From b49f4ce0990f2629d64899c3991a76e8e1d0fef9 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:26:09 +0300
Subject: [PATCH 01/21] Add oval macro to check external variable vs expected
value
---
shared/macros/10-oval.jinja | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 0fd0f07bf94..5763cf1b91b 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -1760,3 +1760,31 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL
{{%- endmacro -%}}
+
+{{#
+Macro to check if external variable is set to value
+ :param variable: Name of the external variable to check
+ :type variable: str
+ :param value: Value of the external variable
+ :type value: str
+ :param test_id: Suffix of the Ids in test, obj, and state elements
+ :type test_id: str
+ :param operation: Value operation
+ :type operation: str
+#}}
+{{%- macro oval_test_external_variable_value(variable,value,test_id='',operation='equals') -%}}
+
+
+
+
+
+
+ {{{ variable }}}
+
+
+ {{{ value }}}
+
+
+
+{{%- endmacro -%}}
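Review bot: The default `test_id=''` means every caller that omits the argument emits test/object/state elements with the same, unsuffixed ids; the element markup is not visible in this rendering, so this is inferred from the docstring, but two rules using the macro with the default in one benchmark would then produce duplicate OVAL ids. Either make `test_id` required or derive the default from `variable`, e.g. `test_id=''` → `test_id=variable`. The docstring should also name the accepted values for `operation`, e.g. `:param operation: OVAL operation used to compare the variable, e.g. 'equals' or 'pattern match'`, since the templates added later in this series rely on exactly those two.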
From 660e7f886e68e6215d6f8075c3f379f9acc9ff54 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:27:28 +0300
Subject: [PATCH 02/21] Add variable to set default firewall technology used
---
.../network/var_network_filtering_service.var | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 linux_os/guide/system/network/var_network_filtering_service.var
diff --git a/linux_os/guide/system/network/var_network_filtering_service.var b/linux_os/guide/system/network/var_network_filtering_service.var
new file mode 100644
index 00000000000..353caac8cd7
--- /dev/null
+++ b/linux_os/guide/system/network/var_network_filtering_service.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Network filtering service'
+
+description: |-
+ Network filtering service: iptables, nftables, firewalld or ufw
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ iptables: iptables
+ nftables: nftables
+ firewalld: firewalld
+ ufw: ufw
+ default: firewalld
From dc4a09865947ab82cbc6d0403d0b9350cd0997b8 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:35:55 +0300
Subject: [PATCH 03/21] Set relevant values for SLE platforms
---
products/sle12/profiles/default.profile | 1 +
products/sle15/profiles/cis.profile | 1 +
products/sle15/profiles/default.profile | 1 +
3 files changed, 3 insertions(+)
diff --git a/products/sle12/profiles/default.profile b/products/sle12/profiles/default.profile
index a488f3d8ad5..0e63f6b8b0f 100644
--- a/products/sle12/profiles/default.profile
+++ b/products/sle12/profiles/default.profile
@@ -12,6 +12,7 @@ description: |-
is to keep a rule in the product's XCCDF Benchmark.
selections:
+ - var_network_filtering_service=iptables
- accounts_user_dot_user_ownership
- service_timesyncd_enabled
- gnome_gdm_disable_xdmcp
diff --git a/products/sle15/profiles/cis.profile b/products/sle15/profiles/cis.profile
index 7b19b83dd7e..3fffef4cab6 100644
--- a/products/sle15/profiles/cis.profile
+++ b/products/sle15/profiles/cis.profile
@@ -21,6 +21,7 @@ description: |-
selections:
- cis_sle15:all:l2_server
+ - var_network_filtering_service=firewalld
# Exclude from CIS profile all rules related to ntp and timesyncd and keep only
# rules related to chrony
- '!ntpd_configure_restrictions'
diff --git a/products/sle15/profiles/default.profile b/products/sle15/profiles/default.profile
index da5449e6ae4..0804ae5ca0f 100644
--- a/products/sle15/profiles/default.profile
+++ b/products/sle15/profiles/default.profile
@@ -12,6 +12,7 @@ description: |-
is to keep a rule in the product's XCCDF Benchmark.
selections:
+ - var_network_filtering_service=firewalld
- accounts_user_dot_user_ownership
- service_timesyncd_enabled
- gnome_gdm_disable_xdmcp
From 64885fde944f4c9c3587d01e1e6275f9697c39d1 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:43:06 +0300
Subject: [PATCH 04/21] Templates for pkg installed/removed and svc
enabled/disabled, guarded by ext varaiable
The idea is for the OVAL checks and remediations to consult the provided external variable, and thus honour whether a certain package or service should really be checked, installed or removed
---
.../ansible.template | 17 ++
.../package_installed_guard_var/bash.template | 17 ++
.../package_installed_guard_var/oval.template | 26 +++
.../package_installed_guard_var/template.py | 12 ++
.../package_installed_guard_var/template.yml | 4 +
.../ansible.template | 18 ++
.../package_removed_guard_var/bash.template | 23 +++
.../package_removed_guard_var/oval.template | 26 +++
.../package_removed_guard_var/template.yml | 4 +
.../ansible.template | 54 ++++++
.../service_disabled_guard_var/bash.template | 32 ++++
.../service_disabled_guard_var/oval.template | 37 ++++
.../service_disabled_guard_var/template.py | 8 +
.../service_disabled_guard_var/template.yml | 4 +
.../ansible.template | 32 ++++
.../service_enabled_guard_var/bash.template | 22 +++
.../service_enabled_guard_var/oval.template | 170 ++++++++++++++++++
.../service_enabled_guard_var/template.py | 6 +
.../service_enabled_guard_var/template.yml | 4 +
19 files changed, 516 insertions(+)
create mode 100644 shared/templates/package_installed_guard_var/ansible.template
create mode 100644 shared/templates/package_installed_guard_var/bash.template
create mode 100644 shared/templates/package_installed_guard_var/oval.template
create mode 100644 shared/templates/package_installed_guard_var/template.py
create mode 100644 shared/templates/package_installed_guard_var/template.yml
create mode 100644 shared/templates/package_removed_guard_var/ansible.template
create mode 100644 shared/templates/package_removed_guard_var/bash.template
create mode 100644 shared/templates/package_removed_guard_var/oval.template
create mode 100644 shared/templates/package_removed_guard_var/template.yml
create mode 100644 shared/templates/service_disabled_guard_var/ansible.template
create mode 100644 shared/templates/service_disabled_guard_var/bash.template
create mode 100644 shared/templates/service_disabled_guard_var/oval.template
create mode 100644 shared/templates/service_disabled_guard_var/template.py
create mode 100644 shared/templates/service_disabled_guard_var/template.yml
create mode 100644 shared/templates/service_enabled_guard_var/ansible.template
create mode 100644 shared/templates/service_enabled_guard_var/bash.template
create mode 100644 shared/templates/service_enabled_guard_var/oval.template
create mode 100644 shared/templates/service_enabled_guard_var/template.py
create mode 100644 shared/templates/service_enabled_guard_var/template.yml
diff --git a/shared/templates/package_installed_guard_var/ansible.template b/shared/templates/package_installed_guard_var/ansible.template
new file mode 100644
index 00000000000..21025983a0a
--- /dev/null
+++ b/shared/templates/package_installed_guard_var/ansible.template
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is installed
+ package:
+ name: "{{{ PKGNAME }}}"
+ state: present
+{{% if OPERATION == "pattern match" %}}
+ when: {{{ VARIABLE }}} is regex("{{{ VALUE }}}")
+{{% else %}}
+ when: {{{ VARIABLE }}} == "{{{ VALUE }}}"
+{{% endif %}}
diff --git a/shared/templates/package_installed_guard_var/bash.template b/shared/templates/package_installed_guard_var/bash.template
new file mode 100644
index 00000000000..61ec0f61f6a
--- /dev/null
+++ b/shared/templates/package_installed_guard_var/bash.template
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+ if [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]]; then
+ {{{ bash_package_install(package=PKGNAME) }}}
+ fi
+{{% else %}}
+ if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then
+ {{{ bash_package_install(package=PKGNAME) }}}
+ fi
+{{% endif %}}
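Review bot: The pattern-match test `if [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]]; then` has its operands reversed: bash `=~` takes the string on the left and the regex on the right, so here the configured pattern is matched against the variable's content used as a quoted (literal) pattern, and an empty variable would likely make the test succeed because an empty pattern matches anything. It should read `if [[ "${{{ VARIABLE }}}" =~ {{{ VALUE }}} ]]; then`. The equals branch `if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then` leaves the expansion unquoted, so an empty variable produces a syntax error instead of a false result; `if [ "${{{ VARIABLE }}}" = "{{{ VALUE }}}" ]; then` avoids that. The same two constructs recur in package_removed_guard_var/bash.template, service_disabled_guard_var/bash.template and service_enabled_guard_var/bash.template.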
diff --git a/shared/templates/package_installed_guard_var/oval.template b/shared/templates/package_installed_guard_var/oval.template
new file mode 100644
index 00000000000..279a1e1eca2
--- /dev/null
+++ b/shared/templates/package_installed_guard_var/oval.template
@@ -0,0 +1,26 @@
+
+ {{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+ {{% if OPERATION is defined %}}
+ {{%- set variable_value_op = OPERATION -%}}
+ {{% else %}}
+ {{%- set variable_value_op = "equals" -%}}
+ {{% endif %}}
+
+ {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_sle"]) }}}
+
+
+
+
+
+
+
+
+
+
+{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+{{{ oval_test_package_installed(package=PKGNAME, evr=EVR, test_id="test_package_"+PKGNAME+"_installed") }}}
+
diff --git a/shared/templates/package_installed_guard_var/template.py b/shared/templates/package_installed_guard_var/template.py
new file mode 100644
index 00000000000..cfb47b7af5d
--- /dev/null
+++ b/shared/templates/package_installed_guard_var/template.py
@@ -0,0 +1,12 @@
+import re
+
+
+def preprocess(data, lang):
+ if "evr" in data:
+ evr = data["evr"]
+ if evr and not re.match(r'\d:\d[\d\w+.]*-\d[\d\w+.]*', evr, 0):
+ raise RuntimeError(
+ "ERROR: input violation: evr key should be in "
+ "epoch:version-release format, but package {0} has set "
+ "evr to {1}".format(data["pkgname"], evr))
+ return data
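Review bot: `preprocess` never defaults `operation`, so the oval template has to test `OPERATION is defined` while the ansible and bash templates compare `OPERATION == "pattern match"` against a possibly undefined name; normalising it here keeps the three backends consistent: add `data.setdefault("operation", "equals")` before `return data`. The two service_*_guard_var/template.py files have the same gap, and package_removed_guard_var ships no template.py at all although its templates read OPERATION the same way. A one-line docstring such as `"""Validate the optional evr key and fill template defaults."""` would also help, since this file is otherwise a copy of the package_installed preprocessor.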
diff --git a/shared/templates/package_installed_guard_var/template.yml b/shared/templates/package_installed_guard_var/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/package_installed_guard_var/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/shared/templates/package_removed_guard_var/ansible.template b/shared/templates/package_removed_guard_var/ansible.template
new file mode 100644
index 00000000000..15476033d0e
--- /dev/null
+++ b/shared/templates/package_removed_guard_var/ansible.template
@@ -0,0 +1,18 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Ensure {{{ PKGNAME }}} is removed
+ package:
+ name: "{{{ PKGNAME }}}"
+ state: absent
+ when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% if OPERATION == "pattern match" %}}
+ when: {{{ VARIABLE }}} is not regex("{{{ VALUE }}}")
+{{% else %}}
+ when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% endif %}}
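Review bot: The task carries two `when:` keys: the unconditional `when: {{{ VARIABLE }}} != "{{{ VALUE }}}"` right after `state: absent`, and a second one emitted by the `OPERATION` branch, so the rendered YAML has a duplicate mapping key; depending on the loader this is rejected outright or the first condition wins and the pattern-match variant never takes effect. Drop the first `when:` line and keep only the conditional block, as package_installed_guard_var/ansible.template does.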
diff --git a/shared/templates/package_removed_guard_var/bash.template b/shared/templates/package_removed_guard_var/bash.template
new file mode 100644
index 00000000000..d7d5b6b7b85
--- /dev/null
+++ b/shared/templates/package_removed_guard_var/bash.template
@@ -0,0 +1,23 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+# CAUTION: This remediation script will remove {{{ PKGNAME }}}
+# from the system, and may remove any packages
+# that depend on {{{ PKGNAME }}}. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+ if ! [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]]; then
+ {{{ bash_package_remove(package=PKGNAME) }}}
+ fi
+{{% else %}}
+ if [ ${{{ VARIABLE }}} != {{{ VALUE }}} ]; then
+ {{{ bash_package_remove(package=PKGNAME) }}}
+ fi
+{{% endif %}}
diff --git a/shared/templates/package_removed_guard_var/oval.template b/shared/templates/package_removed_guard_var/oval.template
new file mode 100644
index 00000000000..aa5bc4a8072
--- /dev/null
+++ b/shared/templates/package_removed_guard_var/oval.template
@@ -0,0 +1,26 @@
+
+ {{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+ {{% if OPERATION is defined %}}
+ {{%- set variable_value_op = OPERATION -%}}
+ {{% else %}}
+ {{%- set variable_value_op = "equals" -%}}
+ {{% endif %}}
+
+ {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_sle"]) }}}
+
+
+
+
+
+
+
+
+
+
+{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+{{{ oval_test_package_removed(package=PKGNAME, test_id="test_package_"+PKGNAME+"_removed") }}}
+
diff --git a/shared/templates/package_removed_guard_var/template.yml b/shared/templates/package_removed_guard_var/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/package_removed_guard_var/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/shared/templates/service_disabled_guard_var/ansible.template b/shared/templates/service_disabled_guard_var/ansible.template
new file mode 100644
index 00000000000..3d28077776f
--- /dev/null
+++ b/shared/templates/service_disabled_guard_var/ansible.template
@@ -0,0 +1,54 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+{{%- if init_system == "systemd" %}}
+
+- name: "{{{ rule_title }}} - Collect systemd Services Present in the System"
+ ansible.builtin.command: systemctl -q list-unit-files --type service
+ register: service_exists
+ changed_when: false
+ failed_when: service_exists.rc not in [0, 1]
+ check_mode: false
+
+- name: '{{{ rule_title }}} - Ensure "{{{ DAEMONNAME }}}.service" is Masked'
+ ansible.builtin.systemd:
+ name: "{{{ DAEMONNAME }}}.service"
+ state: "stopped"
+ enabled: false
+ masked: true
+ when:
+ - 'service_exists.stdout_lines is search("{{{ SERVICENAME }}}.service",multiline=True)'
+{{% if OPERATION == "pattern match" %}}
+ - {{{ VARIABLE }}} is not regex("{{{ VALUE }}}")
+{{% else %}}
+ - {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% endif %}}
+
+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+ ansible.builtin.command: systemctl -q list-unit-files {{{ DAEMONNAME }}}.socket
+ register: socket_file_exists
+ changed_when: false
+ failed_when: socket_file_exists.rc not in [0, 1]
+ check_mode: false
+
+- name: Disable socket {{{ SERVICENAME }}}
+ ansible.builtin.systemd:
+ name: "{{{ DAEMONNAME }}}.socket"
+ enabled: "no"
+ state: "stopped"
+ masked: "yes"
+ when:
+ - 'socket_file_exists.stdout_lines is search("{{{ DAEMONNAME }}}.socket",multiline=True)'
+{{% if OPERATION == "pattern match" %}}
+ - {{{ VARIABLE }}} is not regex("{{{ VALUE }}}")
+{{% else %}}
+ - {{{ VARIABLE }}} != "{{{ VALUE }}}"
+{{% endif %}}
+{{%- else %}}
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+{{%- endif %}}
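Review bot: The service task's `when` searches the unit list for `{{{ SERVICENAME }}}.service` while the task itself masks `{{{ DAEMONNAME }}}.service`; template.py defaults daemonname to servicename, so this only matters when a rule sets them apart, but then the guard and the action disagree — use `'service_exists.stdout_lines is search("{{{ DAEMONNAME }}}.service",multiline=True)'` as the socket task already does for its unit. The header `# platform = multi_platform_all` also differs from the sibling bash template and from the other guard_var templates, which declare `multi_platform_sle`; if this template is SLE-only like the rest, narrow the platform to match.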
diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template
new file mode 100644
index 00000000000..b175b99fc89
--- /dev/null
+++ b/shared/templates/service_disabled_guard_var/bash.template
@@ -0,0 +1,32 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+{{%- if init_system == "systemd" %}}
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+{{% if OPERATION == "pattern match" %}}
+if ! [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]];
+{{% else %}}
+if [ ${{{ VARIABLE }}} != {{{ VALUE }}} ]; then
+{{%- endif %}}
+ SYSTEMCTL_EXEC='/usr/bin/systemctl'
+ "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
+ # Disable socket activation if we have a unit file for it
+ if "$SYSTEMCTL_EXEC" -q list-unit-files {{{ DAEMONNAME }}}.socket; then
+ "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket'
+ "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket'
+ fi
+ # The service may not be running because it has been started and failed,
+ # so let's reset the state so OVAL checks pass.
+ # Service should be 'inactive', not 'failed' after reboot though.
+ "$SYSTEMCTL_EXEC" reset-failed '{{{ DAEMONNAME }}}.service' || true
+fi
+{{%- else %}}
+
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+{{%- endif %}}
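Review bot: The pattern-match branch `if ! [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]];` has no `then`, so a rule that sets `operation: pattern match` (service_nftables_disabled and service_firewalld_disabled later in this series) renders a bash remediation that does not parse; the equals branch below has it. With the operand order corrected as well it should read `if ! [[ "${{{ VARIABLE }}}" =~ {{{ VALUE }}} ]]; then`. service_enabled_guard_var/bash.template has the same missing `then`.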
diff --git a/shared/templates/service_disabled_guard_var/oval.template b/shared/templates/service_disabled_guard_var/oval.template
new file mode 100644
index 00000000000..d90e09c6db0
--- /dev/null
+++ b/shared/templates/service_disabled_guard_var/oval.template
@@ -0,0 +1,37 @@
+
+
+{{%- set package_removed_test_id = _RULE_ID + "_test_service_" + SERVICENAME + "_package_" + PACKAGENAME + "_removed" -%}}
+{{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+{{% if OPERATION is defined %}}
+ {{%- set variable_value_op = OPERATION -%}}
+{{% else %}}
+ {{%- set variable_value_op = "equals" -%}}
+{{% endif %}}
+
+
+ {{{ oval_metadata("The " + SERVICENAME + " service should be disabled.", affected_platforms=["multi_platform_sle"]) }}}
+
+
+
+
+
+
+
+
+
+
+ {{{ oval_test_service_disabled_criteria(SERVICENAME) }}}
+
+
+
+
+
+ {{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+
+ {{{ oval_test_service_disabled_tests(SERVICENAME) }}}
+
+ {{{ oval_test_package_removed(package=PACKAGENAME, test_id=package_removed_test_id) }}}
+
+
diff --git a/shared/templates/service_disabled_guard_var/template.py b/shared/templates/service_disabled_guard_var/template.py
new file mode 100644
index 00000000000..e3de33c418a
--- /dev/null
+++ b/shared/templates/service_disabled_guard_var/template.py
@@ -0,0 +1,8 @@
+def preprocess(data, lang):
+ if "packagename" not in data:
+ data["packagename"] = data["servicename"]
+ if "daemonname" not in data:
+ data["daemonname"] = data["servicename"]
+ if "mask_service" not in data:
+ data["mask_service"] = "true"
+ return data
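Review bot: `mask_service` is defaulted to `"true"` but none of the three templates in this directory reference a `MASK_SERVICE` variable — the ansible and bash templates mask unconditionally — so the key is either dead (drop it) or the templates should consult it as the non-guarded service_disabled template presumably does. A one-line docstring, `"""Fill in packagename, daemonname and mask_service defaults for the templates."""`, would make the contract visible.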
diff --git a/shared/templates/service_disabled_guard_var/template.yml b/shared/templates/service_disabled_guard_var/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/service_disabled_guard_var/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/shared/templates/service_enabled_guard_var/ansible.template b/shared/templates/service_enabled_guard_var/ansible.template
new file mode 100644
index 00000000000..eaecf5dfda6
--- /dev/null
+++ b/shared/templates/service_enabled_guard_var/ansible.template
@@ -0,0 +1,32 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables(VARIABLE) }}}
+
+- name: Enable service {{{ SERVICENAME }}}
+ block:
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+{{%- if init_system == "systemd" %}}
+ - name: Enable service {{{ SERVICENAME }}}
+ systemd:
+ name: "{{{ DAEMONNAME }}}"
+ enabled: "yes"
+ state: "started"
+ masked: "no"
+ when:
+ - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
+ - {{{ VARIABLE }}} == "{{{ VALUE }}}"
+{{% if OPERATION == "pattern match" %}}
+ - {{{ VARIABLE }}} is regex("{{{ VALUE }}}")
+{{% else %}}
+ - {{{ VARIABLE }}} == "{{{ VALUE }}}"
+{{% endif %}}
+{{%- else %}}
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+{{%- endif %}}
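Review bot: The `when:` list always contains `- {{{ VARIABLE }}} == "{{{ VALUE }}}"` before the `{{% if OPERATION == "pattern match" %}}` block and then appends either the regex test or the same equality again, so under `operation: pattern match` the task requires both an exact match and a regex match and the pattern form can never broaden the condition. Remove the equality line that precedes the block; the else branch already supplies it.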
diff --git a/shared/templates/service_enabled_guard_var/bash.template b/shared/templates/service_enabled_guard_var/bash.template
new file mode 100644
index 00000000000..3cedf2eacfa
--- /dev/null
+++ b/shared/templates/service_enabled_guard_var/bash.template
@@ -0,0 +1,22 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+{{%- if init_system == "systemd" %}}
+
+{{{ bash_instantiate_variables(VARIABLE) }}}
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+{{% if OPERATION == "pattern match" %}}
+if [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]];
+{{% else %}}
+if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then
+{{%- endif %}}
+ "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
+fi
+{{% else %}}
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+{{%- endif %}}
diff --git a/shared/templates/service_enabled_guard_var/oval.template b/shared/templates/service_enabled_guard_var/oval.template
new file mode 100644
index 00000000000..3b0d77597e4
--- /dev/null
+++ b/shared/templates/service_enabled_guard_var/oval.template
@@ -0,0 +1,170 @@
+
+
+{{%- set package_installed_test_id = "test_service_" + SERVICENAME + "_package_" + PACKAGENAME + "_installed" -%}}
+{{%- set variable_value_test_id = _RULE_ID + "_test_variable_" + VARIABLE -%}}
+{{% if OPERATION is defined %}}
+ {{%- set variable_value_op = OPERATION -%}}
+{{% else %}}
+ {{%- set variable_value_op = "equals" -%}}
+{{% endif %}}
+{{% if target_oval_version >= [5, 11] %}}
+
+
+ {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ multi-user.target
+
+
+ {{{ SERVICENAME }}}.service
+
+
+
+
+
+
+
+ multi-user.target
+
+
+ {{{ SERVICENAME }}}.socket
+
+
+
+
+
+
+
+ ^{{{ SERVICENAME }}}\.(socket|service)$
+ ActiveState
+
+
+ active
+
+
+{{% else %}}
+
+
+ {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{{ SERVICENAME }}}
+ 0
+
+
+ {{{ SERVICENAME }}}
+ 1
+
+
+ {{{ SERVICENAME }}}
+ 2
+
+
+ {{{ SERVICENAME }}}
+ 3
+
+
+ {{{ SERVICENAME }}}
+ 4
+
+
+ {{{ SERVICENAME }}}
+ 5
+
+
+ {{{ SERVICENAME }}}
+ 6
+
+
+ true
+ false
+
+
+{{% endif %}}
+{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
+{{{ oval_test_package_installed(package=PACKAGENAME, evr="", test_id=package_installed_test_id) }}}
+
diff --git a/shared/templates/service_enabled_guard_var/template.py b/shared/templates/service_enabled_guard_var/template.py
new file mode 100644
index 00000000000..6607a54310e
--- /dev/null
+++ b/shared/templates/service_enabled_guard_var/template.py
@@ -0,0 +1,6 @@
+def preprocess(data, lang):
+ if "packagename" not in data:
+ data["packagename"] = data["servicename"]
+ if "daemonname" not in data:
+ data["daemonname"] = data["servicename"]
+ return data
diff --git a/shared/templates/service_enabled_guard_var/template.yml b/shared/templates/service_enabled_guard_var/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/service_enabled_guard_var/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
From 9aa0beb6dfad404ccf624a4cc18bafaca5a8fbdc Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:46:27 +0300
Subject: [PATCH 05/21] Enable nftable service on SLE only if active firewall
technology is set to be nftables
---
.../service_nftables_enabled/rule.yml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
index 10b1027f20c..6929707091a 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
@@ -34,9 +34,21 @@ ocil: |-
fixtext: |-
{{{ fixtext_service_enabled("nftables") }}}
-platform: system_with_kernel and package[nftables] and service_disabled[firewalld]
+platform: machine and package[nftables] and service_disabled[firewalld]
+
+
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: nftables
+ servicename: nftables
+ variable: var_network_filtering_service
+ value: nftables
+{{%- else %}}
template:
name: service_enabled
vars:
servicename: nftables
+{{%- endif %}}
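Review bot: The hunk also changes `platform:` from `system_with_kernel` to `machine`, which the commit message does not mention and which is independent of the variable guard; if it is intentional, say so in the message or split it into its own commit, since the two selectors are not equivalent. The same silent platform change appears in the service_iptables_enabled patch later in this series. Note that the `service_disabled[firewalld]` platform term remains, so on SLE the guarded rule applies only when firewalld is already disabled and the variable says nftables — worth stating if that dual condition is intended.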
From 22ac8fd4ef1ee21ae191b2e0f99aaa067d925733 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 04:49:53 +0300
Subject: [PATCH 06/21] Disable nftable service on SLE only if active firewall
technology is set to be firewalld or iptables
---
.../service_nftables_disabled/rule.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
index b7300ac92bd..53fb41eed93 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -38,8 +38,19 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}'
platform: system_with_kernel and package[nftables] and package[firewalld]
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_disabled_guard_var
+ vars:
+ packagename: nftables
+ servicename: nftables
+ variable: var_network_filtering_service
+ value: firewalld|iptables
+ operation: pattern match
+{{%- else %}}
template:
name: service_disabled
vars:
servicename: nftables
packagename: nftables
+{{%- endif %}}
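Review bot: `value: firewalld|iptables` with `operation: pattern match` is used unanchored by all three backends (OVAL pattern match, Ansible `is regex`, bash `=~`), so it also matches any value that merely contains one of the names; anchoring it, `value: ^(firewalld|iptables)$`, pins the guard to the two intended selections. The same unanchored alternation is used in package_nftables_removed, service_firewalld_disabled and package_firewalld_removed in this series. For the bash backend the pattern must stay unquoted on the right-hand side of `=~` for the anchors and alternation to be interpreted.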
From 99243abcb7ed3bcce1f45e22fec432ca89f50b1b Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:02:37 +0300
Subject: [PATCH 07/21] Removing nftable package on SLE makes sense only if
active firewall technology is set to be firewalld or iptables
---
.../network-nftables/package_nftables_removed/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
index 5836583556d..7df74c0d824 100644
--- a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
@@ -27,7 +27,17 @@ references:
fixtext: '{{{ fixtext_package_removed("nftables") }}}'
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: package_removed_guard_var
+ vars:
+ pkgname: nftables
+ variable: var_network_filtering_service
+ value: firewalld|iptables
+ operation: pattern match
+{{%- else %}}
template:
name: package_removed
vars:
pkgname: nftables
+{{%- endif %}}
From 3a65275934db7182b1053d86a05d8ef4fbd8f618 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:04:50 +0300
Subject: [PATCH 08/21] Installing iptables package on SLE only if active
firewall technology is set to be iptables
---
.../network-iptables/package_iptables_installed/rule.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
index aa83b94e350..d03f8a31592 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
@@ -36,7 +36,16 @@ ocil_clause: 'the package is not installed'
ocil: '{{{ ocil_package(package="iptables") }}}'
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: package_installed_guard_var
+ vars:
+ pkgname: iptables
+ variable: var_network_filtering_service
+ value: iptables
+{{%- else %}}
template:
name: package_installed
vars:
pkgname: iptables
+{{%- endif %}}
From 93fc615403112f88869b95f4fd42108c5a3f0988 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:06:16 +0300
Subject: [PATCH 09/21] Enable iptables service on SLE only if active firewall
technology is set to be iptables
---
.../service_iptables_enabled/rule.yml | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
index 14cbf9801fa..092b18ebec0 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -31,12 +31,22 @@ references:
nist: AC-4,CM-7(b),CA-3(5),SC-7(21),CM-6(a)
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
-platform: system_with_kernel and package[iptables] and service_disabled[firewalld]
+platform: machine and package[iptables] and service_disabled[firewalld]
ocil: |-
{{{ ocil_service_enabled(service="iptables") }}}
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: iptables
+ servicename: iptables
+ variable: var_network_filtering_service
+ value: iptables
+{{%- else %}}
template:
name: service_enabled
vars:
servicename: iptables
+{{%- endif %}}
From 53f09ca6ad916a39f690f6637251194beb5f0837 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:10:58 +0300
Subject: [PATCH 10/21] Disable firewalld service on SLE only if active
firewall technology is set to be nftables or iptables
---
.../service_firewalld_disabled/rule.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
index cc6f5f3cb76..e67f50e1efd 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
@@ -37,8 +37,19 @@ fixtext: '{{{ fixtext_service_disabled("firewalld") }}}'
srg_requirement: '{{{ srg_requirement_service_disabled("firewalld") }}}'
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_disabled_guard_var
+ vars:
+ packagename: firewalld
+ servicename: firewalld
+ variable: var_network_filtering_service
+ value: nftables|iptables
+ operation: pattern match
+{{%- else %}}
template:
name: service_disabled
vars:
servicename: firewalld
packagename: firewalld
+{{%- endif %}}
From 55fd107c2a9772bc078d75f7477b73d35ad3c044 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:13:33 +0300
Subject: [PATCH 11/21] Removing package on SLE makes sense only if active
firewall technology is set to be nftables or iptables
---
.../package_firewalld_removed/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
index c2970f30da1..b4d1a6ec54d 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
@@ -29,7 +29,17 @@ references:
fixtext: '{{{ fixtext_package_removed("firewalld") }}}'
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: package_removed_guard_var
+ vars:
+ pkgname: firewalld
+ variable: var_network_filtering_service
+ value: nftables|iptables
+ operation: pattern match
+{{%- else %}}
template:
name: package_removed
vars:
pkgname: firewalld
+{{%- endif %}}
From 67b36163269d5a5d9f5289a5f844023c44c2ffeb Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:15:26 +0300
Subject: [PATCH 12/21] Enable firewalld service on SLE only if active firewall
technology is set to be firewalld
---
.../service_firewalld_enabled/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index 6f0bf8b41ed..b8ee45417c5 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -55,7 +55,17 @@ fixtext: |-
srg_requirement: '{{{ srg_requirement_service_enabled("firewalld") }}}'
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: firewalld
+ servicename: firewalld
+ variable: var_network_filtering_service
+ value: firewalld
+{{%- else %}}
template:
name: service_enabled
vars:
servicename: firewalld
+{{%- endif %}}
From 7df2ff6a7a3a3b4c64381590aeb46b4dde494620 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 05:17:26 +0300
Subject: [PATCH 13/21] Installing firewalld package on SLE only if active
firewall technology is set to be firewalld
---
.../package_firewalld_installed/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 6f7cc146261..a6e40a13ba2 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -49,10 +49,20 @@ fixtext: |-
{{{ package_install("firewalld") }}}
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: package_installed_guard_var
+ vars:
+ pkgname: firewalld
+ variable: var_network_filtering_service
+ value: firewalld
+{{%- else %}}
template:
name: package_installed
vars:
pkgname: firewalld
+{{%- endif %}}
+
srg_requirement:
{{{ full_name }}} must have the firewalld package installed.
From 75126ba4aa100e2bf78b3c683df47c28e31a3f2a Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Sun, 14 Apr 2024 06:49:38 +0300
Subject: [PATCH 14/21] Fix bash template to produce shellcheck compliant code
---
shared/templates/package_installed_guard_var/bash.template | 2 +-
shared/templates/package_removed_guard_var/bash.template | 2 +-
shared/templates/service_disabled_guard_var/bash.template | 2 +-
shared/templates/service_enabled_guard_var/bash.template | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/templates/package_installed_guard_var/bash.template b/shared/templates/package_installed_guard_var/bash.template
index 61ec0f61f6a..86b03c61821 100644
--- a/shared/templates/package_installed_guard_var/bash.template
+++ b/shared/templates/package_installed_guard_var/bash.template
@@ -7,7 +7,7 @@
{{{ bash_instantiate_variables(VARIABLE) }}}
{{% if OPERATION == "pattern match" %}}
- if [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]]; then
+ if [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
{{{ bash_package_install(package=PKGNAME) }}}
fi
{{% else %}}
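Review bot: Dropping the quotes on the added line makes `${{{ VARIABLE }}}` the regular expression, with the literal `{{{ VALUE }}}` string as the subject, so the guard is an unanchored substring test driven by the variable's content: a value such as `tables` satisfies `"nftables|iptables" =~ tables`, and an empty or unset variable yields an empty pattern, which in bash appears to match any subject, so the install would run with no selection made at all. The same construction is repeated in the three following hunks of this patch (package_removed_guard_var, service_disabled_guard_var, service_enabled_guard_var). Swapping the sides and anchoring keeps the variable as data and the template value as the pattern: `if [[ "${{{ VARIABLE }}}" =~ ^({{{ VALUE }}})$ ]]; then`, with the `!` retained where the hunk negates it. The `else` branch's `[ ${{{ VARIABLE }}} != {{{ VALUE }}} ]` is context rather than new code, but it looks like it would fail with a syntax error for an empty variable for the same quoting reason, so `"${{{ VARIABLE }}}"` there is presumably wanted too.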
diff --git a/shared/templates/package_removed_guard_var/bash.template b/shared/templates/package_removed_guard_var/bash.template
index d7d5b6b7b85..81cd8b25a4a 100644
--- a/shared/templates/package_removed_guard_var/bash.template
+++ b/shared/templates/package_removed_guard_var/bash.template
@@ -13,7 +13,7 @@
{{{ bash_instantiate_variables(VARIABLE) }}}
{{% if OPERATION == "pattern match" %}}
- if ! [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]]; then
+ if ! [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
{{{ bash_package_remove(package=PKGNAME) }}}
fi
{{% else %}}
diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template
index b175b99fc89..0afd3332d86 100644
--- a/shared/templates/service_disabled_guard_var/bash.template
+++ b/shared/templates/service_disabled_guard_var/bash.template
@@ -8,7 +8,7 @@
{{{ bash_instantiate_variables(VARIABLE) }}}
{{% if OPERATION == "pattern match" %}}
-if ! [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]];
+if ! [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
{{% else %}}
if [ ${{{ VARIABLE }}} != {{{ VALUE }}} ]; then
{{%- endif %}}
diff --git a/shared/templates/service_enabled_guard_var/bash.template b/shared/templates/service_enabled_guard_var/bash.template
index 3cedf2eacfa..12f12bac454 100644
--- a/shared/templates/service_enabled_guard_var/bash.template
+++ b/shared/templates/service_enabled_guard_var/bash.template
@@ -9,7 +9,7 @@
SYSTEMCTL_EXEC='/usr/bin/systemctl'
{{% if OPERATION == "pattern match" %}}
-if [[ "{{{ VALUE }}}" =~ "${{{ VARIABLE }}}" ]];
+if [[ "{{{ VALUE }}}" =~ ${{{ VARIABLE }}} ]]; then
{{% else %}}
if [ ${{{ VARIABLE }}} == {{{ VALUE }}} ]; then
{{%- endif %}}
From e8ef4d7244821f3c4a10b6ce993e75a8fb61ec43 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Mon, 15 Apr 2024 18:25:51 +0300
Subject: [PATCH 15/21] Package removed template guarded is with inverted logic
The given variable should actually mark the state in which the package should not be removed, because it is needed by the setup
---
.../firewalld_deactivation/package_firewalld_removed/rule.yml | 3 +--
.../network/network-nftables/package_nftables_removed/rule.yml | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
index b4d1a6ec54d..74935c28be2 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
@@ -35,8 +35,7 @@ template:
vars:
pkgname: firewalld
variable: var_network_filtering_service
- value: nftables|iptables
- operation: pattern match
+ value: firewalld
{{%- else %}}
template:
name: package_removed
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
index 7df74c0d824..385fb09444d 100644
--- a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
@@ -33,7 +33,7 @@ template:
vars:
pkgname: nftables
variable: var_network_filtering_service
- value: firewalld|iptables
+ value: firewalld|nftables
operation: pattern match
{{%- else %}}
template:
From 6ae92ca101daff8ba7b41e100839497e10f397b1 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 18 Apr 2024 11:19:23 +0300
Subject: [PATCH 16/21] Invert the logic for variable dependency for service
disabled rules
---
.../service_firewalld_disabled/rule.yml | 3 +--
.../service_ip6tables_enabled/rule.yml | 10 ++++++++++
.../service_iptables_enabled/rule.yml | 4 ++--
.../service_nftables_disabled/rule.yml | 3 +--
4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
index e67f50e1efd..ae471731f81 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/service_firewalld_disabled/rule.yml
@@ -44,8 +44,7 @@ template:
packagename: firewalld
servicename: firewalld
variable: var_network_filtering_service
- value: nftables|iptables
- operation: pattern match
+ value: firewalld
{{%- else %}}
template:
name: service_disabled
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
index b9c907e6ddc..8c90fb0ecdc 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled/rule.yml
@@ -34,8 +34,18 @@ ocil: |-
{{{ ocil_service_enabled(service="ip6tables") }}}
+{{%- if product in [ "sle12", "sle15" ] %}}
+template:
+ name: service_enabled_guard_var
+ vars:
+ packagename: iptables
+ servicename: iptables
+ variable: var_network_filtering_service
+ value: iptables
+{{%- else %}}
template:
name: service_enabled
vars:
servicename: ip6tables
packagename: iptables-ipv6
+{{%- endif %}}
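Review bot: The SLE branch added here to service_ip6tables_enabled sets ` packagename: iptables` and ` servicename: iptables`, i.e. it enables the iptables unit, while the non-SLE branch of the same rule targets ` servicename: ip6tables` with ` packagename: iptables-ipv6`; the service_iptables_enabled hunk in this same patch in turn changes its SLE values to ` packagename: ip6tables` / ` servicename: iptables-ipv6`. It looks like the two rules' SLE values were interchanged, and `iptables-ipv6` reads as a package name rather than a service name, so the iptables rule would try to enable a unit that presumably does not exist. If that reading is right, this hunk should keep `servicename: ip6tables` (with whatever package provides that unit on SLE), and the service_iptables_enabled hunk should keep `packagename: iptables` / `servicename: iptables`; either way a comment in rule.yml stating which unit and package each product ships would make the intent checkable.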
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
index 092b18ebec0..066dcf1cd81 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -40,8 +40,8 @@ ocil: |-
template:
name: service_enabled_guard_var
vars:
- packagename: iptables
- servicename: iptables
+ packagename: ip6tables
+ servicename: iptables-ipv6
variable: var_network_filtering_service
value: iptables
{{%- else %}}
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
index 53fb41eed93..45fa774a56c 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -45,8 +45,7 @@ template:
packagename: nftables
servicename: nftables
variable: var_network_filtering_service
- value: firewalld|iptables
- operation: pattern match
+ value: nftables
{{%- else %}}
template:
name: service_disabled
From 55f0f7908248c1d1d940227b39616826975f0bd1 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 21 Jan 2025 11:50:28 +0200
Subject: [PATCH 17/21] Update
shared/templates/package_removed_guard_var/ansible.template
Co-authored-by: Matthew Burket
---
shared/templates/package_removed_guard_var/ansible.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/package_removed_guard_var/ansible.template b/shared/templates/package_removed_guard_var/ansible.template
index 15476033d0e..d35ce522e89 100644
--- a/shared/templates/package_removed_guard_var/ansible.template
+++ b/shared/templates/package_removed_guard_var/ansible.template
@@ -7,7 +7,7 @@
{{{ ansible_instantiate_variables(VARIABLE) }}}
- name: Ensure {{{ PKGNAME }}} is removed
- package:
+ ansible.builtin.package:
name: "{{{ PKGNAME }}}"
state: absent
when: {{{ VARIABLE }}} != "{{{ VALUE }}}"
From b7a296e49955f1629f64aa90d16d6f15ed1cb0a4 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 21 Jan 2025 11:50:48 +0200
Subject: [PATCH 18/21] Update
shared/templates/service_enabled_guard_var/ansible.template
Co-authored-by: Matthew Burket
---
shared/templates/service_enabled_guard_var/ansible.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/service_enabled_guard_var/ansible.template b/shared/templates/service_enabled_guard_var/ansible.template
index eaecf5dfda6..74ad34e16ca 100644
--- a/shared/templates/service_enabled_guard_var/ansible.template
+++ b/shared/templates/service_enabled_guard_var/ansible.template
@@ -14,7 +14,7 @@
{{%- if init_system == "systemd" %}}
- name: Enable service {{{ SERVICENAME }}}
- systemd:
+ ansible.builtin.systemd_service:
name: "{{{ DAEMONNAME }}}"
enabled: "yes"
state: "started"
From b96d6583ab6e3f204dc8a546e1c180827985b4c0 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 21 Jan 2025 11:50:59 +0200
Subject: [PATCH 19/21] Update
shared/templates/package_installed_guard_var/ansible.template
Co-authored-by: Matthew Burket
---
shared/templates/package_installed_guard_var/ansible.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/package_installed_guard_var/ansible.template b/shared/templates/package_installed_guard_var/ansible.template
index 21025983a0a..69f30446458 100644
--- a/shared/templates/package_installed_guard_var/ansible.template
+++ b/shared/templates/package_installed_guard_var/ansible.template
@@ -7,7 +7,7 @@
{{{ ansible_instantiate_variables(VARIABLE) }}}
- name: Ensure {{{ PKGNAME }}} is installed
- package:
+ ansible.builtin.package:
name: "{{{ PKGNAME }}}"
state: present
{{% if OPERATION == "pattern match" %}}
From 440dd03a09de3a619fd8b7191abc57090c36f1e4 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 12 Dec 2024 18:30:41 +0200
Subject: [PATCH 20/21] Simplify template removing obsolete oval < 5.11 version
support
Thanks to @Mab879 for the support
---
.../service_enabled_guard_var/oval.template | 103 ------------------
1 file changed, 103 deletions(-)
diff --git a/shared/templates/service_enabled_guard_var/oval.template b/shared/templates/service_enabled_guard_var/oval.template
index 3b0d77597e4..768b89329b0 100644
--- a/shared/templates/service_enabled_guard_var/oval.template
+++ b/shared/templates/service_enabled_guard_var/oval.template
@@ -7,8 +7,6 @@
{{% else %}}
{{%- set variable_value_op = "equals" -%}}
{{% endif %}}
-{{% if target_oval_version >= [5, 11] %}}
-
{{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
@@ -64,107 +62,6 @@
active
-
-{{% else %}}
-
-
- {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- {{{ SERVICENAME }}}
- 0
-
-
- {{{ SERVICENAME }}}
- 1
-
-
- {{{ SERVICENAME }}}
- 2
-
-
- {{{ SERVICENAME }}}
- 3
-
-
- {{{ SERVICENAME }}}
- 4
-
-
- {{{ SERVICENAME }}}
- 5
-
-
- {{{ SERVICENAME }}}
- 6
-
-
- true
- false
-
-
-{{% endif %}}
{{{ oval_test_external_variable_value(variable=VARIABLE, value=VALUE, test_id=variable_value_test_id, operation=variable_value_op) }}}
{{{ oval_test_package_installed(package=PACKAGENAME, evr="", test_id=package_installed_test_id) }}}
From 8f0fdfe8d1fed15632d41aa24f060fc164409016 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
<315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 12 Dec 2024 18:31:49 +0200
Subject: [PATCH 21/21] Replace machine with more relevant system_with_kernel
platform
Thanks to @Mab879 for raising the flag; I missed that during the rebase
---
.../iptables_activation/service_iptables_enabled/rule.yml | 2 +-
.../network/network-nftables/service_nftables_enabled/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
index 066dcf1cd81..2998afd4275 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled/rule.yml
@@ -31,7 +31,7 @@ references:
nist: AC-4,CM-7(b),CA-3(5),SC-7(21),CM-6(a)
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
-platform: machine and package[iptables] and service_disabled[firewalld]
+platform: system_with_kernel and package[iptables] and service_disabled[firewalld]
ocil: |-
{{{ ocil_service_enabled(service="iptables") }}}
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
index 6929707091a..37addf11a5c 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
@@ -35,7 +35,7 @@ fixtext: |-
{{{ fixtext_service_enabled("nftables") }}}
-platform: machine and package[nftables] and service_disabled[firewalld]
+platform: system_with_kernel and package[nftables] and service_disabled[firewalld]
{{%- if product in [ "sle12", "sle15" ] %}}