From da0a661b8a5754feecab58a577783faa918172bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 4 Sep 2020 12:04:27 +0200 Subject: [PATCH 1/3] Replace XCCDF value substitution code by a macro. The macro hides the actual implementation of the substitution, it "just works", and it opens ways to support variables even outside of the SCAP content, where there is no scanner to do the actual substitution. Renamed the macro to xccdf_value, kept the old one for backward compatibility. --- .../rule.yml | 8 ++++---- .../rule.yml | 2 +- .../keystone/keystone_lockout_duration/rule.yml | 2 +- .../keystone_lockout_failure_attempts/rule.yml | 2 +- .../rule.yml | 2 +- .../container_keystone_lockout_duration/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 4 ++-- .../httpd_enable_loglevel/rule.yml | 4 ++-- .../postfix_client_configure_mail_alias/rule.yml | 2 +- .../postfix_client_configure_relayhost/rule.yml | 4 ++-- .../postfix_network_listening_disabled/rule.yml | 4 ++-- .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 6 +++--- .../ssh_server/sshd_disable_compression/rule.yml | 2 +- .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 4 ++-- .../ssh_server/sshd_set_idle_timeout/rule.yml | 4 ++-- .../ssh/ssh_server/sshd_set_keepalive/rule.yml | 4 ++-- .../ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++-- .../ssh_server/sshd_set_max_sessions/rule.yml | 4 ++-- .../sshd_use_approved_ciphers/rule.yml | 2 +- .../ssh_server/sshd_use_approved_macs/rule.yml | 2 +- .../ssh_server/sshd_use_priv_separation/rule.yml | 4 ++-- .../services/sssd/sssd_memcache_timeout/rule.yml | 8 ++++---- .../sssd/sssd_ssh_known_hosts_timeout/rule.yml | 8 ++++---- .../accounts_password_pam_unix_remember/rule.yml | 8 ++++---- .../rule.yml | 6 +++--- .../rule.yml | 4 ++-- .../rule.yml | 6 +++--- .../rule.yml | 4 ++-- .../rule.yml | 2 +- .../rule.yml | 6 +++--- .../rule.yml | 4 ++-- .../rule.yml | 4 ++-- .../rule.yml | 2 +- .../rule.yml | 2 +- .../accounts_password_pam_difok/rule.yml | 2 +- .../rule.yml | 4 ++-- 
.../accounts_password_pam_maxrepeat/rule.yml | 4 ++-- .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 4 ++-- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../accounts_password_pam_retry/rule.yml | 2 +- .../configure_opensc_card_drivers/rule.yml | 8 ++++---- .../force_opensc_card_drivers/rule.yml | 8 ++++---- .../account_disable_post_pw_expiration/rule.yml | 6 +++--- .../accounts_maximum_age_login_defs/rule.yml | 4 ++-- .../accounts_minimum_age_login_defs/rule.yml | 4 ++-- .../accounts_password_minlen_login_defs/rule.yml | 4 ++-- .../rule.yml | 4 ++-- .../accounts_logon_fail_delay/rule.yml | 4 ++-- .../rule.yml | 4 ++-- .../accounts-session/accounts_tmout/rule.yml | 4 ++-- .../accounts_umask_etc_bashrc/rule.yml | 6 +++--- .../accounts_umask_etc_csh_cshrc/rule.yml | 4 ++-- .../accounts_umask_etc_login_defs/rule.yml | 4 ++-- .../accounts_umask_etc_profile/rule.yml | 4 ++-- .../rule.yml | 4 ++-- .../rule.yml | 4 ++-- .../auditd_data_retention_flush/rule.yml | 2 +- .../auditd_data_retention_max_log_file/rule.yml | 2 +- .../auditd_data_retention_num_logs/rule.yml | 2 +- .../rsyslog_files_groupownership/rule.yml | 8 ++++---- .../rsyslog_files_ownership/rule.yml | 8 ++++---- .../rsyslog_remote_loghost/rule.yml | 16 ++++++++-------- .../rule.yml | 4 ++-- .../daemon_umask/umask_for_daemons/rule.yml | 4 ++-- .../system/selinux/selinux_policytype/rule.yml | 6 +++--- .../guide/system/selinux/selinux_state/rule.yml | 6 +++--- .../dconf_gnome_screensaver_idle_delay/rule.yml | 2 +- .../dconf_gnome_screensaver_lock_delay/rule.yml | 6 +++--- .../gconf_gnome_screensaver_idle_delay/rule.yml | 6 +++--- .../rule.yml | 6 +++--- .../crypto/configure_crypto_policy/rule.yml | 6 +++--- .../crypto/ssh_client_rekey_limit/rule.yml | 6 +++--- shared/macros.jinja | 7 ++++++- 75 files changed, 168 insertions(+), 163 deletions(-) 
diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
index 74da1f4c8b..91bd3ab560 100644
--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
@@ -11,13 +11,13 @@ description: |- {{%- if product == "ocp4" %}} file /etc/kubernetes/kubernetes.conf on the kubelet node(s) and set the below parameter: -
streamingConnectionIdleTimeout: 
+
streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}
{{% else %}} file /etc/origin/node/node-config.yaml on the kubelet node(s) and set the below parameter:
kubeletArguments:
       streaming-connection-idle-timeout:
-      - ''
+ - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}' {{%- endif %}} rationale: |-
@@ -33,10 +33,10 @@ ocil: |- Run the following command on the kubelet node(s): {{%- if product == "ocp4" %}}
$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf
- The output should return . + The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. {{% else %}}
$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml
- The output should return . + The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. {{%- endif %}} identifiers:
diff --git a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
index 6f8a7c9474..5a06f2984f 100644
--- a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
+++ b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
@@ -32,4 +32,4 @@ ocil: |-
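Review bot: The rewritten OCIL line `+ The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}.` describes only the value, while the grep it follows prints the whole `streamingConnectionIdleTimeout: <value>` line (and two lines for the `grep -A1` in the origin branch), so an auditor comparing literally will see a mismatch. Since the line is being rewritten anyway, stating the full expected line, e.g. `The output should return streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}.`, would match what the sshd rules in this same patch do (`MaxAuthTries {{{ ... }}}`). The same value-only wording is kept in the postfix_client_configure_relayhost, postfix_network_listening_disabled and sshd_use_priv_separation OCIL hunks below.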
$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf

If properly configured, the output should be: -
disable_user_account_days_inactive = 
+
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}
diff --git a/applications/openstack/keystone/keystone_lockout_duration/rule.yml b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
index 30a823e0fe..50057c14d1 100644
--- a/applications/openstack/keystone/keystone_lockout_duration/rule.yml
+++ b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
@@ -38,4 +38,4 @@ ocil: |-
$ grep lockout_duration /etc/keystone/keystone.conf

If properly configured, the output should be: -
lockout_duration=
+
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}
diff --git a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
index e77fb2d0c1..4927fb0abe 100644
--- a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
+++ b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
@@ -33,4 +33,4 @@ ocil: |-
$ grep lockout_failure_attempts /etc/keystone/keystone.conf

If properly configured, the output should be: -
lockout_failure_attempts=
+
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}
diff --git a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
index 9f98073edc..8bd564e66a 100644
--- a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
@@ -31,4 +31,4 @@ ocil: |-
$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

If properly configured, the output should be: -
disable_user_account_days_inactive = 
+
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}
diff --git a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
index 98f33106c0..1c469e3e4f 100644
--- a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
@@ -37,4 +37,4 @@ ocil: |-
$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

If properly configured, the output should be: -
lockout_duration=
+
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}
diff --git a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
index d9de1aebf6..8d48304685 100644
--- a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
+++ b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
@@ -32,4 +32,4 @@ ocil: |-
$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf

If properly configured, the output should be: -
lockout_failure_attempts=
+
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
index aaf7e21583..3a9b317b75 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests' description: |- The MaxKeepAliveRequests directive should be set and configured to - or greater by setting the following + {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following in /etc/httpd/conf/httpd.conf: -
MaxKeepAliveRequests 
+
MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}
rationale: |- Resource exhaustion can occur when an unlimited number of concurrent requests
diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
index 112039a2d8..e8bb96b214 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8 title: 'Enable HTTPD LogLevel' description: |- - LogLevel should be enabled and set to . + LogLevel should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}. Add or edit the following in /etc/httpd/conf/httpd.conf: -
LogLevel 
+
LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}
rationale: |- The server error logs are invaluable because they can also be used to identify
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 0650606bad..b86f6e7c98 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account' description: |- Set up an alias for root that forwards to a monitored email address: -
$ sudo echo "root: " >> /etc/aliases
+    
$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" >> /etc/aliases
     $ sudo newaliases
rationale: |-
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
index 0b4e2d2322..0faafeb0c2 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -6,7 +6,7 @@ description: |- Set up a relay host that will act as a gateway for all outbound email. Edit the file /etc/postfix/main.cf to ensure that only the following relayhost line appears: -
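Review bot: The rewritten command on the added line, `$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" >> /etc/aliases`, applies sudo only to echo; the `>> /etc/aliases` redirection is performed by the caller's own shell, so for a non-root user it fails with permission denied and the alias is never written, while the following `$ sudo newaliases` then silently rebuilds the unchanged database. Since the line is being rewritten anyway, `$ echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" | sudo tee -a /etc/aliases` gives a command that works as documented. The `sudo echo` pattern predates this commit, but this hunk is the natural place to correct it.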
relayhost = 
+
relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}
rationale: |- A central outbound email location ensures messages sent from any network host
@@ -20,4 +20,4 @@ ocil_clause: 'it is not' ocil: |- Run the following command to ensure postfix routes mail to this system:
$ grep relayhost /etc/postfix/main.cf
- If properly configured, the output should show only . + If properly configured, the output should show only {{{ xccdf_value("var_postfix_relayhost") }}}.
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 8deb83a2da..cba179b8d7 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening' description: |- Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears: -
inet_interfaces = 
+
inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}
rationale: |-
@@ -41,4 +41,4 @@ ocil_clause: 'it does not' ocil: |- Run the following command to ensure postfix accepts mail messages from only the local system:
$ grep inet_interfaces /etc/postfix/main.cf
- If properly configured, the output should show only . + If properly configured, the output should show only {{{ xccdf_value("var_postfix_inet_interfaces") }}}.
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index ba3772a5af..d5f8b9125e 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval' description: |- The maxpoll should be configured to - in /etc/ntp.conf or + {{{ xccdf_value("var_time_service_set_maxpoll") }}} in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following: -
maxpoll 
+
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
rationale: |- Inaccurate time stamps make it more difficult to correlate
@@ -46,4 +46,4 @@ ocil: |- To verify that maxpoll has been set properly, perform the following:
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
The output should return -
maxpoll 
. +
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index e63866bb8b..fe7e67c1c2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -9,7 +9,7 @@ description: |- it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file: -
Compression 
+
Compression {{{ xccdf_value("var_sshd_disable_compression") }}}
rationale: |- If compression is allowed in an SSH connection prior to authentication,
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index ce191e48e7..d7941f9c0e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -7,7 +7,7 @@ description: |- the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line - RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. + RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. rationale: |- By decreasing the limit based on the amount of data and enabling
@@ -30,4 +30,4 @@ ocil: |- following command:
$ sudo grep RekeyLimit /etc/ssh/sshd_config
If configured properly, output should be -
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
+
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 250addfe2f..5149de069d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -8,7 +8,7 @@ description: |-

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: -
ClientAliveInterval 
+
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.
@@ -61,4 +61,4 @@ ocil: |- Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be: -
ClientAliveInterval 
+
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index 95628aac85..5354ff5b0c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count' description: |- To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows: -
ClientAliveCountMax 
+
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
rationale: |- This ensures a user login will be terminated as soon as the ClientAliveInterval
@@ -48,4 +48,4 @@ ocil: |- To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, output should be: -
ClientAliveCountMax 
+
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 037bb1603d..d6e1f30b19 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -6,7 +6,7 @@ description: |- The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows: -
MaxAuthTries 
+
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}
rationale: |- Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
@@ -31,4 +31,4 @@ ocil: |- To ensure the MaxAuthTries parameter is set, run the following command:
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
If properly configured, output should be: -
MaxAuthTries 
+
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
index 3f74e662de..2782b71905 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit' description: |- The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit - /etc/ssh/sshd_config as follows:
MaxSessions 
+ /etc/ssh/sshd_config as follows:
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}
rationale: |- To protect a system from denial of service due to a large number of concurrent
@@ -27,4 +27,4 @@ ocil: |- Run the following command to see what the max sessions number is:
$ sudo grep MaxSessions /etc/ssh/sshd_config
If properly configured, the output should be: -
MaxSessions 
+
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 985bbd0b8b..c2204193dc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -31,7 +31,7 @@ description: |- {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} {{% endif %}} {{% endif %}} - The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. + The rule is parametrized to use the following ciphers: {{{ xccdf_value("sshd_approved_ciphers") }}}. rationale: |- Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index 4b563de550..b7adaca34b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -32,7 +32,7 @@ description: |- {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} {{% endif %}} {{% endif %}} - The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. + The rule is parametrized to use the following MACs: {{{ xccdf_value("sshd_approved_macs") }}}. rationale: |- DoD Information Systems are required to use FIPS-approved cryptographic hash
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 60813a75a2..14d1acfd22 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -6,7 +6,7 @@ description: |- When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file: -
UsePrivilegeSeparation 
+
UsePrivilegeSeparation {{{ xccdf_value("var_sshd_priv_separation") }}}
rationale: |- SSH daemon privilege separation causes the SSH process to drop root privileges
@@ -41,4 +41,4 @@ ocil: |- To check if UsePrivilegeSeparation is enabled or set correctly, run the following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
- If configured properly, output should be . + If configured properly, output should be {{{ xccdf_value("var_sshd_priv_separation") }}}.
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
index 00cda4f144..35ec8c497c 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
@@ -6,14 +6,14 @@ title: 'Configure SSSD''s Memory Cache to Expire' description: |- SSSD's memory cache should be configured to set to expire records after - seconds. + {{{ xccdf_value("var_sssd_memcache_timeout") }}} seconds. To configure SSSD to expire memory cache, set memcache_timeout to - under the + {{{ xccdf_value("var_sssd_memcache_timeout") }}} under the [nss] section in /etc/sssd/sssd.conf. For example:
[nss]
-    memcache_timeout = 
+    memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
     
rationale: |-
@@ -46,4 +46,4 @@ ocil_clause: 'it does not exist or is not configured properly' ocil: |- To verify that SSSD's in-memory cache expires after a day, run the following command:
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
- If configured properly, output should be
memcache_timeout = 
. + If configured properly, output should be
memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
.
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
index ce83991f57..00f1f3b485 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
@@ -6,12 +6,12 @@ title: 'Configure SSSD to Expire SSH Known Hosts' description: |- SSSD should be configured to expire keys from known SSH hosts after - seconds. + {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}} seconds. To configure SSSD to known SSH hosts, set ssh_known_hosts_timeout - to under the + to {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}} under the [ssh] section in /etc/sssd/sssd.conf. For example:
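Review bot: The OCIL introduction in this hunk still reads `To verify that SSSD's in-memory cache expires after a day, run the following command:` while the expected output on the rewritten line below it is now the parametrized `memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}`; the hard-coded "a day" contradicts the variable whenever a profile sets it to anything else. Suggest `To verify that SSSD's in-memory cache expires after {{{ xccdf_value("var_sssd_memcache_timeout") }}} seconds, run the following command:`. The description hunk above in the same file already phrases the value as a number of seconds, so this keeps the two parts of the rule consistent.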
[ssh]
-    ssh_known_hosts_timeout = 
+    ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
     
rationale: |-
@@ -44,4 +44,4 @@ ocil: |- To verify that SSSD expires known SSH host keys, run the following command:
$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
If configured properly, output should be -
ssh_known_hosts_timeout = 
+
ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 7c7b14860c..f6857da463 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -9,14 +9,14 @@ description: |- accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

- In the file /etc/pam.d/system-auth, append remember= + In the file /etc/pam.d/system-auth, append remember={{{ xccdf_value("var_password_pam_unix_remember") }}} to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case: -
    password sufficient pam_unix.so ...existing_options... remember=
    +
    password sufficient pam_unix.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
  • for the pam_pwhistory.so case: -
    password requisite pam_pwhistory.so ...existing_options... remember=
    +
    password requisite pam_pwhistory.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
The DoD STIG requirement is 5 passwords.
@@ -56,6 +56,6 @@ ocil: |- To verify the password reuse setting is compliant, run the following command:
$ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line: -
remember=
+
remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 8eeb24a9c5..15eba70d6a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -11,9 +11,9 @@ description: |-

  • add the following line immediately before the pam_unix.so statement in the AUTH section: -
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • +
    auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • +
    auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
@@ -56,6 +56,6 @@ ocil_clause: 'that is not the case' ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
- The output should show deny=.
+ The output should show deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}.
platform: pam
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 6f49ea9850..1780a66251 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -13,10 +13,10 @@ description: |-
  • Modify the following line in the AUTH section to add even_deny_root: -
    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
  • +
    auth required pam_faillock.so preauth silent even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
  • Modify the following line in the AUTH section to add even_deny_root: -
    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
    +
    auth [default=die] pam_faillock.so authfail even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index f891d8e600..708e98e7f3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -14,11 +14,11 @@ description: |-
  • Add the following line immediately before the pam_unix.so statement in the AUTH section: -
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    +
    auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
  • Add the following line immediately after the pam_unix.so statement in the AUTH section: -
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    +    
    auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
         
  • Add the following line immediately before the @@ -63,7 +63,7 @@ ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    - For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. + For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index c3c7fa1ccc..b992cf93bd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -11,9 +11,9 @@ description: |-
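Review bot: The new ocil line requires interval-in-seconds to be `{{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}` or greater, but the sentence that follows it in the same hunk accepts the unset default of 900 seconds unconditionally, so the two statements contradict each other whenever the selected value is above 900. Consider qualifying the default, e.g. `If the fail_interval parameter is not set, the default of 900 seconds is acceptable only if {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} is 900 or lower.` That sentence is a context line here, so the fix would extend the hunk by one line.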

    • add the following line immediately before the pam_unix.so statement in the AUTH section: -
      auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    • +
      auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    • add the following line immediately after the pam_unix.so statement in the AUTH section: -
      auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    • +
      auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
      account required pam_faillock.so
    diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml index fde8c8a188..168960bd4e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml @@ -7,7 +7,7 @@ title: 'Set Password Strength Minimum Different Characters' description: |- The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. - Add difok= after pam_cracklib.so to require differing + Add difok={{{ xccdf_value("var_password_pam_difok") }}} after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4. rationale: |- diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml index 8171db26bd..8865b29f36 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml 
@@ -7,9 +7,9 @@ title: 'Set Password to Maximum of Three Consecutive Repeating Characters' description: |- The pam_cracklib module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords - which contain more than that number of consecutive characters. Add maxrepeat= - after pam_cracklib.so to prevent a run of ( + 1) or more identical characters:
    -
    password required pam_cracklib.so maxrepeat=
    + which contain more than that number of consecutive characters. Add maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}} + after pam_cracklib.so to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters:
    +
    password required pam_cracklib.so maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}
    rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml index 9723f28793..3c87a58cc6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml @@ -17,8 +17,8 @@ description: |- * Digits * Special characters (for example, punctuation)
- Add minclass= after pam_cracklib.so entry into the - /etc/pam.d/system-auth file in order to require differing categories of + Add minclass={{{ xccdf_value("var_password_pam_minclass") }}} after pam_cracklib.so entry into the + /etc/pam.d/system-auth file in order to require {{{ xccdf_value("var_password_pam_minclass") }}} differing categories of characters when changing passwords. For example to require at least three character classes to be used in password, use minclass=3. diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml index cb902bccd7..1088af68ee 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml @@ -6,7 +6,7 @@ title: 'Set Password Minimum Length' description: |- The pam_cracklib module's minlen parameter controls requirements for - minimum characters required in a password. Add minlen= + minimum characters required in a password. Add minlen={{{ xccdf_value("var_password_pam_minlen") }}} after pam_pwquality to set minimum password length requirements. rationale: |- @@ -38,4 +38,4 @@ ocil_clause: 'minlen is not found or not set to the required value (or higher)' ocil: |- To check how many characters are required in a password, run the following command:
$ grep cracklib /etc/pam.d/system-auth
- Your output should contain minlen= + Your output should contain minlen={{{ xccdf_value("var_password_pam_minlen") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml index 9c6d8a5b31..f8cb083106 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml @@ -9,7 +9,7 @@ description: |- usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. - Add ocredit= after pam_cracklib.so to require use of a special character in passwords. + Add ocredit={{{ xccdf_value("var_password_pam_ocredit") }}} after pam_cracklib.so to require use of a special character in passwords. rationale: |- Requiring a minimum number of special characters makes password guessing attacks diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml index e0555d7224..cc1a9f72c7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml @@ -9,7 +9,7 @@ description: |-
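Review bot: The new ocil line states `Your output should contain minlen={{{ xccdf_value("var_password_pam_minlen") }}}` as an exact value, while the ocil_clause in this hunk's header accepts the required value or higher, so the verification text reads stricter than the clause that decides the result. Suggest `Your output should contain minlen={{{ xccdf_value("var_password_pam_minlen") }}} or greater`. The same exact-value wording is introduced in the pwquality accounts_password_pam_minlen ocil hunk further down (`minlen = {{{ xccdf_value("var_password_pam_minlen") }}}`), whose clause likewise says "equal to or greater".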

Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show - retry=, or a lower value + retry={{{ xccdf_value("var_password_pam_retry") }}}, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session. diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index 965b10a57a..fb64b61520 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -9,7 +9,7 @@ description: |- in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf - to equal to require differing characters + to equal {{{ xccdf_value("var_password_pam_difok") }}} to require differing characters when changing passwords. rationale: |- diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml index 0d59eefef9..d449c97950 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml @@ -8,8 +8,8 @@ description: |- The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the - maxclassrepeat setting in /etc/security/pwquality.conf to equal - to prevent a run of ( + 1) or more identical characters. + maxclassrepeat setting in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + to prevent a run of ({{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + 1) or more identical characters. rationale: |- Use of a complex password helps to increase the time and resources required to comrpomise the password. diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml index 59637552ae..cb2755b255 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml @@ -8,8 +8,8 @@ description: |- The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting - in /etc/security/pwquality.conf to equal to prevent a - run of ( + 1) or more identical characters. + in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a + run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters. rationale: |- Use of a complex password helps to increase the time and resources required to compromise the password. diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index 7dc06b20e9..c6ac4e654b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml @@ -19,7 +19,7 @@ description: |- * Special characters (for example, punctuation) Modify the minclass setting in /etc/security/pwquality.conf entry - to require + to require {{{ xccdf_value("var_password_pam_minclass") }}} differing categories of characters when changing passwords. rationale: |- 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index c507413b67..0c1066a550 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -6,7 +6,7 @@ title: 'Ensure PAM Enforces Password Requirements - Minimum Length' description: |- The pam_pwquality module's minlen parameter controls requirements for - minimum characters required in a password. Add minlen= + minimum characters required in a password. Add minlen={{{ xccdf_value("var_password_pam_minlen") }}} after pam_pwquality to set minimum password length requirements. rationale: |- @@ -49,7 +49,7 @@ ocil_clause: 'minlen is not found, or not equal to or greater than the required ocil: |- To check how many characters are required in a password, run the following command:
$ grep minlen /etc/security/pwquality.conf
- Your output should contain minlen = + Your output should contain minlen = {{{ xccdf_value("var_password_pam_minlen") }}} platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index b9b93d69b1..cbc1ca50ee 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml @@ -10,7 +10,7 @@ description: |- any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting - in /etc/security/pwquality.conf to equal + in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_ocredit") }}} to require use of a special character in passwords. rationale: |- diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index a64ee575a1..6b1534adde 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml 
@@ -7,7 +7,7 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts description: |- To configure the number of retry prompts that are permitted per-session: Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to - show retry=, or a lower value if + show retry={{{ xccdf_value("var_password_pam_retry") }}}, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml index 57958bce13..476cffcd62 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml @@ -8,13 +8,13 @@ description: |- The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent users from using unauthorized smart cards. The default smart card driver for this - profile is . + profile is {{{ xccdf_value("var_smartcard_drivers") }}}. To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file. Look for a line similar to:
# card_drivers = old, internal;
and change it to: -
card_drivers = ;
+
card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
rationale: |- Smart card login provides two-factor authentication stronger than @@ -45,9 +45,9 @@ references: ocil_clause: 'the smart card driver is not configured correctly' ocil: |- - To verify that is configured + To verify that {{{ xccdf_value("var_smartcard_drivers") }}} is configured as the smart card driver, run the following command changing ARCH for the architecture of your operating system:
$ grep card_drivers /etc/opensc-ARCH
The output should return something similar to: -
card_drivers = ;
+
card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml index ad65316007..261698320c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml @@ -9,13 +9,13 @@ description: |- forcing the smart card driver in use by your organization, opensc will no longer autodetect or use other drivers unless specified. This helps to prevent users from using unauthorized smart cards. The default smart card driver for this - profile is . + profile is {{{ xccdf_value("var_smartcard_drivers") }}}. To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where ARCH is the architecture of your operating system) file. Look for a line similar to:
# force_card_driver = customcos;
and change it to: -
force_card_driver = ;
+
force_card_driver = {{{ xccdf_value("var_smartcard_drivers") }}};
rationale: |- Smart card login provides two-factor authentication stronger than @@ -46,9 +46,9 @@ references: ocil_clause: 'the smart card driver is not configured correctly' ocil: |- - To verify that is configured + To verify that {{{ xccdf_value("var_smartcard_drivers") }}} is configured as the smart card driver, run the following command changing ARCH for the architecture of your operating system:
$ grep force_card_driver /etc/opensc-ARCH
The output should return something similar to: -
force_card_drivers = ;
+
force_card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
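Review bot: The new sample-output line keeps the key name `force_card_drivers`, while the option this rule configures (`force_card_driver` in the description hunk) and the `grep force_card_driver` command two lines above use the singular form, so the expected output can never match what the check command prints. The line should read `force_card_driver = {{{ xccdf_value("var_smartcard_drivers") }}};`. The removed line carried the same typo, so this is the moment to correct it rather than carry it over into the new macro form.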
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml index 45c199ad4a..cfa59edd38 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -9,9 +9,9 @@ description: |- signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately: -
INACTIVE=
+
INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}
A value of 35 is recommended; however, this profile expects that the value is set to - . + {{{ xccdf_value("var_account_disable_post_pw_expiration") }}}. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 @@ -63,6 +63,6 @@ ocil: |- The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below:
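Review bot: The added `INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}` line now shows the concrete profile value, but the context line immediately before it still ends with "substituting NUM_DAYS appropriately", which no longer refers to anything in the shown line. Suggest dropping that phrase so the sentence ends `add or correct the following line in /etc/default/useradd:`. That context line is outside the changed lines of the hunk, so the edit would extend it by one line.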
$ grep "INACTIVE" /etc/default/useradd
-    INACTIVE=
+ INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}} platform: login_defs diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index 0619423d0c..ccf95260dc 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -6,10 +6,10 @@ description: |- To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line: -
PASS_MAX_DAYS 
+
PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}
A value of 180 days is sufficient for many environments. The DoD requirement is 60. - The profile requirement is . + The profile requirement is {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}. rationale: |- Any password, no matter how complex, can eventually be cracked. Therefore, passwords diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index 543e88e822..ceca9550a7 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -6,10 +6,10 @@ description: |- To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line: -
PASS_MIN_DAYS 
+
PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. - The profile requirement is . + The profile requirement is {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}. rationale: |- Enforcing a minimum password lifetime helps to prevent repeated password diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml index 2f18ce638a..39864bb79d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml @@ -5,12 +5,12 @@ title: 'Set Password Minimum Length in login.defs' description: |- To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line: -
PASS_MIN_LEN 
+
PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is - . + {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml index 1048b7c143..3ba2a7049f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml @@ -7,9 +7,9 @@ description: |- expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line: -
PASS_WARN_AGE 
+
PASS_WARN_AGE {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}
The DoD requirement is 7. - The profile requirement is . + The profile requirement is {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}. rationale: |- Setting the password warning age enables users to diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index 9a359b22c5..08f81100f4 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs' description: |- To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: -
FAIL_DELAY 
+
FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}
rationale: |- Increasing the time between a failed authentication attempt and re-prompting to @@ -37,6 +37,6 @@ ocil: |-
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
All output must show the value of FAIL_DELAY set as shown in the below:
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-    FAIL_DELAY 
+ FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}} platform: login_defs diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml index 3486578e66..2fc9427ce3 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml @@ -8,7 +8,7 @@ description: |- concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/: -
* hard maxlogins 
+
* hard maxlogins {{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}
rationale: |- Limiting simultaneous user logins can insulate the system from denial of service @@ -46,6 +46,6 @@ ocil: |- configured for all users on the system:
# grep "maxlogins" /etc/security/limits.conf
You should receive output similar to the following: -
*\t\thard\tmaxlogins\t
+
*\t\thard\tmaxlogins\t{{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}
platform: pam diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml index 6e21f653c7..eb64b12e51 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -8,7 +8,7 @@ description: |- Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows: -
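Review bot: The expected-output line `*\t\thard\tmaxlogins\t{{{ … }}}` sits inside a YAML literal block scalar (`ocil: |-`), where `\t` is two literal characters rather than a tab, so the rendered OCIL shows backslash-t sequences instead of the whitespace a reader would see in the file; write it with spaces, as the description hunk already does: `* hard maxlogins {{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}`. The manual check also greps only `/etc/security/limits.conf`, while the description allows the setting to live in a drop-in under `/etc/security/limits.d/`, so a system configured that way fails the check as written; consider `# grep -r "maxlogins" /etc/security/limits.conf /etc/security/limits.d/`.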
TMOUT=
+
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
rationale: |- Terminating an idle session within a short time period reduces @@ -48,4 +48,4 @@ ocil: |- on the system:
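Review bot: The description (and the matching OCIL grep further down) require only that `TMOUT={{{ xccdf_value("var_accounts_tmout") }}}` appear in `/etc/profile`, but a plain shell assignment can be unset or reassigned by any user in their own session, so the "ensures that all user sessions will terminate" wording overstates what this line achieves on its own. Hardening guidance typically pairs the assignment with `readonly TMOUT` and `export TMOUT` so the value binds; consider showing those lines alongside the assignment, or adding a sentence noting that without `readonly` the timeout is advisory. The rationale that starts in this hunk's context continues outside it.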
$ sudo grep TMOUT /etc/profile
The output should return the following: -
TMOUT=
+
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index 391a2bcc42..e9beb8f4bd 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -8,7 +8,7 @@ description: |- To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows: -
umask 
+
umask {{{ xccdf_value("var_accounts_user_umask") }}}
rationale: |- The umask value influences the permissions assigned to files when they are created. @@ -44,5 +44,5 @@ ocil: |-
# grep "umask" /etc/bashrc
All output must show the value of umask set as shown below:
# grep "umask" /etc/bashrc
-    umask 
-    umask 
+ umask {{{ xccdf_value("var_accounts_user_umask") }}} + umask {{{ xccdf_value("var_accounts_user_umask") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml index 5b8bc81ab3..347e881d5e 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml @@ -7,7 +7,7 @@ title: 'Ensure the Default C Shell Umask is Set Correctly' description: |- To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows: -
umask 
+
umask {{{ xccdf_value("var_accounts_user_umask") }}}
rationale: |- The umask value influences the permissions assigned to files when they are created. @@ -42,4 +42,4 @@ ocil: |-
# grep "umask" /etc/csh.cshrc
All output must show the value of umask set as shown in the below:
# grep "umask" /etc/csh.cshrc
-    umask 
+ umask {{{ xccdf_value("var_accounts_user_umask") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml index ecb2dfb1f1..088e9ce2a8 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in login.defs' description: |- To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: -
UMASK 
+
UMASK {{{ xccdf_value("var_accounts_user_umask") }}}
rationale: |- The umask value influences the permissions assigned to files when they are created. @@ -42,6 +42,6 @@ ocil: |-
# grep -i "UMASK" /etc/login.defs
All output must show the value of umask set as shown in the below:
# grep -i "UMASK" /etc/login.defs
-    umask 
+ umask {{{ xccdf_value("var_accounts_user_umask") }}} platform: login_defs diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml index bf48d81899..43ab898b5d 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in /etc/profile' description: |- To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: -
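Review bot: The expected output of `grep -i "UMASK" /etc/login.defs` is shown as `umask {{{ … }}}` while the setting this rule installs, per the description hunk, is `UMASK …`; the case-insensitive grep masks the difference, but a reader comparing the shown line with the file sees a mismatch. Write it as `UMASK {{{ xccdf_value("var_accounts_user_umask") }}}` so the check text matches the keyword the file actually uses.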
umask 
+
umask {{{ xccdf_value("var_accounts_user_umask") }}}
rationale: |- The umask value influences the permissions assigned to files when they are created. @@ -42,4 +42,4 @@ ocil: |-
# grep "umask" /etc/profile
All output must show the value of umask set as shown in the below:
# grep "umask" /etc/profile
-    umask 
+ umask {{{ xccdf_value("var_accounts_user_umask") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml index c317700e71..c19af71bb5 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml @@ -16,7 +16,7 @@ description: |- with an IP address or hostname of the system that the audispd plugin should send audit records to. For example -
remote_server = 
+
remote_server = {{{ xccdf_value("var_audispd_remote_server") }}}
rationale: |- Information stored in one location is vulnerable to accidental or incidental @@ -48,5 +48,5 @@ ocil: |-
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
{{% endif %}} The output should return something similar to -
remote_server = 
+
remote_server = {{{ xccdf_value("var_audispd_remote_server") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml index a071e6dda5..66de6e73a5 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml @@ -7,7 +7,7 @@ description: |- a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: -
action_mail_acct = 
+
action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
rationale: |- Email sent to the root account is typically aliased to the @@ -49,5 +49,5 @@ ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: -
action_mail_acct = 
+
action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml index b4038d13bd..1db8b82dda 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml @@ -9,7 +9,7 @@ description: |- synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk: -
flush = 
+
flush = {{{ xccdf_value("var_auditd_flush") }}}
rationale: |- Audit data should be synchronously written to disk to ensure diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml index 73107df695..1bdafa9215 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml @@ -6,7 +6,7 @@ description: |- Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting - the correct value of for STOREMB: + the correct value of {{{ xccdf_value("var_auditd_max_log_file") }}} for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course,
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
index 01bb0ad7a2..34e2a2b60f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
@@ -6,7 +6,7 @@ description: |-
 Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following
- line, substituting NUMLOGS with the correct value of :
+ line, substituting NUMLOGS with the correct value of {{{ xccdf_value("var_auditd_num_logs") }}}:
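Review bot: The substituted sentence now reads "substituting the correct value of {{{ xccdf_value("var_auditd_max_log_file") }}} for STOREMB" while the next line still says "Set the value to 6 (MB) or higher for general-purpose systems"; once the profile value is rendered into the text, a reader is given two numbers for the same setting with no statement of which wins. Consider rewording the fixed sentence to describe the minimum rather than prescribe a value, e.g. `Values below 6 (MB) are not recommended for general-purpose systems.`, so it cannot contradict the substituted value. The description continues past this hunk.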
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml index 3331f5188a..74a87bb659 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml @@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' description: |- The group-owner of all log files written by - rsyslog should be . + rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:
$ ls -l LOGFILE
- If the owner is not , run the following command to + If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to correct this: -
$ sudo chgrp  LOGFILE
+
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
rationale: |- The log files generated by rsyslog contain valuable information regarding system @@ -43,7 +43,7 @@ references: ocil_clause: 'the group-owner is not correct' ocil: |- - The group-owner of all log files written by rsyslog should be . + The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command: diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml index a034c0a193..506b6457ca 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml @@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate User' description: |- The owner of all log files written by - rsyslog should be . + rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
- If the owner is not , run the following command to + If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to correct this: -
$ sudo chown  LOGFILE
+
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
rationale: |- The log files generated by rsyslog contain valuable information regarding system @@ -43,7 +43,7 @@ references: ocil_clause: 'the owner is not correct' ocil: |- - The owner of all log files written by rsyslog should be . + The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the owner of a given log file, run the following command: diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml index 642bf1ee0e..c27707569f 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml @@ -10,21 +10,21 @@ description: |- Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, - substituting appropriately. + substituting {{{ xccdf_value("rsyslog_remote_loghost_address") }}} appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery: -
*.* @
+
*.* @{{{ xccdf_value("rsyslog_remote_loghost_address") }}}

To use TCP for log message delivery: -
*.* @@
+
*.* @@{{{ xccdf_value("rsyslog_remote_loghost_address") }}}

To use RELP for log message delivery: -
*.* :omrelp:
+
*.* :omrelp:{{{ xccdf_value("rsyslog_remote_loghost_address") }}}

- There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. + There must be a resolvable DNS CNAME or Alias record set to "{{{ xccdf_value("rsyslog_remote_loghost_address") }}}" for logs to be sent correctly to the centralized logging utility. rationale: |- A log server (loghost) receives syslog messages from one or more @@ -67,8 +67,8 @@ ocil: |- To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: -
 *.* @
+
 *.* @{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
If using TCP, a line similar to the following should be present: -
 *.* @@
+
 *.* @@{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
If using RELP, a line similar to the following should be present: -
 *.* :omrelp:
+
 *.* :omrelp:{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml index 7e96bbd35d..e68faf00ca 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml @@ -15,7 +15,7 @@ description: |- Set the system to implement rate-limiting measures by adding the following line to /etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -
net.ipv4.tcp_invalid_ratelimit = 
+
net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}
Issue the following command to make the changes take effect:
# sysctl --system
@@ -51,7 +51,7 @@ ocil: |- on impacted network interfaces, run the following command:
# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*
The command should output the following line: -
/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = 
+
/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}
The file where the line has been found can differ, but it must be either /etc/sysctl.conf or a file located under the /etc/sysctl.d/ directory. diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml index a14fc555af..64c6c3668d 100644 --- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml @@ -11,7 +11,7 @@ description: |- a umask of 077 in their own init scripts. By default, the umask of 022 is set which prevents creation of group- or world-writable files. To set the umask for daemons expected by the profile, edit the following line: -
umask 
+
umask {{{ xccdf_value("var_umask_for_daemons") }}}
rationale: |- The umask influences the permissions assigned to files created by a @@ -40,7 +40,7 @@ ocil_clause: 'it does not' ocil: |- To check the value of the umask, run the following command:
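Review bot: The description says "edit the following line" but never names the file to edit; the OCIL check further down greps `/etc/init.d/functions`, so the instruction should say so: `To set the umask for daemons expected by the profile, edit the following line in /etc/init.d/functions:`. Without the path, a reader following only the description has nothing to correlate the substituted `umask {{{ … }}}` line with.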
$ grep umask /etc/init.d/functions
- The output should show . + The output should show {{{ xccdf_value("var_umask_for_daemons") }}}. warnings: - functionality: |- diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index bbc6b3a992..d861f5f9e2 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -9,7 +9,7 @@ description: |- general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: -
SELINUXTYPE=
+
SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. @@ -23,7 +23,7 @@ rationale: |- temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to - . + {{{ xccdf_value("var_selinux_policy_name") }}}. severity: high @@ -57,4 +57,4 @@ ocil_clause: 'it does not' ocil: |- Check the file /etc/selinux/config and ensure the following line appears: -
SELINUXTYPE=
+
SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index 2c90aadbd1..66c5fd65f8 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -5,10 +5,10 @@ prodtype: fedora,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019 title: 'Ensure SELinux State is Enforcing' description: |- - The SELinux state should be set to at + The SELinux state should be set to {{{ xccdf_value("var_selinux_state") }}} at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: -
SELINUX=
+
SELINUX={{{ xccdf_value("var_selinux_state") }}}
rationale: |- Setting the SELinux state to enforcing ensures SELinux is able to confine @@ -49,4 +49,4 @@ ocil_clause: 'SELINUX is not set to enforcing' ocil: |- Check the file /etc/selinux/config and ensure the following line appears: -
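Review bot: The sentence still ends with "to configure the system to boot into enforcing mode" while the line it introduces now substitutes `var_selinux_state`; if a profile sets that Value to anything other than `enforcing`, the prose contradicts the substituted line (the title and the ocil_clause hard-code "enforcing" too). Either keep `SELINUX=enforcing` literal to match the title, or phrase the text around the variable, e.g. `to configure the system to boot into the {{{ xccdf_value("var_selinux_state") }}} mode`. The rationale that starts in this hunk's context continues outside it.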
SELINUX=
+
SELINUX={{{ xccdf_value("var_selinux_state") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml index d2feba00b4..bec17bc68b 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml @@ -54,7 +54,7 @@ ocil_clause: 'idle-delay is not equal to or less than the expected value' ocil: |- To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
- If properly configured, the output should be 'uint32 '. + If properly configured, the output should be 'uint32 {{{ xccdf_value("inactivity_timeout_value") }}}'. To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml index c0a8de72c9..d8a596554c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml @@ -6,10 +6,10 @@ title: 'Set GNOME3 Screensaver Lock Delay After Activation Period' description: |- To activate the locking delay of the screensaver in the GNOME3 desktop when - the screensaver is activated, add or set lock-delay to uint32 in + the screensaver is activated, add or set lock-delay to uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}} in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
-    lock-delay=uint32 
+    lock-delay=uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}
     
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. @@ -48,7 +48,7 @@ ocil_clause: 'the screensaver lock delay is missing, or is set to a value greate ocil: |- To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
- If properly configured, the output should be 'uint32 '. + If properly configured, the output should be 'uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}'.

To ensure that users cannot change how long until the the screensaver locks, run the following:
$ grep lock-delay /etc/dconf/db/local.d/locks/*
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml index 34eb02abf7..5525337fc6 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml @@ -4,12 +4,12 @@ title: 'Set GNOME Login Inactivity Timeout' description: |- Run the following command to set the idle time-out value for - inactivity in the GNOME desktop to minutes: + inactivity in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
$ sudo gconftool-2 \
       --direct \
       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
       --type int \
-      --set /desktop/gnome/session/idle_delay 
+ --set /desktop/gnome/session/idle_delay {{{ xccdf_value("inactivity_timeout_value") }}} rationale: |- Setting the idle delay controls when the @@ -39,4 +39,4 @@ ocil_clause: 'it is not' ocil: |- To check the current idle time-out value, run the following command:
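Review bot: `inactivity_timeout_value` is substituted here as a number of minutes for `/desktop/gnome/session/idle_delay`, while the dconf rule earlier in this patch substitutes the same Value into the gsettings `idle-delay` as a `uint32`; if both rules share one XCCDF Value, the two descriptions cannot both be right about the unit (the Value definition is not visible in this diff, so this may already be handled by per-product selectors). Worth confirming which unit the Value carries and, if the rules differ, using a distinct Value for the gconf rule or stating the conversion in the description.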
$ gconftool-2 -g /desktop/gnome/session/idle_delay
- If properly configured, the output should be . + If properly configured, the output should be {{{ xccdf_value("inactivity_timeout_value") }}}. diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml index 99eaf236f7..17fffec0ed 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml @@ -4,12 +4,12 @@ title: 'Set GNOME Login Maximum Allowed Inactivity' description: |- Run the following command to set the maximum allowed period of inactivity for an - inactive user in the GNOME desktop to minutes: + inactive user in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
$ sudo gconftool-2 \
       --direct \
       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
       --type int \
-      --set /desktop/gnome/session/max_idle_time 
+ --set /desktop/gnome/session/max_idle_time {{{ xccdf_value("inactivity_timeout_value") }}} rationale: |- Terminating an idle session within a short time period reduces the window of @@ -23,4 +23,4 @@ ocil_clause: 'it is not' ocil: |- To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_time
- If properly configured, the output should be . + If properly configured, the output should be {{{ xccdf_value("idle_timeout_value") }}}. diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml index 0f9a919b16..243f079cc3 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml @@ -5,9 +5,9 @@ prodtype: fedora,rhcos4,ol8,rhel8,rhv4 title: 'Configure System Cryptography Policy' description: |- - To configure the system cryptography policy to use ciphers only from the + To configure the system cryptography policy to use ciphers only from the {{{ xccdf_value("var_system_crypto_policy") }}} policy, run the following command: -
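Review bot: The OCIL check substitutes `idle_timeout_value` while the description and remediation in the hunk above use `inactivity_timeout_value`, so the value a checker is told to expect is not the one the rule configures, and if no XCCDF Value named `idle_timeout_value` exists in the benchmark the substitution is left unresolved. Change the line to `If properly configured, the output should be {{{ xccdf_value("inactivity_timeout_value") }}}.` unless a separate `idle_timeout_value` Value is deliberately intended for this check.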
$ sudo update-crypto-policies --set 
+
$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. @@ -34,7 +34,7 @@ ocil: |- To verify that cryptography policy has been configured correctly, run the following command:
$ update-crypto-policies --show
- The output should return
. + The output should return
{{{ xccdf_value("var_system_crypto_policy") }}}
. Run the command to check if the policy is correctly applied:
$ update-crypto-policies --is-applied
The output should be
The configured policy is applied
. diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml index 89725a33c3..735a68b264 100644 --- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml @@ -9,7 +9,7 @@ description: |- the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line - RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. + RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the include directive in the main config file /etc/ssh/ssh_config. Check also other files in @@ -37,8 +37,8 @@ ocil: |- To check if RekeyLimit is set correctly, run the following command:
$
     sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
-    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
-    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the + RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} + {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}} Check also the main configuration file with the following command:
sudo grep
     RekeyLimit /etc/ssh/ssh_config
The command should not return any output.
diff --git a/shared/macros.jinja b/shared/macros.jinja
index c3bfcaff2f..e670423a9e 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -5,7 +5,7 @@ ocil_clause: "the required value is not set"
{{% macro openshift_cluster_setting(endpoint) -%}}
This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retreive the {{{ endpoint }}} API endpoint to the local {{{ sub_var_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file.
+Therefore, you need to use a tool that can query the OCP API, retreive the {{{ endpoint }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file.
{{%- endmacro %}}
@@ -42,6 +42,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is
{{% macro sub_var_value(varname) -%}}
+{{{ xccdf_value(varname) }}}
+{{%- endmacro %}}
+
+
+{{% macro xccdf_value(varname) -%}}
{{%- endmacro %}}
From b3d3c2619b44e391f96a1741ac3f116cf6e1b6c7 Mon Sep 17 00:00:00 2001
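Review bot: The OCIL expected output for the client RekeyLimit now has a line break between the two macro calls (`+ RekeyLimit {{{ … size … }}}` followed by `+ {{{ … time … }}}`); in the old text the break fell inside the Jinja expression and was swallowed, but here it is literal content of the YAML block scalar, so if this sits inside a `<pre>` block as the surrounding "output should be" wording suggests, the rendered guide shows the time limit on its own line, which does not match what `grep` prints. Keep both calls on one line: `RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}`. The same care applies anywhere a single configuration line carries two substituted values.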
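Review bot: The rewritten `+Therefore, …` line in `openshift_cluster_setting` still carries the typo "retreive"; since the line is being touched anyway, change it to `retrieve the {{{ endpoint }}} API endpoint`. The macro is otherwise unchanged by this hunk.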
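Review bot: `sub_var_value` is kept as a one-line wrapper around `xccdf_value` with nothing marking it as the legacy name, so new content will keep using the two interchangeably; add a comment above it such as `{{# Deprecated: kept for backward compatibility, use xccdf_value() instead. #}}` (adjusted to whatever comment delimiters this file's Jinja environment uses). The body of the new `xccdf_value` macro is blank in this rendering — the XCCDF `<sub>` element it presumably emits has been stripped as markup — so the diff alone does not show that its output is identical to what `sub_var_value` produced before. A one-line comment on `xccdf_value` stating what it emits, and that the value is only resolved by the XCCDF scanner at evaluation time rather than at build time, would make the macro's contract clear to content authors.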
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 4 Sep 2020 12:21:18 +0200 Subject: [PATCH 2/3] Replaced XCCDF value instantiation in Bash by a macro call. The former populate ... mechanism is not Bash, it is a special trick perforemd by our build system. This trick is confusing, its support in the build system is implemented as a complex code, and it doesnt support multiple values per remediation intuitively. This makes the build system involvement explicit, and it opens possibilities to perform implementation changes without breaking backward compatibility. --- .../postfix_client_configure_mail_alias/bash/shared.sh | 2 +- .../services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 2 +- .../ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh | 2 +- .../ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh | 2 +- .../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_disable_compression/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh | 2 +- .../services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh | 2 +- .../ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh | 2 +- .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh | 1 - .../guide/services/sssd/sssd_memcache_timeout/bash/shared.sh | 2 +- .../services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh | 2 +- .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- .../accounts/accounts-banners/banner_etc_motd/bash/shared.sh | 2 +- .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- .../gconf_gdm_set_login_banner_text/bash/rhel6.sh | 2 +- .../accounts_password_pam_unix_remember/bash/shared.sh | 2 +- 
.../accounts_passwords_pam_faillock_deny/bash/shared.sh | 2 +- .../accounts_passwords_pam_faillock_interval/bash/shared.sh | 2 +- .../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh | 2 +- .../accounts_password_pam_retry/bash/shared.sh | 2 +- .../configure_opensc_card_drivers/bash/shared.sh | 2 +- .../smart_card_login/force_opensc_card_drivers/bash/shared.sh | 2 +- .../account_disable_post_pw_expiration/bash/shared.sh | 2 +- .../accounts_maximum_age_login_defs/bash/shared.sh | 2 +- .../accounts_minimum_age_login_defs/bash/fedora.sh | 2 +- .../accounts_minimum_age_login_defs/bash/rhel6.sh | 2 +- .../accounts_minimum_age_login_defs/bash/shared.sh | 2 +- .../accounts_password_minlen_login_defs/bash/shared.sh | 2 +- .../accounts_password_warn_age_login_defs/bash/fedora.sh | 2 +- .../accounts_password_warn_age_login_defs/bash/rhel6.sh | 2 +- .../accounts_password_warn_age_login_defs/bash/shared.sh | 2 +- .../accounts_password_warn_age_login_defs/bash/wrlinux.sh | 2 +- .../accounts-session/accounts_logon_fail_delay/bash/shared.sh | 2 +- .../accounts_max_concurrent_login_sessions/bash/shared.sh | 2 +- .../accounts/accounts-session/accounts_tmout/bash/shared.sh | 2 +- .../user_umask/accounts_umask_etc_bashrc/bash/shared.sh | 2 +- .../user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh | 2 +- .../user_umask/accounts_umask_etc_login_defs/bash/shared.sh | 2 +- .../user_umask/accounts_umask_etc_profile/bash/shared.sh | 2 +- .../auditd_audispd_configure_remote_server/bash/shared.sh | 2 +- .../auditd_data_disk_error_action/bash/shared.sh | 2 +- .../auditd_data_disk_full_action/bash/shared.sh | 2 +- .../auditd_data_retention_action_mail_acct/bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- .../auditd_data_retention_flush/bash/shared.sh | 2 +- .../auditd_data_retention_max_log_file/bash/shared.sh | 2 +- .../auditd_data_retention_max_log_file_action/bash/shared.sh | 2 +- .../auditd_data_retention_num_logs/bash/shared.sh | 2 +- 
.../auditd_data_retention_space_left/bash/shared.sh | 2 +- .../auditd_data_retention_space_left_action/bash/shared.sh | 2 +- .../rsyslog_remote_loghost/bash/shared.sh | 2 +- .../configure_firewalld_ports/bash/shared.sh | 2 +- .../restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh | 2 +- .../restrictions/daemon_umask/umask_for_daemons/bash/shared.sh | 2 +- linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh | 2 +- linux_os/guide/system/selinux/selinux_state/bash/shared.sh | 2 +- .../dconf_gnome_screensaver_idle_delay/bash/shared.sh | 2 +- .../dconf_gnome_screensaver_lock_delay/bash/shared.sh | 2 +- .../gconf_gnome_screensaver_idle_delay/bash/rhel6.sh | 2 +- .../integrity/crypto/configure_crypto_policy/bash/shared.sh | 2 +- .../sap_host/accounts_authorized_local_users/bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- shared/templates/template_BASH_accounts_password | 2 +- .../templates/template_BASH_mount_option_removable_partitions | 2 +- shared/templates/template_BASH_sebool | 2 +- shared/templates/template_BASH_sysctl | 2 +- 71 files changed, 70 insertions(+), 71 deletions(-)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
index 12f7b5d693..5324e1c382 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Virtualization 4,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
-populate var_postfix_root_mail_alias
+{{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
 replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '@CCENUM@' '%s: %s'
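Review bot: The expansion of `bash_instantiate_variables` is not part of this patch (no macro file appears in the diffstat), yet from this hunk on it is the single place where an XCCDF Value becomes a shell variable, so its contract should be stated where it is defined. Whatever it emits should write the value as a quoted literal with embedded quotes escaped rather than a bare `var=value`, because several of the values converted in the following hunks, e.g. the `var_multiple_time_servers` list in the ntp hunks and the free-text `login_banner_text` in the banner hunks, can legitimately contain spaces or shell metacharacters. A one-line comment at the macro definition, `# Emits a quoted assignment of the selected XCCDF Value to a variable of the same name`, would let remediation authors rely on that. This point applies to every converted hunk in this commit and is not repeated below.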
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
index 56db8f5d17..b23deffb09 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_time_service_set_maxpoll
+{{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}}
 config_file="/etc/ntp.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
index 2297f4fb5a..9add69d367 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 config_file="/etc/ntp.conf"
 /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
index c11c443785..0a3f63640c 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 config_file="/etc/ntp.conf"
 /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
index e566219788..571a339d48 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_all
 . /usr/share/scap-security-guide/remediation_functions
-populate var_multiple_time_servers
+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
 config_file="/etc/chrony.conf"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
index 396445b908..408c97d45a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_disable_compression
+{{{ bash_instantiate_variables("var_sshd_disable_compression") }}}
 replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
index 06dfd3492a..0ff698a54c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
-populate sshd_idle_timeout_value
+{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}}
 replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
index cbfb0f367e..f0be6ea6ce 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_set_keepalive
+{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
 {{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
index eebe07158c..2451c164cb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate sshd_max_auth_tries_value
+{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}}
 {{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}
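Review bot: `$sshd_idle_timeout_value` is passed to replace_or_append unquoted on the last line of the sshd_set_idle_timeout hunk, whereas the sibling hunks for sshd_disable_compression, sshd_use_approved_ciphers and sshd_use_approved_macs all quote their value. An empty value, or one containing whitespace, shifts the positional arguments so that `'@CCENUM@'` becomes the value written next to ClientAliveInterval in sshd_config. The line is unchanged by this commit, but the assignment right above it is being rewritten, so this is the moment to make it `replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' "$sshd_idle_timeout_value" '@CCENUM@' '%s %s'`.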
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
index fc0a1d8b42..2fecde6a96 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -7,6 +7,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_max_sessions
+{{{ bash_instantiate_variables("var_sshd_max_sessions") }}}
 {{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
index 6d3bb06047..5facd9aa14 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate sshd_approved_ciphers
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
 replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
index 2972022b52..ec475c186d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
@@ -3,6 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate sshd_approved_macs
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
 replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
index bf702ac80c..62180a1f83 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
@@ -6,6 +6,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sshd_priv_separation
+{{{ bash_instantiate_variables("var_sshd_priv_separation") }}}
 {{{ bash_sshd_config_set(parameter="UsePrivilegeSeparation", value="$var_sshd_priv_separation") }}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
index f390b7be88..8bc689dae9 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
@@ -3,7 +3,7 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sssd_memcache_timeout
+{{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}}
 SSSD_CONF="/etc/sssd/sssd.conf"
 MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
index 4d1a14efdf..e957d1c689 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
@@ -3,7 +3,7 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-populate var_sssd_ssh_known_hosts_timeout
+{{{ bash_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
 SSSD_CONF="/etc/sssd/sssd.conf"
 SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
index 30449d5e9d..f6d5f1603b 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
 # Multiple regexes transform the banner regex into a usable banner
 # 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
index d731063b5a..4a3844a7eb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
 # Multiple regexes transform the banner regex into a usable banner
 # 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
index 85ddd893c6..0f60c14e36 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
 . /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
 # Multiple regexes transform the banner regex into a usable banner
 # 0 - Remove anchors around the banner text
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
index d24dacb81c..15a5d79ebf 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 6
 . /usr/share/scap-security-guide/remediation_functions
-populate login_banner_text
+{{{ bash_instantiate_variables("login_banner_text") }}}
 # Install GConf2 package if not installed
 if ! rpm -q GConf2; then
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index 1456d0f371..e0dabe67e0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate var_password_pam_unix_remember
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
 AUTH_FILES[0]="/etc/pam.d/system-auth"
 AUTH_FILES[1]="/etc/pam.d/password-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
index 58ea0f37af..3157d341cb 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_deny
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
 {{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
index b03dd30d13..87310288c1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
@@ -3,6 +3,6 @@
 # include our remediation functions library
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_fail_interval
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
 {{{ bash_set_faillock_option("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
index daaab487f6..7e36721d5f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_passwords_pam_faillock_unlock_time
+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
 {{{ bash_set_faillock_option("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
index a4e1c47a89..f69152b225 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux
 . /usr/share/scap-security-guide/remediation_functions
-populate var_password_pam_retry
+{{{ bash_instantiate_variables("var_password_pam_retry") }}}
 if grep -q "retry=" /etc/pam.d/system-auth ; then
 sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
index 5a63a4258d..4e80be4faf 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
@@ -5,7 +5,7 @@
 # disruption = low
 . /usr/share/scap-security-guide/remediation_functions
-populate var_smartcard_drivers
+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
 OPENSC_TOOL="/usr/bin/opensc-tool"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
index 421ec55598..7c763a8778 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
@@ -5,7 +5,7 @@
 # disruption = low
 . /usr/share/scap-security-guide/remediation_functions
-populate var_smartcard_drivers
+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
 OPENSC_TOOL="/usr/bin/opensc-tool"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
index 299a519e24..c8c2a90e4c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate var_account_disable_post_pw_expiration
+{{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '@CCENUM@' '%s=%s'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
index 9c61548d3a..135eb49d78 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_maximum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
 grep -q ^PASS_MAX_DAYS /etc/login.defs && \
 sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
index ad2d515949..b9c6aade42 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_fedora
 . /usr/share/scap-security-guide/remediation_functions
 declare var_accounts_minimum_age_login_defs
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 grep -q ^PASS_MIN_DAYS /etc/login.defs && \
 sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
index 4221a32e15..8e28c756bf 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
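Review bot: `declare var_accounts_minimum_age_login_defs` on the line before the macro call in the accounts_minimum_age_login_defs/bash/fedora.sh hunk survives the conversion, while the rhel6.sh and shared.sh hunks of the same rule carry no such line, so the three variants now set up the variable differently for no visible reason. If `bash_instantiate_variables` emits an assignment (its definition is not in this patch, so I cannot confirm it), the `declare` is dead and should be dropped; if the macro instead depends on a prior declaration, the other converted files lack it and that requirement belongs in a comment at the macro. The same leftover `declare` appears in the accounts_password_minlen_login_defs/bash/shared.sh, accounts_password_warn_age_login_defs/bash/fedora.sh and accounts_password_warn_age_login_defs/bash/wrlinux.sh hunks.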
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 6
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 grep -q ^PASS_MIN_DAYS /etc/login.defs && \
 sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
index 403a40ccb2..870b5b1c7c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_minimum_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 grep -q ^PASS_MIN_DAYS /etc/login.defs && \
 sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
index 688cf2d04f..eb4121394c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
@@ -1,7 +1,7 @@
 # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
 . /usr/share/scap-security-guide/remediation_functions
 declare var_accounts_password_minlen_login_defs
-populate var_accounts_password_minlen_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
 grep -q ^PASS_MIN_LEN /etc/login.defs && \
 sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
index 8289cbffd8..98a6381af4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_fedora
 . /usr/share/scap-security-guide/remediation_functions
 declare var_accounts_password_warn_age_login_defs
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
 grep -q ^PASS_WARN_AGE /etc/login.defs && \
 sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
index 155a12d534..922158064b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 6
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
 grep -q ^PASS_WARN_AGE /etc/login.defs && \
 sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
index eaf461d0cd..800eecc802 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
 . /usr/share/scap-security-guide/remediation_functions
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
 grep -q ^PASS_WARN_AGE /etc/login.defs && \
 sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
index 8f3524312c..fed1c7bafa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
@@ -1,7 +1,7 @@
 # platform = multi_platform_wrlinux
 . /usr/share/scap-security-guide/remediation_functions
 declare var_accounts_password_warn_age_login_defs
-populate var_accounts_password_warn_age_login_defs
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
 grep -q ^PASS_WARN_AGE /etc/login.defs && \
 sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
index 2a06038be4..a8a77c12b8 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
@@ -4,6 +4,6 @@
 . /usr/share/scap-security-guide/remediation_functions
 # Set variables
-populate var_accounts_fail_delay
+{{{ bash_instantiate_variables("var_accounts_fail_delay") }}}
 replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
index 0d2f103b31..65066e77ce 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
@@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_max_concurrent_login_sessions +{{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} if grep -q '^[^#]*\' /etc/security/limits.d/*.conf; then sed -i "/^[^#]*\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh index 93c34fb59f..31b2872628 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_tmout +{{{ bash_instantiate_variables("var_accounts_tmout") }}} if grep --silent ^TMOUT /etc/profile ; then sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh index c707ec31c7..a83016964e 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh 
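Review bot: In the accounts_tmout hunk the value is written into /etc/profile as `TMOUT=$var_accounts_tmout` with no check that it is an integer, so a malformed value produces a `TMOUT=` line that bash will not enforce as a timeout, and the remediation reports success anyway. A guard immediately after the macro call keeps that out: `[[ "$var_accounts_tmout" =~ ^[0-9]+$ ]] || { echo "var_accounts_tmout must be an integer" >&2; exit 1; }`. The `if grep --silent ^TMOUT` block continues outside the hunk.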
@@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_user_umask +{{{ bash_instantiate_variables("var_accounts_user_umask") }}} grep -q umask /etc/bashrc && \ sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh index 0289a93c96..716dede405 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_user_umask +{{{ bash_instantiate_variables("var_accounts_user_umask") }}} grep -q umask /etc/csh.cshrc && \ sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh index 0fcc273705..f74cbfe5af 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh @@ -1,5 +1,5 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_user_umask +{{{ bash_instantiate_variables("var_accounts_user_umask") }}} replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '@CCENUM@' '%s %s' 
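Review bot: The `grep -q umask` / `sed -i "s/umask.*/umask $var_accounts_user_umask/g"` pair in the accounts_umask_etc_bashrc hunk is unanchored, so any line in /etc/bashrc that merely mentions umask — a comment, for instance — is truncated and rewritten into an executable `umask <value>` statement, and the grep alone is enough to take the sed path even when no real umask line exists. Anchoring on a leading umask token limits the edit to actual statements: `sed -i "s/^\([[:space:]]*\)umask.*/\1umask $var_accounts_user_umask/" /etc/bashrc`. The accounts_umask_etc_csh_cshrc hunk on this line has the same pattern against /etc/csh.cshrc.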
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh index 198cba5772..12acd6e90f 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_user_umask +{{{ bash_instantiate_variables("var_accounts_user_umask") }}} grep -q umask /etc/profile && \ sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh index 517f384f22..0e3d32fd36 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions -populate var_audispd_remote_server +{{{ bash_instantiate_variables("var_audispd_remote_server") }}} {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} AUDITCONFIG=/etc/audit/audisp-remote.conf 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh index 6b953f8d96..2b17ddd89b 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_disk_error_action +{{{ bash_instantiate_variables("var_auditd_disk_error_action") }}} # # If disk_error_action present in /etc/audit/auditd.conf, change value diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh index 3092d92076..adc4c21e5f 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh @@ -3,6 +3,6 @@ # Include source function library. . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_disk_full_action +{{{ bash_instantiate_variables("var_auditd_disk_full_action") }}} replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "@CCENUM@" diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh index b81a26fef3..ab056b0e54 100644 
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_action_mail_acct +{{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}} AUDITCONFIG=/etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh index c9435c91ec..0c23a906ea 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh @@ -1,7 +1,7 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_admin_space_left_action +{{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}} AUDITCONFIG=/etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh index 17dea67b36..efe151c683 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh 
@@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_flush +{{{ bash_instantiate_variables("var_auditd_flush") }}} AUDITCONFIG=/etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh index d1e044e5b6..9f40589027 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_max_log_file +{{{ bash_instantiate_variables("var_auditd_max_log_file") }}} AUDITCONFIG=/etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh index 1b51d54b5d..42f987dde4 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_max_log_file_action +{{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} AUDITCONFIG=/etc/audit/auditd.conf 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh index 6d671e1b8d..797c28a0f8 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_all . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_num_logs +{{{ bash_instantiate_variables("var_auditd_num_logs") }}} AUDITCONFIG=/etc/audit/auditd.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh index 8dc69e8313..77e622c1ac 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_space_left +{{{ bash_instantiate_variables("var_auditd_space_left") }}} grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh index e5f45efcf2..1d2b211cdf 100644 
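Review bot: The `grep -q ... && \ sed -i ... || \` chain in the auditd_data_retention_space_left hunk takes the `||` branch not only when no space_left line exists but also when sed itself fails, for example on a read-only /etc/audit/auditd.conf, so the fallback that continues outside the hunk can run after a half-failed edit. An explicit `if grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf; then ... else ... fi` says what is meant. A `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]] || exit 1` check after the macro call would also keep a malformed value from being written into auditd.conf, where auditd rejects the whole configuration.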
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions -populate var_auditd_space_left_action +{{{ bash_instantiate_variables("var_auditd_space_left_action") }}} # # If space_left_action present in /etc/audit/auditd.conf, change value diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh index 2557815651..836f0af279 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh @@ -2,6 +2,6 @@ . /usr/share/scap-security-guide/remediation_functions -populate rsyslog_remote_loghost_address +{{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '@CCENUM@' '%s %s' diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh index fcf387e592..0a698d3c9f 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh 
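Review bot: `rsyslog_remote_loghost_address` is written into /etc/rsyslog.conf as `"@@$rsyslog_remote_loghost_address"` with no check on the value, and the `@@` prefix selects plain TCP forwarding, so every log line goes unencrypted to whatever host string the value holds; an empty value yields a dangling `*.* @@` entry. A minimal guard before the replace_or_append is one line: `[ -n "$rsyslog_remote_loghost_address" ] || { echo "rsyslog_remote_loghost_address is empty" >&2; exit 1; }`. A comment at the call that this configures unencrypted TCP forwarding and that transport protection is outside this rule would stop readers from assuming otherwise.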
@@ -8,7 +8,7 @@ {{{ bash_package_install("firewalld") }}} -populate firewalld_sshd_zone +{{{ bash_instantiate_variables("firewalld_sshd_zone") }}} # This assumes that firewalld_sshd_zone is one of the pre-defined zones if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh index 947872bb21..1a15167ab0 100644 --- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh +++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 6 . /usr/share/scap-security-guide/remediation_functions -populate var_umask_for_daemons +{{{ bash_instantiate_variables("var_umask_for_daemons") }}} grep -q ^umask /etc/init.d/functions && \ sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh index 175e10c24c..f689f4b2a1 100644 --- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh +++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 . /usr/share/scap-security-guide/remediation_functions -populate var_umask_for_daemons +{{{ bash_instantiate_variables("var_umask_for_daemons") }}} grep -q ^umask /etc/init.d/functions && \ sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh index b4f79c97f9..d84c8acc3f 100644 
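Review bot: `firewalld_sshd_zone` is interpolated straight into the path `/etc/firewalld/zones/${firewalld_sshd_zone}.xml`, and the comment above the test admits the code only assumes it names a predefined zone; a value containing `/` or `..` aims the `-f` test at an arbitrary file, and a misspelt zone silently takes the not-a-file branch whose body is outside the hunk. A character whitelist right after the macro call needs no running daemon: `[[ "$firewalld_sshd_zone" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid firewalld zone name: $firewalld_sshd_zone" >&2; exit 1; }`. This matters more now that the commit message anticipates values that no scanner has validated.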
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh @@ -7,6 +7,6 @@ # Include source function library. . /usr/share/scap-security-guide/remediation_functions -populate var_selinux_policy_name +{{{ bash_instantiate_variables("var_selinux_policy_name") }}} {{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh index 645a7acab4..ad53e52aac 100644 --- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh @@ -7,7 +7,7 @@ # Include source function library. . /usr/share/scap-security-guide/remediation_functions -populate var_selinux_state +{{{ bash_instantiate_variables("var_selinux_state") }}} {{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh index ef8af07aa0..ab0462e53f 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh 
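Review bot: `var_selinux_policy_name` is written to SELINUXTYPE via `bash_selinux_config_set` with no check that a policy of that name is installed; a SELINUXTYPE with no matching tree under /etc/selinux may leave the system unable to load any policy at the next boot, which is a worse state than the one being remediated. Checking for the policy directory before the write is one line: `[ -d "/etc/selinux/$var_selinux_policy_name" ] || { echo "no installed SELinux policy named $var_selinux_policy_name" >&2; exit 1; }`.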
@@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate inactivity_timeout_value +{{{ bash_instantiate_variables("inactivity_timeout_value") }}} {{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings") }}} {{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh index 124c14737e..5c37b1d913 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_screensaver_lock_delay +{{{ bash_instantiate_variables("var_screensaver_lock_delay") }}} {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", "local.d", "00-security-settings") }}} {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh index e1947f3df0..77b8a647ca 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh 
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 6 . /usr/share/scap-security-guide/remediation_functions -populate inactivity_timeout_value +{{{ bash_instantiate_variables("inactivity_timeout_value") }}} # Install GConf2 package if not installed if ! rpm -q GConf2; then diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh index fb3ed9fe76..d37f1263d2 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh @@ -3,7 +3,7 @@ # include remediation functions library . /usr/share/scap-security-guide/remediation_functions -populate var_system_crypto_policy +{{{ bash_instantiate_variables("var_system_crypto_policy") }}} stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) rc=$? diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh index 80193ae1e5..c342acf36d 100644 --- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh +++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_authorized_local_users_regex +{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}} # never delete the root user default_os_user="root" 
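Review bot: `${var_system_crypto_policy}` is passed to `update-crypto-policies --set` unquoted in the configure_crypto_policy hunk, so a value containing whitespace word-splits into extra arguments instead of failing cleanly; quote it: `stderr_of_call=$(update-crypto-policies --set "${var_system_crypto_policy}" 2>&1 > /dev/null)`. Since the commit message says the macro is meant to also carry values that no scanner validated, a pre-check that `/usr/share/crypto-policies/policies/${var_system_crypto_policy}.pol` exists, if the policy definitions live at that usual location, would turn a typo into a clear error before the system-wide policy is touched.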
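Review bot: `var_accounts_authorized_local_users_regex` decides which local accounts are kept, judging by the `# never delete the root user` guard that follows it in the accounts_authorized_local_users hunk, yet nothing checks that the instantiated value is non-empty before it is used; depending on how the pattern is applied in the code outside the hunk, an empty or mistyped regex can match everything or nothing and send every non-root account down the deletion path. A guard directly after the macro call limits the blast radius: `[ -n "$var_accounts_authorized_local_users_regex" ] || { echo "authorized local users regex is empty" >&2; exit 1; }`. The sidadm_orasid sibling on the next line has the same structure.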
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh index c361e4c766..9d444d297d 100644 --- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh +++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_ol . /usr/share/scap-security-guide/remediation_functions -populate var_accounts_authorized_local_users_regex +{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}} # never delete the root user default_os_user="root" diff --git a/shared/templates/template_BASH_accounts_password b/shared/templates/template_BASH_accounts_password index 688185365c..2de2652881 100644 --- a/shared/templates/template_BASH_accounts_password +++ b/shared/templates/template_BASH_accounts_password @@ -4,7 +4,7 @@ # complexity = low # disruption = low . /usr/share/scap-security-guide/remediation_functions -populate var_password_pam_{{{ VARIABLE }}} +{{{ bash_instantiate_variables("var_password_pam_" + VARIABLE) }}} {{% if product == "rhel6" %}} {{# There is no package libpwquality for RHEL6 #}} diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions index 5293bffc1a..5b0e8161c6 100644 --- a/shared/templates/template_BASH_mount_option_removable_partitions +++ b/shared/templates/template_BASH_mount_option_removable_partitions @@ -4,7 +4,7 @@ # Include source function library. . /usr/share/scap-security-guide/remediation_functions -populate var_removable_partition +{{{ bash_instantiate_variables("var_removable_partition") }}} device_regex="^\s*$var_removable_partition\s\+" mount_option="{{{ MOUNTOPTION }}}" 
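Review bot: `device_regex="^\s*$var_removable_partition\s\+"` in the template_BASH_mount_option_removable_partitions hunk uses the device value as a raw regex fragment, so characters that are legal in an fstab device field but special in a regex — `.` in a /dev/disk/by-id path, or `[` and `]` — change the pattern's meaning instead of being matched literally, and an unescaped `.` can match unintended entries. Escape the value before splicing it in: `dev_esc=$(printf '%s' "$var_removable_partition" | sed 's|[][\.*^$/]|\\&|g')` followed by `device_regex="^\s*${dev_esc}\s\+"`. Where the regex is applied is outside the hunk.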
diff --git a/shared/templates/template_BASH_sebool b/shared/templates/template_BASH_sebool index 96b71ba726..e9aab9d981 100644 --- a/shared/templates/template_BASH_sebool +++ b/shared/templates/template_BASH_sebool @@ -9,7 +9,7 @@ {{% if SEBOOL_BOOL %}} setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}} {{% else %}} -populate var_{{{ SEBOOLID }}} +{{{ bash_instantiate_variables("var_" + SEBOOLID) }}} setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}} {{% endif %}} diff --git a/shared/templates/template_BASH_sysctl b/shared/templates/template_BASH_sysctl index 4ee57967dc..a87d63d038 100644 --- a/shared/templates/template_BASH_sysctl +++ b/shared/templates/template_BASH_sysctl @@ -5,7 +5,7 @@ # disruption = medium . /usr/share/scap-security-guide/remediation_functions {{%- if SYSCTLVAL == "" %}} -populate sysctl_{{{ SYSCTLID }}}_value +{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} # # Set runtime for {{{ SYSCTLVAR }}} From 359c54f7b59ad70a9ce9a1053a28ee91ec4a6fa2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 4 Sep 2020 12:30:45 +0200 Subject: [PATCH 3/3] Replaced XCCDF value instantiation in Ansible by a macro call. The former - (xccdf-var ...) mechanism is not Ansible, and jinja is well-established in our project as an interface between user input and final content. --- .../postfix_network_listening_disabled/ansible/shared.yml | 2 +- .../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +- .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml | 2 +- .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 2 +- .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 2 +- .../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +- .../accounts-banners/banner_etc_motd/ansible/shared.yml | 2 +- .../dconf_gnome_login_banner_text/ansible/shared.yml | 2 +- .../accounts_password_pam_unix_remember/ansible/shared.yml | 2 +- .../accounts_passwords_pam_faillock_deny/ansible/shared.yml | 2 +- .../accounts_passwords_pam_faillock_interval/ansible/shared.yml | 2 +- .../ansible/shared.yml | 2 +- .../accounts_password_pam_retry/ansible/shared.yml | 2 +- .../configure_opensc_card_drivers/ansible/shared.yml | 2 +- .../force_opensc_card_drivers/ansible/shared.yml | 2 +- .../account_disable_post_pw_expiration/ansible/shared.yml | 2 +- .../accounts_maximum_age_login_defs/ansible/shared.yml | 2 +- .../accounts_minimum_age_login_defs/ansible/shared.yml | 2 +- .../accounts_password_minlen_login_defs/ansible/shared.yml | 2 +- .../accounts_password_warn_age_login_defs/ansible/shared.yml | 2 +- 
.../accounts_logon_fail_delay/ansible/shared.yml | 2 +- .../accounts/accounts-session/accounts_tmout/ansible/shared.yml | 2 +- .../user_umask/accounts_umask_etc_bashrc/ansible/shared.yml | 2 +- .../user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml | 2 +- .../user_umask/accounts_umask_etc_login_defs/ansible/shared.yml | 2 +- .../user_umask/accounts_umask_etc_profile/ansible/shared.yml | 2 +- .../auditd_audispd_configure_remote_server/ansible/shared.yml | 2 +- .../auditd_data_disk_error_action/ansible/shared.yml | 2 +- .../auditd_data_disk_full_action/ansible/shared.yml | 2 +- .../auditd_data_retention_action_mail_acct/ansible/shared.yml | 2 +- .../ansible/shared.yml | 2 +- .../auditd_data_retention_flush/ansible/shared.yml | 2 +- .../auditd_data_retention_max_log_file/ansible/shared.yml | 2 +- .../ansible/shared.yml | 2 +- .../auditd_data_retention_num_logs/ansible/shared.yml | 2 +- .../auditd_data_retention_space_left/ansible/shared.yml | 2 +- .../auditd_data_retention_space_left_action/ansible/shared.yml | 2 +- .../rsyslog_remote_loghost/ansible/shared.yml | 2 +- .../dconf_gnome_screensaver_idle_delay/ansible/shared.yml | 2 +- .../integrity/crypto/configure_crypto_policy/ansible/shared.yml | 2 +- .../template_ANSIBLE_mount_option_removable_partitions | 2 +- 47 files changed, 47 insertions(+), 47 deletions(-) diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml index f3d2af7614..e1c9d00d20 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml 
@@ -3,7 +3,7 @@ # strategy = restrict # complexity = low # disruption = low -- (xccdf-var var_postfix_inet_interfaces) +{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}} - name: "Gather list of packages" package_facts: diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml index 0c812bdc2a..37cc359263 100644 --- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = configure # complexity = low # disruption = low -- (xccdf-var var_multiple_time_servers) +{{{ ansible_instantiate_variables("var_multiple_time_servers") }}} - name: "Detect if chrony is already configured with pools or servers" find: diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml index 3985d03542..2553a4d2e5 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml @@ -11,7 +11,7 @@ with_items: - firewalld -- (xccdf-var sshd_listening_port) +{{{ ansible_instantiate_variables("sshd_listening_port") }}} - name: Enable SSHD in firewalld (custom port) firewalld: diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml index affc65e2f5..2fdc9a2f22 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml 
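Review bot: The new `{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}}` sits at column 0 in the middle of a task list, so the macro must expand to a complete list item (presumably a `set_fact` task) for the playbook to remain valid YAML, and nothing at the call site tells a reader that; the former `- (xccdf-var ...)` marker at least looked like a list entry. A one-line comment above the call makes the contract explicit: `# expands to a task that sets var_postfix_inet_interfaces from the XCCDF value`. The `package_facts` task that follows continues outside the hunk.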
@@ -3,6 +3,6 @@ # strategy = restrict # complexity = low # disruption = low -- (xccdf-var sshd_idle_timeout_value) +{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}} {{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml index 52600fd46e..9ce28bafc7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml @@ -3,6 +3,6 @@ # strategy = restrict # complexity = low # disruption = low -- (xccdf-var var_sshd_set_keepalive) +{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}} {{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml index 28f3ef0cd2..16e3130240 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml @@ -3,6 +3,6 @@ # strategy = restrict # complexity = low # disruption = low -- (xccdf-var sshd_max_auth_tries_value) +{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}} {{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml index 6612c6a485..3f8b6f6013 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml 
@@ -3,6 +3,6 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_sshd_max_sessions)
+{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}}
 
 {{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
index 1ec8f045e8..89ac2df9db 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var sshd_approved_ciphers)
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
 
 {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
index 1a09a3197c..1a9b6990e9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var sshd_approved_macs)
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
 
 {{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_approved_macs }}") }}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index a2213508a1..dd89d1f443 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var var_sssd_memcache_timeout)
+{{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}}
 
 - name: "Test for domain group"
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index ea487c60b3..5bbe0ecef8 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var var_sssd_ssh_known_hosts_timeout)
+{{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
 
 - name: "Test for domain group"
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index 21f0925268..f3a0c85ea5 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
 
 - name: "{{{ rule_title }}} - remove incorrect banner"
   file:
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
index dfc1c519b7..15eb3cc1cb 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
 
 - name: "{{{ rule_title }}} - remove incorrect banner"
   file:
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
index 40cce05fbc..993916287c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var login_banner_text)
+{{{ ansible_instantiate_variables("login_banner_text") }}}
 
 - name: "{{{ rule_title }}}"
   file:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
index 4198e524e8..75787c429d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- (xccdf-var var_password_pam_unix_remember)
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
 
 - name: "Do not allow users to reuse recent passwords - system-auth (change)"
   replace:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
index d2b08c0e14..0622ae769c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_deny)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
 
 - name: Add auth pam_faillock preauth deny before pam_unix.so
   pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
index 7961a9eb54..96adcef63d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
 
 - name: Add auth pam_faillock preauth fail_interval before pam_unix.so
   pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
index 9b49e56ba8..db44ce4f63 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time)
+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
 
 - name: Add auth pam_faillock preauth unlock_time before pam_unix.so
   pamd:
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
index 6795f08939..ab351a26e5 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = medium
-- (xccdf-var var_password_pam_retry)
+{{{ ansible_instantiate_variables("var_password_pam_retry") }}}
 
 - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)"
   replace:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
index 904d62c517..376027543b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_smartcard_drivers)
+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
 
 - name: Check existence of opensc conf
   stat:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
index 13058a7ad6..f05423c0cb 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_smartcard_drivers)
+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
 
 - name: Check existence of opensc conf
   stat:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
index fe4826baed..11a6bc5467 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_account_disable_post_pw_expiration)
+{{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 
 - name: Set Account Expiration Following Inactivity
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
index 452ff3bb41..a85f9fc6fa 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_maximum_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
 
 - name: Set Password Maximum Age
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
index 5c94bc8028..e394f26d7a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_minimum_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 
 - name: Set Password Minimum Age
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
index 247aee3bff..eee37bda68 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_password_minlen_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
 
 - name: "Set Password Minimum Length in login.defs"
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
index b5eb75ecf9..1091f8c854 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_password_warn_age_login_defs)
+{{{ ansible_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
 
 - name: "Set Password Warning Age"
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
index d3e4742c79..0b45abb25d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # reboot = true
-- (xccdf-var var_accounts_fail_delay)
+{{{ ansible_instantiate_variables("var_accounts_fail_delay") }}}
 
 - name: Set accounts logon fail delay
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
index d17154b57e..2c3049006d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_tmout)
+{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
 
 {{{ ansible_etc_profile_set(parameter='TMOUT', value='{{ var_accounts_tmout }}') }}}
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
index 43e03834a4..0255963a14 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
 - name: Set user umask in /etc/bashrc
   replace:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
index 7c6b465f83..fa956cff6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
 - name: Set user umask in /etc/csh.cshrc
   replace:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
index 449364f304..309b68a58f 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
 - name: Ensure the Default UMASK is Set Correctly
   lineinfile:
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
index 1b7d188c9e..fe12edac8b 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_accounts_user_umask)
+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
 - name: Set user umask in /etc/profile
   replace:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
index 3296b9deb2..b3f245c998 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = low
-- (xccdf-var var_audispd_remote_server)
+{{{ ansible_instantiate_variables("var_audispd_remote_server") }}}
 
 {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
 {{% set audisp_config_file_path = "/etc/audit/audisp-remote.conf" %}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
index beba66af07..06f4a10c6f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_disk_error_action)
+{{{ ansible_instantiate_variables("var_auditd_disk_error_action") }}}
 
 - name: Configure auditd Disk Error Action on Disk Error
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
index 2b72085912..60b1e912ce 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_disk_full_action)
+{{{ ansible_instantiate_variables("var_auditd_disk_full_action") }}}
 
 - name: Configure auditd Disk Full Action when Disk Space Is Full
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
index 6a6d0ce4a4..48fe7aced4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_action_mail_acct)
+{{{ ansible_instantiate_variables("var_auditd_action_mail_acct") }}}
 
 - name: Configure auditd mail_acct Action on Low Disk Space
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
index ff63a15de8..93d076fa6f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_admin_space_left_action)
+{{{ ansible_instantiate_variables("var_auditd_admin_space_left_action") }}}
 
 - name: Configure auditd admin_space_left Action on Low Disk Space
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
index 4a5f45c14b..f909e5ec22 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_flush)
+{{{ ansible_instantiate_variables("var_auditd_flush") }}}
 
 - name: Configure auditd Flush Priority
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
index d497d27e20..65c77aa3cd 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_max_log_file)
+{{{ ansible_instantiate_variables("var_auditd_max_log_file") }}}
 
 - name: Configure auditd Max Log File Size
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
index 48df854986..595959e029 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_max_log_file_action)
+{{{ ansible_instantiate_variables("var_auditd_max_log_file_action") }}}
 
 - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
index 8dfa5ce0cd..6fe9e0145e 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_num_logs)
+{{{ ansible_instantiate_variables("var_auditd_num_logs") }}}
 
 - name: Configure auditd Number of Logs Retained
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
index f4af7a6aa9..6db7ffbd34 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_space_left)
+{{{ ansible_instantiate_variables("var_auditd_space_left") }}}
 
 - name: Configure auditd space_left on Low Disk Space
   lineinfile:
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
index 5b4a101a1c..04062e34a6 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_auditd_space_left_action)
+{{{ ansible_instantiate_variables("var_auditd_space_left_action") }}}
 
 - name: Configure auditd space_left Action on Low Disk Space
   lineinfile:
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
index 316171df9b..407e1be3ab 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var rsyslog_remote_loghost_address)
+{{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}}
 
 - name: "Set rsyslog remote loghost"
   lineinfile:
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
index e8a802d48c..81270d1adb 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = unknown
 # complexity = low
 # disruption = medium
-- (xccdf-var inactivity_timeout_value)
+{{{ ansible_instantiate_variables("inactivity_timeout_value") }}}
 
 - name: "Set GNOME3 Screensaver Inactivity Timeout"
   ini_file:
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
index 9d3f9c0c65..09b6dbc855 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
@@ -3,7 +3,7 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- (xccdf-var var_system_crypto_policy)
+{{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
 
 - name: "{{{ rule_title }}}"
   lineinfile:
diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
index 374499261d..346f5fe3de 100644
--- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions
+++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
@@ -3,7 +3,7 @@
 # strategy = configure
 # complexity = low
 # disruption = high
-- (xccdf-var var_removable_partition)
+{{{ ansible_instantiate_variables("var_removable_partition") }}}
 
 - name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition
   lineinfile: