Merge pull request #9951 from jan-cerny/use_package_platform

Use templated package platform
ComplianceAsCode · Jan 6, 2023 · 7ed780c · 7ed780c
2 parents 2166772 + b5ca218
commit 7ed780c
Show file tree

Hide file tree

Showing 116 changed files with 148 additions and 760 deletions.
diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
@@ -47,4 +47,4 @@ ocil: |-
     The result should contain:
     <pre>ssl start_tls</pre>
 
-platform: nss-pam-ldapd
+platform: package[nss-pam-ldapd]
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
@@ -22,4 +22,4 @@ ocil: |-
     <pre>$ grep relayhost /etc/postfix/main.cf</pre>
     If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
 
-platform: postfix
+platform: package[postfix]
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -49,4 +49,4 @@ ocil: |-
     <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
     If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
 
-platform: postfix
+platform: package[postfix]
diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
@@ -7,4 +7,4 @@ description: |-
     operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
     or some other software.
 
-platform: postfix
+platform: package[postfix]
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -71,7 +71,7 @@ rationale: |-
 severity: medium
 
 platforms:
-    - ntp or chrony
+    - package[ntp] or package[chrony]
 
 identifiers:
     cce@rhcos4: CCE-82684-2

diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
@@ -86,7 +86,7 @@ rationale: |-
 
 severity: medium
 
-platform: machine and (chrony or ntp)  # The check uses service_... extended definition, which doesnt support offline mode
+platform: machine and (package[chrony] or package[ntp])  # The check uses service_... extended definition, which doesn't support offline mode
 
 identifiers:
     cce@rhcos4: CCE-82683-4

diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -36,7 +36,7 @@ rationale: |-
 
 severity: medium
 
-platform: chrony
+platform: package[chrony]
 
 identifiers:
     cce@rhel7: CCE-82878-0

diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
 
 severity: medium
 
-platform: chrony
+platform: package[chrony]
 
 warnings:
   - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.

diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -19,7 +19,7 @@ rationale: |-
 
 severity: medium
 
-platform: chrony
+platform: package[chrony]
 
 identifiers:
     cce@rhel7: CCE-83418-4

diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/rule.yml
@@ -21,7 +21,7 @@ rationale: |-
 
 severity: medium
 
-platform: ntp
+platform: package[ntp]
 
 references:
     cis@alinux2: 2.1.1.2

diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/rule.yml
@@ -22,7 +22,7 @@ rationale: |-
 
 severity: medium
 
-platform: ntp
+platform: package[ntp]
 
 references:
     cis@alinux2: 2.1.1.2

diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml
@@ -44,4 +44,4 @@ ocil: |-
     In the file, there should be a section similar to the following:
     <pre>server <i>ntpserver</i></pre>
 
-platform: ntp
+platform: package[ntp]
diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml
@@ -47,4 +47,4 @@ template:
         servicename: ntpd
         packagename: ntp
 
-platform: ntp
+platform: package[ntp]
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
@@ -27,7 +27,7 @@ rationale: |-
 
 severity: medium
 
-platform: tftp-server
+platform: package[tftp-server]
 
 identifiers:
     cce@rhel7: CCE-80214-0

diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml
@@ -27,4 +27,4 @@ ocil: |-
     <pre>$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser'</pre>
     There should be no output.
 
-platform: net-snmp
+platform: package[net-snmp]
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
@@ -43,4 +43,4 @@ ocil: |-
     <pre>$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private'</pre>
     There should be no output.
 
-platform: net-snmp
+platform: package[net-snmp]
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml
@@ -30,4 +30,4 @@ ocil: |-
     <pre>$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
     There should be no output.
 
-platform: net-snmp
+platform: package[net-snmp]
diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml
@@ -24,4 +24,4 @@ description: |-
         {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/userauth/userauth-UsingtheSystemSecurityServicesDaemon.html") }}}
     {{%- endif %}}
 
-platform: sssd
+platform: package[sssd]
diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
@@ -29,7 +29,7 @@ references:
     stigid@ol8: OL08-00-030603
     stigid@rhel8: RHEL-08-030603
 
-platform: usbguard
+platform: package[usbguard]
 
 ocil_clause: 'AuditBackend is not set to LinuxAudit'
 

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml
@@ -10,4 +10,4 @@ description: |-
     The following sections describe how to configure the GDM login
     banner.
 
-platform: gdm
+platform: package[gdm]
diff --git a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml
@@ -48,4 +48,4 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must not be configured to bypass password requirements for privilege escalation.'
 
-platform: pam
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
@@ -54,7 +54,7 @@ references:
     stigid@sle15: SLES-15-020080
     stigid@ubuntu2004: UBTU-20-010453
 
-platform: pam
+platform: package[pam]
 
 ocil_clause: '"pam_lastlog" is missing from "{{{ pam_lastlog_path }}}" file, or the silent option is present'
 

diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml
@@ -36,4 +36,4 @@ ocil: |-
   The output should return the following uncommented:
   <pre>session    required     pam_namespace.so</pre>
 
-platform: pam
+platform: package[pam]
diff --git a/...ounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/...ounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
@@ -47,7 +47,7 @@ ocil: |-
     <tt>{{{ xccdf_value("var_password_pam_remember") }}}</tt>, or is missing the
     "use_authtok" keyword, this is a finding.
 
-platform: pam
+platform: package[pam]
 
 template:
     name: pam_options

diff --git a/...ing_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/...ing_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -114,7 +114,7 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.'
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/...cking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/...cking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
@@ -114,7 +114,7 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.'
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -89,7 +89,7 @@ fixtext: |-
     <pre>authselect enable-feature with-pwhistory</pre>
     {{% endif %}}
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -54,7 +54,7 @@ references:
     stigid@rhel8: RHEL-08-020010
     vmmsrg: SRG-OS-000021-VMM-000050
 
-platform: pam
+platform: package[pam]
 
 ocil_clause: |-
     the "deny" option is not set to "{{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}"

diff --git a/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -83,7 +83,7 @@ fixtext: |-
     <pre>even_deny_root</pre>
     {{% endif %}}
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/...s/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml b/...s/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml
@@ -50,7 +50,7 @@ fixtext: |-
     add, uncomment or edit the following line:
     <pre>dir = {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}}</pre>
 
-platform: pam
+platform: package[pam]
 
 srg_requirement: '{{{ full_name }}} must ensure account lockouts persist.'
 

diff --git a/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml
@@ -44,7 +44,7 @@ fixtext: |-
     add or uncomment the following line:
     <pre>silent</pre>
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -42,7 +42,7 @@ references:
     stigid@rhel8: RHEL-08-020012
     vmmsrg: SRG-OS-000021-VMM-000050
 
-platform: pam
+platform: package[pam]
 
 ocil_clause: |-
     the "fail_interval" option is not set to "{{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}"

diff --git a/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml b/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml
@@ -46,7 +46,7 @@ fixtext: |-
     add or uncomment the following line:
     <pre>silent</pre>
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - general: |-

diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -54,7 +54,7 @@ references:
     stigid@rhel8: RHEL-08-020016
     vmmsrg: SRG-OS-000329-VMM-001180
 
-platform: pam
+platform: package[pam]
 
 ocil_clause: |-
     the "unlock_time" option is not set to "{{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}",

diff --git a/...counts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml b/...counts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml
@@ -54,7 +54,7 @@ fixtext: |-
     <pre>account required pam_tally2.so</pre></li>
     </ul>
 
-platform: pam
+platform: package[pam]
 
 srg_requirement: |-
     {{{ full_name }}} must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
diff --git a/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_unlock_time/rule.yml b/...unts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_unlock_time/rule.yml
@@ -47,7 +47,7 @@ fixtext: |-
     Modify the content of both <tt>/etc/pam.d/common-auth</tt>, like this:
     <pre>auth required pam_tally2.so deny={{{ xccdf_value("var_accounts_passwords_pam_tally2_deny") }}} <tt>unlock_time={{{ xccdf_value("var_accounts_passwords_pam_tally2_unlock_time") }}}</tt> </pre>
 
-platform: pam
+platform: package[pam]
 
 srg_requirement: |-
         {{{ full_name }}} must automatically lock an account until the locked account is released by an administrator.
diff --git a/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one numeric character be used.'
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml
@@ -42,7 +42,7 @@ ocil: |-
 
     /etc/security/pwquality.conf:dictcheck=1</pre>
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...unts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/...unts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -61,7 +61,7 @@ ocil: |-
 
     difok = {{{ xccdf_value("var_password_pam_difok") }}}</pre>
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/.../password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/.../password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml
@@ -34,7 +34,7 @@ ocil: |-
     <pre>$ grep local_users_only /etc/security/pwquality.conf</pre>
     The output should return <tt>local_users_only</tt> uncommented.
 
-platform: pam
+platform: package[pam]
 
 warnings:
     - management: |-

diff --git a/...m/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/...m/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml
@@ -51,7 +51,7 @@ fixtext: |-
 srg_requirement: |-
     {{{ full_name }}} must enforce password complexity rules for the root account.
 
-platform: pam
+platform: package[pam]
 
 template:
     name: "lineinfile"

diff --git a/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml b/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml
@@ -40,7 +40,7 @@ ocil: |-
     <pre>$ grep -i enforcing /etc/security/pwquality.conf</pre>
     The output should return <tt>enforcing = 1</tt> uncommented.
 
-platform: pam
+platform: package[pam]
 
 template:
     name: "lineinfile"

diff --git a/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one lower-case character be used.'
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/...password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -51,7 +51,7 @@ ocil: |-
 
     maxclassrepeat = {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}</pre>
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/...-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -53,7 +53,7 @@ ocil: |-
 
     maxrepeat = {{{ xccdf_value("var_password_pam_maxrepeat") }}}</pre>
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...s-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/...s-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -72,7 +72,7 @@ ocil: |-
 
     minclass = {{{ xccdf_value("var_password_pam_minclass") }}}</pre>
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...nts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/...nts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -78,7 +78,7 @@ fixtext: |-
 srg_requirement: |-
     {{{ full_name }}} passwords must be created with a minimum of 15 characters.
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/...ts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
 srg_requirement: |-
     {{{ full_name }}} must enforce password complexity by requiring that at least one special character be used.
 
-platform: pam
+platform: package[pam]
 
 template:
     name: accounts_password

diff --git a/...quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/...quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
@@ -44,4 +44,4 @@ fixtext: |-
 
 srg_requirement: '{{{ full_name }}} must ensure the password complexity module is enabled in the password-auth file.'
 
-platform: pam
+platform: package[pam]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -48,4 +48,4 @@ fixtext: \|-

		srg_requirement: '{{{ full_name }}} must not be configured to bypass password requirements for privilege escalation.'

		platform: pam
		platform: package[pam]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -44,4 +44,4 @@ fixtext: \|-

		srg_requirement: '{{{ full_name }}} must ensure the password complexity module is enabled in the password-auth file.'

		platform: pam
		platform: package[pam]