77b8a647ca 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
@@ -1,6 +1,6 @@
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
-populate inactivity_timeout_value
+{{{ bash_instantiate_variables("inactivity_timeout_value") }}}
# Install GConf2 package if not installed
if ! rpm -q GConf2; then
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
index fb3ed9fe76..d37f1263d2 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
@@ -3,7 +3,7 @@
# include remediation functions library
. /usr/share/scap-security-guide/remediation_functions
-populate var_system_crypto_policy
+{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
index 80193ae1e5..c342acf36d 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_authorized_local_users_regex
+{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}}
# never delete the root user
default_os_user="root"
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
index c361e4c766..9d444d297d 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_ol
. /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_authorized_local_users_regex
+{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}}
# never delete the root user
default_os_user="root"
diff --git a/shared/templates/template_BASH_accounts_password b/shared/templates/template_BASH_accounts_password
index 688185365c..2de2652881 100644
--- a/shared/templates/template_BASH_accounts_password
+++ b/shared/templates/template_BASH_accounts_password
@@ -4,7 +4,7 @@
# complexity = low
# disruption = low
. /usr/share/scap-security-guide/remediation_functions
-populate var_password_pam_{{{ VARIABLE }}}
+{{{ bash_instantiate_variables("var_password_pam_" + VARIABLE) }}}
{{% if product == "rhel6" %}}
{{# There is no package libpwquality for RHEL6 #}}
diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions
index 5293bffc1a..5b0e8161c6 100644
--- a/shared/templates/template_BASH_mount_option_removable_partitions
+++ b/shared/templates/template_BASH_mount_option_removable_partitions
@@ -4,7 +4,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_removable_partition
+{{{ bash_instantiate_variables("var_removable_partition") }}}
device_regex="^\s*$var_removable_partition\s\+"
mount_option="{{{ MOUNTOPTION }}}"
diff --git a/shared/templates/template_BASH_sebool b/shared/templates/template_BASH_sebool
index 96b71ba726..e9aab9d981 100644
--- a/shared/templates/template_BASH_sebool
+++ b/shared/templates/template_BASH_sebool
@@ -9,7 +9,7 @@
{{% if SEBOOL_BOOL %}}
setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
{{% else %}}
-populate var_{{{ SEBOOLID }}}
+{{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
{{% endif %}}
diff --git a/shared/templates/template_BASH_sysctl b/shared/templates/template_BASH_sysctl
index 4ee57967dc..a87d63d038 100644
--- a/shared/templates/template_BASH_sysctl
+++ b/shared/templates/template_BASH_sysctl
@@ -5,7 +5,7 @@
# disruption = medium
. /usr/share/scap-security-guide/remediation_functions
{{%- if SYSCTLVAL == "" %}}
-populate sysctl_{{{ SYSCTLID }}}_value
+{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
#
# Set runtime for {{{ SYSCTLVAR }}}
From 359c54f7b59ad70a9ce9a1053a28ee91ec4a6fa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 4 Sep 2020 12:30:45 +0200
Subject: [PATCH 3/3] Replaced XCCDF value instantiation in Ansible by a macro
call.
The former - (xccdf-var ...) mechanism is not Ansible, and jinja is well-established
in our project as an interface between user input and final content.
---
.../postfix_network_listening_disabled/ansible/shared.yml | 2 +-
.../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +-
.../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml | 2 +-
.../ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml | 2 +-
.../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 2 +-
.../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 2 +-
.../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +-
.../accounts-banners/banner_etc_motd/ansible/shared.yml | 2 +-
.../dconf_gnome_login_banner_text/ansible/shared.yml | 2 +-
.../accounts_password_pam_unix_remember/ansible/shared.yml | 2 +-
.../accounts_passwords_pam_faillock_deny/ansible/shared.yml | 2 +-
.../accounts_passwords_pam_faillock_interval/ansible/shared.yml | 2 +-
.../ansible/shared.yml | 2 +-
.../accounts_password_pam_retry/ansible/shared.yml | 2 +-
.../configure_opensc_card_drivers/ansible/shared.yml | 2 +-
.../force_opensc_card_drivers/ansible/shared.yml | 2 +-
.../account_disable_post_pw_expiration/ansible/shared.yml | 2 +-
.../accounts_maximum_age_login_defs/ansible/shared.yml | 2 +-
.../accounts_minimum_age_login_defs/ansible/shared.yml | 2 +-
.../accounts_password_minlen_login_defs/ansible/shared.yml | 2 +-
.../accounts_password_warn_age_login_defs/ansible/shared.yml | 2 +-
.../accounts_logon_fail_delay/ansible/shared.yml | 2 +-
.../accounts/accounts-session/accounts_tmout/ansible/shared.yml | 2 +-
.../user_umask/accounts_umask_etc_bashrc/ansible/shared.yml | 2 +-
.../user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml | 2 +-
.../user_umask/accounts_umask_etc_login_defs/ansible/shared.yml | 2 +-
.../user_umask/accounts_umask_etc_profile/ansible/shared.yml | 2 +-
.../auditd_audispd_configure_remote_server/ansible/shared.yml | 2 +-
.../auditd_data_disk_error_action/ansible/shared.yml | 2 +-
.../auditd_data_disk_full_action/ansible/shared.yml | 2 +-
.../auditd_data_retention_action_mail_acct/ansible/shared.yml | 2 +-
.../ansible/shared.yml | 2 +-
.../auditd_data_retention_flush/ansible/shared.yml | 2 +-
.../auditd_data_retention_max_log_file/ansible/shared.yml | 2 +-
.../ansible/shared.yml | 2 +-
.../auditd_data_retention_num_logs/ansible/shared.yml | 2 +-
.../auditd_data_retention_space_left/ansible/shared.yml | 2 +-
.../auditd_data_retention_space_left_action/ansible/shared.yml | 2 +-
.../rsyslog_remote_loghost/ansible/shared.yml | 2 +-
.../dconf_gnome_screensaver_idle_delay/ansible/shared.yml | 2 +-
.../integrity/crypto/configure_crypto_policy/ansible/shared.yml | 2 +-
.../template_ANSIBLE_mount_option_removable_partitions | 2 +-
47 files changed, 47 insertions(+), 47 deletions(-)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
index f3d2af7614..e1c9d00d20 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_postfix_inet_interfaces)
+{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}}
- name: "Gather list of packages"
package_facts:
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
index 0c812bdc2a..37cc359263 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = low
-- (xccdf-var var_multiple_time_servers)
+{{{ ansible_instantiate_variables("var_multiple_time_servers") }}}
- name: "Detect if chrony is already configured with pools or servers"
find:
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
index 3985d03542..2553a4d2e5 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
@@ -11,7 +11,7 @@
with_items:
- firewalld
-- (xccdf-var sshd_listening_port)
+{{{ ansible_instantiate_variables("sshd_listening_port") }}}
- name: Enable SSHD in firewalld (custom port)
firewalld:
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
index affc65e2f5..2fdc9a2f22 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var sshd_idle_timeout_value)
+{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}}
{{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
index 52600fd46e..9ce28bafc7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_sshd_set_keepalive)
+{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}}
{{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
index 28f3ef0cd2..16e3130240 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var sshd_max_auth_tries_value)
+{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}}
{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
index 6612c6a485..3f8b6f6013 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = configure
# complexity = low
# disruption = low
-- (xccdf-var var_sshd_max_sessions)
+{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}}
{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
index 1ec8f045e8..89ac2df9db 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var sshd_approved_ciphers)
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
index 1a09a3197c..1a9b6990e9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var sshd_approved_macs)
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
{{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_approved_macs }}") }}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index a2213508a1..dd89d1f443 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var var_sssd_memcache_timeout)
+{{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}}
- name: "Test for domain group"
command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index ea487c60b3..5bbe0ecef8 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var var_sssd_ssh_known_hosts_timeout)
+{{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
- name: "Test for domain group"
command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 21f0925268..f3a0c85ea5 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
- name: "{{{ rule_title }}} - remove incorrect banner"
file:
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
index dfc1c519b7..15eb3cc1cb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
- name: "{{{ rule_title }}} - remove incorrect banner"
file:
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
index 40cce05fbc..993916287c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
- name: "{{{ rule_title }}}"
file:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
index 4198e524e8..75787c429d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = medium
-- (xccdf-var var_password_pam_unix_remember)
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
- name: "Do not allow users to reuse recent passwords - system-auth (change)"
replace:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
index d2b08c0e14..0622ae769c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_deny)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
- name: Add auth pam_faillock preauth deny before pam_unix.so
pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
index 7961a9eb54..96adcef63d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
- name: Add auth pam_faillock preauth fail_interval before pam_unix.so
pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
index 9b49e56ba8..db44ce4f63 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
index 6795f08939..ab351a26e5 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = medium
-- (xccdf-var var_password_pam_retry)
+{{{ ansible_instantiate_variables("var_password_pam_retry") }}}
- name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)"
replace:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
index 904d62c517..376027543b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = low
-- (xccdf-var var_smartcard_drivers)
+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
- name: Check existence of opensc conf
stat:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
index 13058a7ad6..f05423c0cb 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = low
-- (xccdf-var var_smartcard_drivers)
+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
- name: Check existence of opensc conf
stat:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
index fe4826baed..11a6bc5467 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_account_disable_post_pw_expiration)
+{{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}}
- name: Set Account Expiration Following Inactivity
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
index 452ff3bb41..a85f9fc6fa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_maximum_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
- name: Set Password Maximum Age
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
index 5c94bc8028..e394f26d7a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_minimum_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
- name: Set Password Minimum Age
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
index 247aee3bff..eee37bda68 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_password_minlen_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
- name: "Set Password Minimum Length in login.defs"
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
index b5eb75ecf9..1091f8c854 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_password_warn_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- name: "Set Password Warning Age"
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
index d3e4742c79..0b45abb25d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# reboot = true
-- (xccdf-var var_accounts_fail_delay)
+{{{ ansible_instantiate_variables("var_accounts_fail_delay") }}}
- name: Set accounts logon fail delay
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
index d17154b57e..2c3049006d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
@@ -3,6 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_tmout)
+{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
{{{ ansible_etc_profile_set(parameter='TMOUT', value='{{ var_accounts_tmout }}') }}}
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
index 43e03834a4..0255963a14 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- name: Set user umask in /etc/bashrc
replace:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
index 7c6b465f83..fa956cff6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- name: Set user umask in /etc/csh.cshrc
replace:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
index 449364f304..309b68a58f 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- name: Ensure the Default UMASK is Set Correctly
lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
index 1b7d188c9e..fe12edac8b 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- name: Set user umask in /etc/profile
replace:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
index 3296b9deb2..b3f245c998 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = low
-- (xccdf-var var_audispd_remote_server)
+{{{ ansible_instantiate_variables("var_audispd_remote_server") }}}
{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
{{% set audisp_config_file_path = "/etc/audit/audisp-remote.conf" %}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
index beba66af07..06f4a10c6f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_disk_error_action)
+{{{ ansible_instantiate_variables("var_auditd_disk_error_action") }}}
- name: Configure auditd Disk Error Action on Disk Error
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
index 2b72085912..60b1e912ce 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_disk_full_action)
+{{{ ansible_instantiate_variables("var_auditd_disk_full_action") }}}
- name: Configure auditd Disk Full Action when Disk Space Is Full
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
index 6a6d0ce4a4..48fe7aced4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_action_mail_acct)
+{{{ ansible_instantiate_variables("var_auditd_action_mail_acct") }}}
- name: Configure auditd mail_acct Action on Low Disk Space
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
index ff63a15de8..93d076fa6f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_admin_space_left_action)
+{{{ ansible_instantiate_variables("var_auditd_admin_space_left_action") }}}
- name: Configure auditd admin_space_left Action on Low Disk Space
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
index 4a5f45c14b..f909e5ec22 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_flush)
+{{{ ansible_instantiate_variables("var_auditd_flush") }}}
- name: Configure auditd Flush Priority
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
index d497d27e20..65c77aa3cd 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_max_log_file)
+{{{ ansible_instantiate_variables("var_auditd_max_log_file") }}}
- name: Configure auditd Max Log File Size
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
index 48df854986..595959e029 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_max_log_file_action)
+{{{ ansible_instantiate_variables("var_auditd_max_log_file_action") }}}
- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
index 8dfa5ce0cd..6fe9e0145e 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_num_logs)
+{{{ ansible_instantiate_variables("var_auditd_num_logs") }}}
- name: Configure auditd Number of Logs Retained
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
index f4af7a6aa9..6db7ffbd34 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_space_left)
+{{{ ansible_instantiate_variables("var_auditd_space_left") }}}
- name: Configure auditd space_left on Low Disk Space
lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
index 5b4a101a1c..04062e34a6 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_auditd_space_left_action)
+{{{ ansible_instantiate_variables("var_auditd_space_left_action") }}}
- name: Configure auditd space_left Action on Low Disk Space
lineinfile:
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
index 316171df9b..407e1be3ab 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var rsyslog_remote_loghost_address)
+{{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}}
- name: "Set rsyslog remote loghost"
lineinfile:
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
index e8a802d48c..81270d1adb 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var inactivity_timeout_value)
+{{{ ansible_instantiate_variables("inactivity_timeout_value") }}}
- name: "Set GNOME3 Screensaver Inactivity Timeout"
ini_file:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
index 9d3f9c0c65..09b6dbc855 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_system_crypto_policy)
+{{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
- name: "{{{ rule_title }}}"
lineinfile:
diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
index 374499261d..346f5fe3de 100644
--- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions
+++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
@@ -3,7 +3,7 @@
# strategy = configure
# complexity = low
# disruption = high
-- (xccdf-var var_removable_partition)
+{{{ ansible_instantiate_variables("var_removable_partition") }}}
- name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition
lineinfile: