{{#
How to log in to a Red Hat CoreOS Node
#}}
{{% macro rhcos_node_login_instructions() -%}}
As a user with administrator privileges, log into a node in the relevant pool:
$ oc debug node/$NODE_NAME
At the sh-4.4#
prompt, run:
# chroot /host
{{% endmacro %}}
{{# OC macros #}}
{{#
Macro that creates a check from :code:`oc` output
#}}
{{% macro ocil_oc_pipe_jq_filter(object, jqfilter, namespace=none, all_namespaces=false) -%}}
$ oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ namespace }}}{{% endif %}} {{{ object }}} -o json | jq '{{{ jqfilter }}}'
{{%- endmacro %}}
{{% macro sshd_config_file() %}}
{{% if sshd_distributed_config == "true" %}}
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
{{% else %}}
/etc/ssh/sshd_config:
{{% endif %}}
{{%- endmacro %}}
{{# Audit macros #}}
{{#
Standard audit OCIL clause
#}}
{{%- macro ocil_clause_audit() -%}}
the command does not return a line, or the line is commented out
{{%- endmacro %}}
{{#
OCIL and OCIL clause for ensuring that a privileged command is audited.
:param cmd: The command to audit
:type cmd: str
:param path_prefix: The directory the command is in
:type path_prefix: str
#}}
{{% macro complete_ocil_entry_audit_privileged_commands(cmd, path_prefix, key) %}}
ocil_clause: '{{{ ocil_clause_audit() }}}'
ocil: |-
Verify that {{{ full_name }}} is configured to audit the execution of the "{{{ cmd }}}" command with the following command:
$ sudo auditctl -l | grep {{{ cmd }}}
-a always,exit -F path={{{ path_prefix }}}{{{ cmd }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -k {{% if key %}}{{{ key }}}{{% else %}}privileged-{{{ cmd }}}{{% endif %}}
{{% endmacro %}}
{{#
OCIL for adding a syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro ocil_audit_syscall(syscall) -%}}
To determine if the system is configured to audit calls to the
{{{ syscall }}} system call, run the following command:
$ sudo grep "{{{ syscall }}}" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
{{#
OCIL clause for adding a syscall to audit logs
#}}
{{% macro ocil_clause_entry_audit_syscall() -%}}
ocil_clause: "no line is returned"
{{%- endmacro %}}
{{#
OCIL and OCIL clause for adding a syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro complete_ocil_entry_audit_syscall(syscall) -%}}
ocil: |
{{{ ocil_audit_syscall(syscall) }}}
{{{ ocil_clause_entry_audit_syscall() }}}
{{%- endmacro %}}
{{#
OCIL for adding a successful syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro ocil_audit_successful_syscall(syscall) -%}}
To determine if the system is configured to audit successful calls
to the {{{ syscall }}} system call, run the following command:
$ sudo grep "{{{ syscall }}}" /etc/audit.*
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
{{#
OCIL for adding a unsuccessful syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro ocil_audit_unsuccessful_syscall(syscall) -%}}
To determine if the system is configured to audit unsuccessful calls
to the {{{ syscall }}} system call, run the following command:
$ sudo grep "{{{ syscall }}}" /etc/audit.*
If the system is configured to audit this activity, it will return a line.
{{%- endmacro %}}
{{#
OCIL and OCIL clause for adding a successful syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro complete_ocil_entry_audit_successful_syscall(syscall) -%}}
ocil: |
{{{ ocil_audit_successful_syscall(syscall) }}}
{{{ ocil_clause_entry_audit_syscall() }}}
{{%- endmacro %}}
{{#
OCIL and OCIL clause for adding a unsuccessful syscall to audit logs
:param syscall: The syscall to audit
:type syscall: str
#}}
{{% macro complete_ocil_entry_audit_unsuccessful_syscall(syscall) -%}}
ocil: |
{{{ ocil_audit_unsuccessful_syscall(syscall) }}}
{{{ ocil_clause_entry_audit_syscall() }}}
{{%- endmacro %}}
{{# Package macros #}}
{{#
Describe how to check if a package is installed with rpm.
:param package: The package to check
:type package: str
#}}
{{%- macro rpm_ocil_package(package) -%}}
Run the following command to determine if the {{{ package }}} package is installed:
$ rpm -q {{{ package }}}
{{%- endmacro -%}}
{{#
Describe how to check if a package is installed with dpkg.
:param package: The package to check
:type package: str
#}}
{{%- macro dpkg_ocil_package(package) %}}
Run the following command to determine if the {{{ package }}} package is installed:
$ dpkg -l {{{ package }}}
{{%- endmacro %}}
{{#
Insert general ocil clause to check if a package is installed, substituting the
correct package management software.
:param package: Name of package
:type package: str
#}}
{{% macro ocil_package(package) -%}}
{{% if pkg_system is defined %}}
{{%- if pkg_system == "rpm" -%}}
{{{ rpm_ocil_package(package) }}}
{{%- elif pkg_system == "dpkg" -%}}
{{{ dpkg_ocil_package(package) }}}
{{%- else -%}}
JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{#
OCIL and OCIL clause how to check if a package is installed with rpm.
:param package: The package to check
:type package: str
#}}
{{%- macro rpm_complete_ocil_entry_package(package) %}}
ocil: |-
{{{ rpm_ocil_package(package) }}}
ocil_clause: "the package is installed"
{{%- endmacro %}}
{{#
OCIL and OCIL clause how to check if a package is installed with dpkg.
:param package: The package to check
:type package: str
#}}
{{%- macro dpkg_complete_ocil_entry_package(package) %}}
ocil: |-
{{{ dpkg_ocil_package(package) }}}
ocil_clause: "the package is installed"
{{%- endmacro %}}
{{#
Insert a complete OCIL block for a case when a package should be removed,
substituting the correct package management software.
:param package: Name of package
:type package: str
#}}
{{% macro complete_ocil_entry_package(package) -%}}
{{% if pkg_system is defined %}}
{{%- if pkg_system == "rpm" %}}
{{{ rpm_complete_ocil_entry_package(package) }}}
{{%- elif pkg_system == "dpkg" %}}
{{{ dpkg_complete_ocil_entry_package(package) }}}
{{%- else -%}}
ocil: |-
JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{# Service Enabled macros #}}
{{#
Describe how to check if a service is enabled via systemd.
:param service: The service to check
:type service: str
#}}
{{%- macro systemd_ocil_service_enabled(service) %}}
{{% if product == "rhcos4" -%}}
{{{ rhcos_node_login_instructions() }}}
{{%- endif %}}
Run the following command to determine the current status of the
{{{ service }}} service:
$ sudo systemctl is-active {{{ service }}}
If the service is running, it should return the following: active
{{%- endmacro %}}
{{#
Inserts an OCIL for a case when a service should be enabled,
substituting the correct init system.
:param service: Name of service
:type service: str
#}}
{{% macro ocil_service_enabled(service) -%}}
{{% if init_system is defined %}}
{{%- if init_system == "systemd" -%}}
{{{ systemd_ocil_service_enabled(service) }}}
{{%- else -%}}
JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{#
Inserts an OCIL Clause for a case when a service should be enabled.
:param service: Name of service
:type service: str
#}}
{{% macro ocil_clause_service_enabled(service) -%}}
the "{{{ service }}}" service is disabled, masked, or not started.
{{%- endmacro %}}
{{# Service Disabled macros #}}
{{#
Describe how to check if a service is disabled via systemd.
:param service: The service to check
:type service: str
#}}
{{%- macro systemd_ocil_service_disabled(service) -%}}
To check that the {{{ service }}} service is disabled in system boot configuration,
{{% if product == "rhcos4" -%}}
You'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Subsequently,
{{%- endif -%}}
run the following command:
$ sudo systemctl is-enabled {{{ service }}}
Output should indicate the {{{ service }}} service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled {{{ service }}}
disabled
Run the following command to verify {{{ service }}} is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active {{{ service }}}
If the service is not running the command will return the following output:
inactive
The service will also be masked, to check that the {{{ service }}} is masked, run the following command:
$ sudo systemctl show {{{ service }}} | grep "LoadState\|UnitFileState"
If the service is masked the command will return the following outputs:
LoadState=masked
UnitFileState=masked
{{%- endmacro %}}
{{#
Inserts an OCIL for a case when a service should be disabled,
substituting the correct init system.
:param service: Name of service
:type service: str
#}}
{{% macro ocil_service_disabled(service) -%}}
{{% if init_system is defined %}}
{{%- if init_system == "systemd" -%}}
{{{ systemd_ocil_service_disabled(service) }}}
{{%- else -%}}
JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{#
Inserts an OCIL Clause for a case when a service should be disabled.
:param service: Name of service
:type service: str
#}}
{{% macro ocil_clause_service_disabled(service) -%}}
the "{{{ service }}}" is loaded and not masked
{{%- endmacro %}}
{{# Socket and Service Disabled macros #}}
{{#
Describe how to check if service is disabled in system boot configuration with xinetd.
:param service: service to disable
:type service: str
#}}
{{%- macro xinetd_disabled_check_with_systemd(service) %}}
To check that the {{{ service }}} service is disabled in system boot configuration with xinetd, run the following command:
$ chkconfig {{{ service }}} --list
Output should indicate the {{{ service }}} service has either not been installed, or has been disabled, as shown in the example below:
$ chkconfig {{{ service }}} --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
{{{ service }}} off
{{%- endmacro %}}
{{#
Describe how to check if socket is disabled with systemd.
:param socket: The socket to check
:type socket: str
#}}
{{%- macro socket_disabled_check_with_systemd(socket) %}}
To check that the {{{ socket }}} socket is disabled in system boot configuration with systemd, run the following command:
$ systemctl is-enabled {{{ socket }}}
Output should indicate the {{{ socket }}} socket has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo systemctl is-enabled {{{ socket }}}
disabled
Run the following command to verify {{{ socket }}} is not active (i.e. not running) through current runtime configuration:
$ sudo systemctl is-active {{{ socket }}}
If the socket is not running the command will return the following output:
inactive
The socket will also be masked, to check that the {{{ socket }}} is masked, run the following command:
$ sudo systemctl show {{{ socket }}} | grep "LoadState\|UnitFileState"
If the socket is masked the command will return the following outputs:
LoadState=masked
UnitFileState=masked
{{%- endmacro %}}
{{#
OCIL and OCIL clause for ensure socket is disabled in systemd and xinetd.
:param name: The socket to check
:type name: str
#}}
{{%- macro systemd_complete_ocil_entry_socket_and_service_disabled(name) %}}
ocil: |-
{{{ xinetd_disabled_check_with_systemd(name) }}}
{{{ socket_disabled_check_with_systemd(name) }}}
ocil_clause: "service and/or socket are running"
{{%- endmacro %}}
{{#
Inserts an OCIL for a case when a service and a corresponding socket should be
disabled, substituting the correct init system.
:param service: Name of service
:type service: str
#}}
{{% macro complete_ocil_entry_socket_and_service_disabled(service) -%}}
{{% if init_system is defined %}}
{{%- if init_system == "systemd" -%}}
{{{ systemd_complete_ocil_entry_socket_and_service_disabled(service) }}}
{{%- else -%}}
ocil: |-
JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{# SSHD macros #}}
{{#
An OCIL clause for an sshd option
#}}
{{% macro ocil_clause_entry_sshd_option() -%}}
ocil_clause: "the required value is not set"
{{%- endmacro %}}
{{#
OCIL for an sshd option.
Example usage::
ocil_sshd_option(default="no", option="Banner", value="/etc/issue")
:param default: If set to yes the default value is accepted
:type default: str
:param option: The sshd option to configure
:type option: str
:param value: The value for the given option
:type value: str
#}}
{{% macro ocil_sshd_option(default, option, value) -%}}
To determine how the SSH daemon's {{{ option }}} option is set, run the following command:
{{% if sshd_distributed_config == "true" %}}
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
{{% if default == "yes" -%}}
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
{{%- endif %}}
{{% else %}}
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config
{{% endif %}}
If a line indicating {{{ value }}} is returned, then the required value is set.
{{%- endmacro %}}
{{#
OCIL and OCIL clause for and sshd option.
Example usage::
complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue")
:param default: If set to yes the default value is accepted
:type default: str
:param option: The sshd option to configure
:type option: str
:param value: The value for the given option
:type value: str
#}}
{{% macro complete_ocil_entry_sshd_option(default, option, value) -%}}
ocil: |
{{{ ocil_sshd_option(default, option, value) }}}
{{{ ocil_clause_entry_sshd_option() }}}
{{%- endmacro %}}
{{# Mount option macros #}}
{{#
The OCIL text for mount options.
:param point: The mount point to check
:type point: str
:param option: The options the mount point should have
:type option: str
#}}
{{% macro ocil_mount_option(point, option) -%}}
Verify the {{{ option }}} option is configured for the {{{ point }}} mount point,
{{% if product == "rhcos4" -%}}
You'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Subsequently,
{{%- endif -%}}
run the following command:
$ sudo mount | grep '\s{{{ point }}}\s'
. . . {{{ point }}} . . . {{{ option }}} . . .
{{%- endmacro %}}
{{#
The OCIL clause for mount options.
:param point: The mount point to check
:type point: str
:param option: The options the mount point should have
:type option: str
#}}
{{% macro ocil_clause_entry_mount_option(point, option) -%}}
ocil_clause: the "{{{ point }}}" file system does not have the "{{{ option }}}" option set
{{%- endmacro %}}
{{#
The OCIL and OCIL clause for mount options.
:param point: The mount point to check
:type point: str
:param option: The options the mount point should have
:type option: str
#}}
{{% macro complete_ocil_entry_mount_option(point, option) -%}}
ocil: |
{{{ ocil_mount_option(point, option) | indent(4) }}}
{{{ ocil_clause_entry_mount_option(point, option) }}}
{{%- endmacro %}}
{{# Partition macros #}}
{{#
Describe how to check if given path is on its own partition or logical volume.
:param part: Path to check
:type part: str
#}}
{{% macro partition_check(part) -%}}
{{% if product == "rhcos4" -%}}
You'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Subsequently,
{{%- endif -%}}
Verify that a separate file system/partition has been created for {{{ part }}} with the following command:
$ mountpoint {{{ part }}}
{{%- endmacro %}}
{{#
OCIL for how to check if given path is on its own partition or logical volume and the
correct OCIL clause.
:param part: Path to check
:type part: str
#}}
{{% macro complete_ocil_entry_separate_partition(part) -%}}
ocil: |
{{{ partition_check(part) }}}
ocil_clause: '"{{{ part }}} is not a mountpoint" is returned'
{{%- endmacro %}}
{{# Firewalld macros #}}
{{%- macro _firewalld_check(access_action, port, proto, service) %}}
To determine if firewalld is configured to {{{ access_action }}}
{{% if port is not none %}}
on port {{{ port }}}/{{{ proto }}}, run the following command(s):
firewall-cmd --list-ports
{{% endif %}}
{{% if service is not none %}}
to {{{ service }}}
firewall-cmd --list-services
{{% endif %}}
{{%- endmacro %}}
{{%- macro _firewalld_access_param_check(macroname, port, proto, service) %}}
{{%- if ((port is none) and (proto is not none)) or ((port is not none) and (proto is none)) %}}
{{{- raise(macroname ~ ": if you have proto/port you need respectively port/proto") }}}
{{%- endif %}}
{{%- if (service is none) and (port is none) %}}
{{{- raise(macroname ~ ": define either service, or port+proto") }}}
{{%- endif %}}
{{%- endmacro %}}
{{#
OCIL for allowing a port or service in firewalld. If the :code:`service` parameter is defined
it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect.
:param port: The port to allow
:type port: str
:param proto: The protocol to allow
:type proto: str
:param service: The service to allow
:type service: str
#}}
{{%- macro ocil_firewalld_allow_access(port=none, proto=none, service=none) %}}
{{{ _firewalld_access_param_check(name, port, proto, service) }}}
{{{ _firewalld_check("allow access", port, proto, service) }}}
If firewalld is configured to allow access through the firewall, something similar to the following will be output:
{{% if service is not none %}}
If it is a service:
{{{ service }}}
{{% endif %}}
{{% if port is not none %}}
If it is a port:
{{{ port }}}/{{{ proto }}}
{{% endif %}}
{{%- endmacro %}}
{{#
OCIL for preventing access a port or service in firewalld. If the :code:`service` parameter is defined
it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect.
:param port: The port to allow
:type port: int
:param proto: The protocol to allow
:type proto: str
:param service: The service to allow
:type service: str
#}}
{{%- macro ocil_firewalld_prevent_access(port=none, proto=none, service=none) %}}
{{{ _firewalld_access_param_check(name, port, proto, service) }}}
{{{ _firewalld_check("prevent access", port, proto, service) }}}
If firewalld is configured to prevent access, no output will be returned.
{{%- endmacro %}}
{{# Kernel modules macros #}}
{{#
OCIL for disabling a kernel module.
:param module: The module to disable.
:type module: str
#}}
{{%- macro ocil_module_disable(module) %}}
If the system is configured to prevent the loading of the {{{ module }}} kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event.
{{% if "ol" in families or product in ["rhel8"] %}}
These lines can also instruct the module loading system to ignore the {{{ module }}} kernel module via blacklist keyword.
{{% endif %}}
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r {{{ module }}} /etc/modprobe.conf /etc/modprobe.d
{{%- endmacro %}}
{{#
OCIL and OCIL clause for disabling a kernel module.
:param module: The module to disable.
:type module: str
#}}
{{%- macro complete_ocil_entry_module_disable(module) %}}
ocil: |-
{{{ ocil_module_disable(module) }}}
ocil_clause: "no line is returned"
{{%- endmacro %}}
{{# SELinux boolean macros #}}
{{#
OCIL and OCIL clause for how to check if given SELinux boolean is set depending on a variable.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro complete_ocil_entry_sebool_var(sebool) %}}
ocil: |-
{{{ describe_sebool_check_var(sebool) }}}
ocil_clause: "{{{ sebool }}} is not set as expected"
{{%- endmacro %}}
{{#
Describe how to check if given SELinux boolean is set depending on a variable.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro describe_sebool_check_var(sebool) %}}
Run the following command to get the current configured value for {{{ sebool }}}
SELinux boolean:
$ getsebool {{{ sebool }}}
The expected cofiguration is {{{ xccdf_value("var_" + sebool) }}}.
"on" means true, and "off" means false
{{%- endmacro %}}
{{# SELinux boolean macros #}}
{{#
Describe how to check if given SELinux boolean is disabled.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro describe_sebool_check_disabled(sebool) %}}
Run the following command to determine if the {{{ sebool }}} SELinux boolean is disabled:
$ getsebool {{{ sebool }}}
If properly configured, the output should show the following:
{{{ sebool }}} --> off
{{%- endmacro %}}
{{#
OCIL and OCIL clause for how to check if given SELinux boolean is disabled.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro complete_ocil_entry_sebool_disabled(sebool) %}}
ocil: |-
{{{ describe_sebool_check_disabled(sebool) }}}
ocil_clause: "{{{ sebool }}} is not disabled"
{{%- endmacro %}}
{{#
Describe how to check if given SELinux boolean is enabled.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro describe_sebool_check_enabled(sebool) %}}
Run the following command to determine if the {{{ sebool }}} SELinux boolean is enabled:
$ getsebool {{{ sebool }}}
If properly configured, the output should show the following:
{{{ sebool }}} --> on
{{%- endmacro %}}
{{#
OCIL and OCIL clause for how to check if given SELinux boolean is enabled.
:param sebool: The SELinux boolean to check
:type sebool: str
#}}
{{%- macro complete_ocil_entry_sebool_enabled(sebool) %}}
ocil: |-
{{{ describe_sebool_check_enabled(sebool) }}}
ocil_clause: "{{{ sebool }}} is not enabled"
{{%- endmacro %}}
{{# Timer enabled macros #}}
{{#
Describe how to check if timer is enabled in systemd.
:param timer: The timer to check
:type timer: str
#}}
{{%- macro systemd_ocil_timer_enabled(timer) %}}
Run the following command to determine the current status of the
{{{ timer }}} timer:
$ sudo systemctl is-active {{{ timer }}}.timer
If the timer is running, it should return the following: active
{{%- endmacro %}}
{{#
Inserts an OCIL for a case when a timer should be enabled,
substituting the correct init system.
:param timer: Name of timer
:type timer: str
#}}
{{% macro ocil_timer_enabled(timer) -%}}
{{% if init_system is defined %}}
{{%- if init_system == "systemd" -%}}
{{{ systemd_ocil_timer_enabled(timer) }}}
{{%- else -%}}
JINJA MACRO ERROR - Unknown init system '{{{ init_system }}}'.
{{%- endif -%}}
{{%- endif -%}}
{{%- endmacro %}}
{{# Mount unit enabled macros #}}
{{#
Describe how to check if mount unit is enabled in systemd.
:param mount: The mount unit to check
:type mount: str
#}}
{{%- macro ocil_systemd_mount_enabled(mount) %}}
Run the following command to determine the current status of the
{{{ mount }}} mount:
$ sudo systemctl is-active {{{ mount }}}.mount
If the mount unit is running, it should return the following: active
{{%- endmacro %}}
{{# File macros #}}
{{#
OCIL for how to check the permissions on a file.
:param file: File to change
:type file: str
:param perms: The permissions for the file
:type perms: str
#}}
{{%- macro ocil_file_permissions(file, perms) -%}}
To check the permissions of {{{ file }}},
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -l {{{ file }}}
If properly configured, the output should indicate the following permissions:
{{{ perms }}}
{{%- endmacro %}}
{{#
OCIL how to check permissions a directory
:param directory: Directory path
:type directory: str
:param perms: the permissions of the given directory
:type perms: str
#}}
{{%- macro ocil_directory_permissions(directory, perms) -%}}
To check the permissionsship of {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -ldL {{{ directory }}}
If properly configured, the output should indicate the following permissions:
{{{ perms }}}
{{%- endmacro %}}
{{#
OCIL how to check file permissions of files in a directory
:param directory: Directory path
:type directory: str
:param perms: the permissions for the files in the given directory
:type perms: str
#}}
{{%- macro ocil_files_in_directory_permissions(directory, perms) -%}}
To check the permissions of files in the {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -lL {{{ directory }}}
If properly configured, the output should indicate the following permissions:
{{{ perms }}}
{{%- endmacro %}}
{{#
OCIL clause for file permissions
:param file: File to change
:type file: str
:param perms: the permissions for the file
:type perms: str
#}}
{{%- macro ocil_clause_file_permissions(file, perms) -%}}
{{{ file }}} does not have unix mode {{{ perms }}}
{{%- endmacro %}}
{{#
OCIL clause for directory permissions
:param directory: Directory path
:type directory: str
:param perms: the permissions for the files
:type perms: str
#}}
{{%- macro ocil_clause_directory_permissions(directory, perms) -%}}
{{{ directory }}} directory does not have unix mode {{{ permms }}}
{{%- endmacro %}}
{{#
OCIL clause for file permissions of files in a directory
:param directory: Directory path
:type directory: str
:param perms: the permissions for the files
:type perms: str
#}}
{{%- macro ocil_clause_files_in_directory_permissions(directory, perms) -%}}
files in the {{{ directory }}} directory do not have unix mode {{{ perms }}}
{{%- endmacro %}}
{{#
OCIL how to check the file owner of a file.
:param file: File to change
:type file: str
:param owner: The owner for the file
:type owner: str
#}}
{{%- macro ocil_file_owner(file, owner) -%}}
To check the ownership of {{{ file }}},
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -lL {{{ file }}}
If properly configured, the output should indicate the following owner:
{{{ owner }}}
{{%- endmacro %}}
{{#
OCIL how to check owner a directory
:param directory: Directory path
:type directory: str
:param owner: the owner of the given directory
:type owner: str
#}}
{{%- macro ocil_directory_owner(directory, owner) -%}}
To check the ownership of {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -ldL {{{ directory }}}
If properly configured, the output should indicate the following owner:
{{{ owner }}}
{{%- endmacro %}}
{{#
OCIL how to check file owner of files in a directory
:param directory: Directory path
:type directory: str
:param owner: the owner for the files in the given directory
:type owner: str
#}}
{{%- macro ocil_files_in_directory_owner(directory, owner) -%}}
To check the ownership of files in the {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -lL {{{ directory }}}
If properly configured, the output should indicate the following owner:
{{{ owner }}}
{{%- endmacro %}}
{{#
OCIL clause for file owner
:param file: File to change
:type file: str
:param owner: the owner for the file
:type owner: str
#}}
{{%- macro ocil_clause_file_owner(file, owner) -%}}
{{{ file }}} does not have an owner of {{{ owner }}}
{{%- endmacro %}}
{{#
OCIL clause for directory owner
:param directory: Directory path
:type directory: str
:param owner: the owner for the files
:type owner: str
#}}
{{%- macro ocil_clause_directory_owner(directory, owner) -%}}
{{{ directory }}} directory does not have a owner owner of {{{ owner }}}
{{%- endmacro %}}
{{#
OCIL clause for file owner of files in a directory
:param directory: Directory path
:type directory: str
:param owner: the owner for the files
:type owner: str
#}}
{{%- macro ocil_clause_files_in_directory_owner(directory, owner) -%}}
files in the {{{ directory }}} directory do not have a owner of {{{ owner }}}
{{%- endmacro %}}
{{#
OCIL how to check the file group owner of a file.
:param file: File to change
:type file: str
:param group: the group owner for the file
:type group: str
#}}
{{%- macro ocil_file_group_owner(file, group) -%}}
To check the group ownership of {{{ file }}},
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -lL {{{ file }}}
If properly configured, the output should indicate the following group-owner:
{{% for grp in group.split("|") %}}
{{{ grp }}}
{{% if not loop.last %}} or {{% endif %}}
{{% endfor %}}
{{%- endmacro %}}
{{#
OCIL how to check file group owner a directory
:param directory: Directory path
:type directory: str
:param group: the group owner of the given directory
:type group: str
#}}
{{%- macro ocil_directory_group_owner(directory, group) -%}}
To check the group ownership of {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -ldL {{{ directory }}}
If properly configured, the output should indicate the following group-owner:
{{{ group }}}
{{%- endmacro %}}
{{#
OCIL how to check file group owner of files in a directory
:param directory: Directory path
:type directory: str
:param group: the group owner for the files in the given directory
:type group: str
#}}
{{%- macro ocil_files_in_directory_group_owner(directory, group) -%}}
To check the group ownership of files in the {{{ directory }}} directory,
{{% if product in ["ocp4", "rhcos4"] -%}}
you'll need to log into a node in the cluster.
{{{ rhcos_node_login_instructions() }}}
Then,
{{%- endif -%}}
run the command:
$ ls -lL {{{ directory }}}
If properly configured, the output should indicate the following group-owner:
{{{ group }}}
{{%- endmacro %}}
{{#
OCIL clause for file group owner
:param file: File to change
:type file: str
:param group: the group owner for the file
:type group: str
#}}
{{%- macro ocil_clause_file_group_owner(file, group) -%}}
{{{ file }}} does not have a group owner of
{{% for grp in group.split("|") %}}
{{{ grp }}}
{{% if not loop.last %}} or {{% endif %}}
{{% endfor %}}
{{%- endmacro %}}
{{#
OCIL clause for directory group owner of a directory
:param directory: Directory path
:type directory: str
:param group: the group owner for the files
:type group: str
#}}
{{%- macro ocil_clause_directory_group_owner(directory, group) -%}}
{{{ directory }}} directory does not have a group owner of {{{ group }}}
{{%- endmacro %}}
{{#
OCIL clause for file group owner of files in a directory
:param directory: Directory path
:type directory: str
:param group: the group owner for the files
:type group: str
#}}
{{%- macro ocil_clause_files_in_directory_group_owner(directory, group) -%}}
files in the {{{ directory }}} directory do not have a group owner of {{{ group }}}
{{%- endmacro %}}
{{# Sysctl option macros #}}
{{#
OCIL for a sysctl option
:param sysctl: The kernel parameter to change
:type sysctl: str
:param value: The value to be set
:type value: str
#}}
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
The runtime status of the {{{ sysctl }}} kernel parameter can be queried
by running the following command:
$ sysctl {{{ sysctl }}}
{{{ value }}}.
{{%- endmacro %}}
{{#
OCIL and OCIL clause for a sysctl option
:param sysctl: The kernel parameter to change
:type sysctl: str
:param value: The value to be set
:type value: str
#}}
{{% macro complete_ocil_entry_sysctl_option_value(sysctl, value) -%}}
ocil: |
{{{ ocil_sysctl_option_value(sysctl, value) }}}
ocil_clause: "the correct value is not returned"
{{%- endmacro %}}
{{# GRUB2 argument macros #}}
{{#
Provide OCIL for checking if an argument for kernel command line is configured with Grub2.
The parameter should have form `parameter=value`.
#}}
{{%- macro ocil_grub2_argument(arg_name_value) -%}}
{{%- if product in ["fedora", "ol7", "ol8", "ol9",] or 'ubuntu' in product or 'rhel' in product -%}}
Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If it includes {{{ arg_name_value }}},
then the parameter will be configured for newly installed kernels.
First check if the GRUB recovery is enabled:
$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub
If the recovery is disabled, check the line with
$ sudo grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub.
{{%- if 'ubuntu' in product -%}}
Moreover, current Grub config file grub.cfg must be checked. The file can be found
either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems.
If they include {{{ arg_name_value }}}, then the parameter
is configured at boot time.
$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'
Fill in GRUB_CFG_FILE_PATH based on information above.
This command should not return any output.
{{%- else -%}}
Moreover, command line parameters for currently installed kernels should be checked as well.
Run the following command:
$ sudo grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'
The command should not return any output.
{{%- endif -%}}
{{%- else -%}}
Inspect the form of default GRUB 2 command line for the Linux operating system
{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}
in {{{ grub2_boot_path }}}/grubenv.
{{%- else -%}}
in grubenv that can be found either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems.
{{%- endif %}}
If they include {{{ arg_name_value }}}, then the parameter
is configured at boot time.
$ sudo grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION
Fill in GRUBENV_FILE_LOCATION based on information above.
{{%- endif -%}}
{{%- endmacro -%}}
{{# Kernel build config macros #}}
{{#
OCIL for a kernel build config rule.
Example usage::
ocil_kernel_build_config(config="config_kernel_strict_rwx", value="y")
:param config: The kernel config parameter
:type config: str
:param value: The value for the given config
:type value: str
#}}
{{% macro ocil_kernel_build_config(config, value) -%}}
To determine the config value the kernel was built with, run the following command:
$ grep {{{ config }}} /boot/config.*
{{% if value == "n" %}}
Configs with value 'n' are not explicitly set in the file, so either commented lines or no
lines should be returned.
{{% else %}}
For each kernel installed, a line with value "{{{ value }}}" should be returned.
{{% endif %}}
{{%- endmacro %}}
{{# Firefox macros #}}
{{#
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification template
:param syscall: system call
:type syscall: str
#}}
{{% macro ocil_audit_rules_unsuccessful_file_modification(syscall, key) -%}}
Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to use the {{{ syscall }}} system call.
If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
$ sudo grep -r {{{ syscall }}} /etc/audit/rules.d
If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
$ sudo grep {{{ syscall }}} /etc/audit/audit.rules
The output should be the following:
-a always,exit -F arch=b32 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k {{{ key }}}
-a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k {{{ key }}}
-a always,exit -F arch=b32 -S {{{ syscall }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k {{{ key }}}
-a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k {{{ key }}}
{{%- endmacro %}}
{{#
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_creat template
:param syscall: system call
:type syscall: str
:param position: the position of the system call O_CREAT argument, eg. a2
:type position: str
#}}
{{% macro ocil_audit_rules_unsuccessful_file_modification_o_creat(syscall, position) -%}}
Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to create files using the {{{ syscall }}} system call with O_CREAT flag.
If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
$ sudo grep -r {{{ syscall }}} /etc/audit/rules.d
If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
$ sudo grep {{{ syscall }}} /etc/audit/audit.rules
The output should be the following:
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
{{%- endmacro %}}
{{#
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_trunc_write template
:param syscall: system call
:type syscall: str
:param position: the position of the system call O_TRUNC_WRITE argument, eg. a2
:type position: str
#}}
{{% macro ocil_audit_rules_unsuccessful_file_modification_o_trunc_write(syscall, position) -%}}
Verify {{{ full_name }}} generates an audit record for unsuccessful attempts to modify files using the {{{ syscall }}} system call with O_TRUNC_WRITE flag.
If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
$ sudo grep -r {{{ syscall }}} /etc/audit/rules.d
If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
$ sudo grep {{{ syscall }}} /etc/audit/audit.rules
The output should be the following:
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
{{%- endmacro %}}
{{#
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_rule_order template
:param syscall: system call
:type syscall: str
:param position: the position of the system call O_TRUNC_WRITE and O_CREAT arguments, eg. a2
:type position: str
#}}
{{% macro ocil_audit_rules_unsuccessful_file_modification_rule_order(syscall, position) -%}}
Verify that rules for unsuccessful calls of the {{{ syscall }}} syscall are in the order shown below.
If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d".
If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file.
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S {{{ syscall }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S {{{ syscall }}} -F {{{ position }}}&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S {{{ syscall }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
{{%- endmacro %}}
{{# OpenShift Logging Macros #}}
{{#
OCIL for how to check RBAC permissions for cluster logging
:param verb: The RBAC verb to check
:type verb: str
#}}
{{%- macro ocil_cluster_logging_rbac_review(verb) -%}}
Perform a check to list the users and groups who have permission to {{{ verb }}} the cluster logging configuration by running the following two commands.
> oc policy who-can {{{ verb }}} ClusterLogging -n openshift-logging
> oc policy who-can {{{ verb }}} ClusterLoggingForwarder -n openshift-logging
Review the list of users and groups who have {{{ verb }}} access to the cluster logging resources.
If any user or group listed should not have access to {{{ verb }}} the cluster logging resources, this is a finding.
{{%- endmacro %}}
{{# RBAC macros #}}
{{#
OCIL for how to check RBAC permissions for the cluster in general
#}}
{{%- macro ocil_rbac_least_privilege() -%}}
The administrator must verify that Openshift is configured with the necessary RBAC access controls.
Review the RBAC configuration.
As the cluster-admin, view the cluster roles and their associated rule sets by executing the following::
oc describe clusterrole.rbac
Now view the current set of cluster role bindings, which shows the users and groups that are bound to various roles by executing the following:
oc describe clusterrolebinding.rbac
Local roles and bindings can be determined using the follow commands by executing the following:
oc describe rolebinding.rbac
If these results show users with privileged access that do not require that access, this is a finding.
{{%- endmacro %}}
{{#
OCIL macro to check CIS requirements on command line warning banners.
The macro provides both check and clause.
:param filepath: filepath to be checked
:type filepath: str
#}}
{{%- macro ocil_cis_banner(filepath) -%}}
ocil_clause: any results are returned
ocil: |-
Run the following command and verify no results are returned:
$ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" {{{ filepath }}}
{{%- endmacro %}}
{{#
Create an OCIL text for rules that use the audit_rules_watch platform.
:param path: The path that should be watched by the watch.
:type path: str
:param key: The audit key.
:type key: str
#}}
{{% macro ocil_audit_rules_watch(path, key) %}}
Verify {{{ full_name }}} generates audit records for all events that affect "{{{ path }}}" with the following command:
$ sudo auditctl -l | grep {{{ path }}}
{{% if audit_watches_style == "modern" %}}
{{% if path.endswith("/") %}}
{{% set filter_type="dir" %}}
{{% else %}}
{{% set filter_type="path" %}}
{{% endif %}}
-a always,exit -F arch=b32 -F {{{ filter_type }}}={{{ path }}} -F perm=wa -F key={{{ key }}}
-a always,exit -F arch=b64 -F {{{ filter_type }}}={{{ path }}} -F perm=wa -F key={{{ key }}}
{{% else %}}
-w {{{ path }}} -p wa -k {{{ key }}}
{{% endif %}}
{{% endmacro %}}
{{#
Create an OCIL text for rules that use the crypto_sub_policies template.
:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
:type module_name: str
:param key: The entry key, eg. cipher@SSH
:type key: str
:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
:type value: str
#}}
{{% macro ocil_crypto_sub_policy(module_name, key, value) %}}
Verify that /etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod exists and has the following content:
{{{ key }}} = {{{ value }}}
{{% endmacro %}}