OCIL
- TEMPLATE rhcos_node_login_instructions
How to log in to a Red Hat CoreOS Node
rhcos_node_login_instructions()
- TEMPLATE complete_ocil_entry_audit_privileged_commands
OCIL and OCIL clause for ensuring that a privileged command is audited.
- Parameters:
cmd (str) – The command to audit
path_prefix (str) – The directory the command is in
complete_ocil_entry_audit_privileged_commands(cmd, path_prefix, key)
- TEMPLATE ocil_audit_syscall
OCIL for adding a syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
ocil_audit_syscall(syscall)
- TEMPLATE ocil_clause_entry_audit_syscall
OCIL clause for adding a syscall to audit logs
ocil_clause_entry_audit_syscall()
- TEMPLATE complete_ocil_entry_audit_syscall
OCIL and OCIL clause for adding a syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
complete_ocil_entry_audit_syscall(syscall)
- TEMPLATE ocil_audit_successful_syscall
OCIL for adding a successful syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
ocil_audit_successful_syscall(syscall)
- TEMPLATE ocil_audit_unsuccessful_syscall
OCIL for adding a unsuccessful syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
ocil_audit_unsuccessful_syscall(syscall)
- TEMPLATE complete_ocil_entry_audit_successful_syscall
OCIL and OCIL clause for adding a successful syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
complete_ocil_entry_audit_successful_syscall(syscall)
- TEMPLATE complete_ocil_entry_audit_unsuccessful_syscall
OCIL and OCIL clause for adding a unsuccessful syscall to audit logs
- Parameters:
syscall (str) – The syscall to audit
complete_ocil_entry_audit_unsuccessful_syscall(syscall)
- TEMPLATE dpkg_ocil_package
Describe how to check if a package is installed with dpkg.
- Parameters:
package (str) – The package to check
dpkg_ocil_package(package)
- TEMPLATE ocil_package
Insert general ocil clause to check if a package is installed, substituting the correct package management software.
- Parameters:
package (str) – Name of package
ocil_package(package)
- TEMPLATE rpm_complete_ocil_entry_package
OCIL and OCIL clause how to check if a package is installed with rpm.
- Parameters:
package (str) – The package to check
rpm_complete_ocil_entry_package(package)
- TEMPLATE dpkg_complete_ocil_entry_package
OCIL and OCIL clause how to check if a package is installed with dpkg.
- Parameters:
package (str) – The package to check
dpkg_complete_ocil_entry_package(package)
- TEMPLATE complete_ocil_entry_package
Insert a complete OCIL block for a case when a package should be removed, substituting the correct package management software.
- Parameters:
package (str) – Name of package
complete_ocil_entry_package(package)
- TEMPLATE ocil_service_enabled
Inserts an OCIL for a case when a service should be enabled, substituting the correct init system.
- Parameters:
service (str) – Name of service
ocil_service_enabled(service)
- TEMPLATE ocil_clause_service_enabled
Inserts an OCIL Clause for a case when a service should be enabled.
- Parameters:
service (str) – Name of service
ocil_clause_service_enabled(service)
- TEMPLATE ocil_service_disabled
Inserts an OCIL for a case when a service should be disabled, substituting the correct init system.
- Parameters:
service (str) – Name of service
ocil_service_disabled(service)
- TEMPLATE ocil_clause_service_disabled
Inserts an OCIL Clause for a case when a service should be disabled.
- Parameters:
service (str) – Name of service
ocil_clause_service_disabled(service)
- TEMPLATE socket_disabled_check_with_systemd
Describe how to check if socket is disabled with systemd.
- Parameters:
socket (str) – The socket to check
socket_disabled_check_with_systemd(socket)
- TEMPLATE systemd_complete_ocil_entry_socket_and_service_disabled
OCIL and OCIL clause for ensure socket is disabled in systemd and xinetd.
- Parameters:
name (str) – The socket to check
systemd_complete_ocil_entry_socket_and_service_disabled(name)
- TEMPLATE complete_ocil_entry_socket_and_service_disabled
Inserts an OCIL for a case when a service and a corresponding socket should be disabled, substituting the correct init system.
- Parameters:
service (str) – Name of service
complete_ocil_entry_socket_and_service_disabled(service)
- TEMPLATE ocil_sshd_option
OCIL for an sshd option.
Example usage:
ocil_sshd_option(default="no", option="Banner", value="/etc/issue")
- Parameters:
default (str) – If set to yes the default value is accepted
option (str) – The sshd option to configure
value (str) – The value for the given option
ocil_sshd_option(default, option, value)
- TEMPLATE complete_ocil_entry_sshd_option
OCIL and OCIL clause for and sshd option.
Example usage:
complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue")
- Parameters:
default (str) – If set to yes the default value is accepted
option (str) – The sshd option to configure
value (str) – The value for the given option
complete_ocil_entry_sshd_option(default, option, value)
- TEMPLATE ocil_clause_entry_mount_option
The OCIL clause for mount options.
- Parameters:
point (str) – The mount point to check
option (str) – The options the mount point should have
ocil_clause_entry_mount_option(point, option)
- TEMPLATE complete_ocil_entry_mount_option
The OCIL and OCIL clause for mount options.
- Parameters:
point (str) – The mount point to check
option (str) – The options the mount point should have
complete_ocil_entry_mount_option(point, option)
- TEMPLATE complete_ocil_entry_separate_partition
OCIL for how to check if given path is on its own partition or logical volume and the correct OCIL clause.
- Parameters:
part (str) – Path to check
complete_ocil_entry_separate_partition(part)
- TEMPLATE _firewalld_check
Firewalld macros
_firewalld_check(access_action, port, proto, service)
- TEMPLATE ocil_firewalld_allow_access
OCIL for allowing a port or service in firewalld. If the
serviceparameter is defined it is assumed to be a service and theportandprotoparameters will have no effect.
- Parameters:
port (str) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
ocil_firewalld_allow_access(port=none, proto=none, service=none)
- TEMPLATE ocil_firewalld_prevent_access
OCIL for preventing access a port or service in firewalld. If the
serviceparameter is defined it is assumed to be a service and theportandprotoparameters will have no effect.
- Parameters:
port (int) – The port to allow
proto (str) – The protocol to allow
service (str) – The service to allow
ocil_firewalld_prevent_access(port=none, proto=none, service=none)
- TEMPLATE complete_ocil_entry_module_disable
OCIL and OCIL clause for disabling a kernel module.
- Parameters:
module (str) – The module to disable.
complete_ocil_entry_module_disable(module)
- TEMPLATE describe_sebool_check_var
Describe how to check if given SELinux boolean is set depending on a variable.
- Parameters:
sebool (str) – The SELinux boolean to check
describe_sebool_check_var(sebool)
- TEMPLATE complete_ocil_entry_sebool_disabled
OCIL and OCIL clause for how to check if given SELinux boolean is disabled.
- Parameters:
sebool (str) – The SELinux boolean to check
complete_ocil_entry_sebool_disabled(sebool)
- TEMPLATE describe_sebool_check_enabled
Describe how to check if given SELinux boolean is enabled.
- Parameters:
sebool (str) – The SELinux boolean to check
describe_sebool_check_enabled(sebool)
- TEMPLATE complete_ocil_entry_sebool_enabled
OCIL and OCIL clause for how to check if given SELinux boolean is enabled.
- Parameters:
sebool (str) – The SELinux boolean to check
complete_ocil_entry_sebool_enabled(sebool)
- TEMPLATE ocil_timer_enabled
Inserts an OCIL for a case when a timer should be enabled, substituting the correct init system.
- Parameters:
timer (str) – Name of timer
ocil_timer_enabled(timer)
- TEMPLATE ocil_clause_file_permissions
OCIL clause for file permissions
- Parameters:
file (str) – File to change
perms (str) – the permissions for the file
ocil_clause_file_permissions(file, perms)
- TEMPLATE ocil_file_owner
OCIL how to check the file owner of a file.
- Parameters:
file (str) – File to change
owner (str) – The owner for the file
ocil_file_owner(file, owner)
- TEMPLATE ocil_clause_file_owner
OCIL clause for file owner
- Parameters:
file (str) – File to change
owner (str) – the owner for the file
ocil_clause_file_owner(file, owner)
- TEMPLATE ocil_file_group_owner
OCIL how to check the file group owner of a file.
- Parameters:
file (str) – File to change
group (str) – the group owner for the file
ocil_file_group_owner(file, group)
- TEMPLATE ocil_clause_file_group_owner
OCIL clause for file group owner
- Parameters:
file (str) – File to change
group (str) – the group owner for the file
ocil_clause_file_group_owner(file, group)
- TEMPLATE complete_ocil_entry_sysctl_option_value
OCIL and OCIL clause for a sysctl option
- Parameters:
sysctl (str) – The kernel parameter to change
value (str) – The value to be set
complete_ocil_entry_sysctl_option_value(sysctl, value)
- TEMPLATE ocil_audit_rules_unsuccessful_file_modification_o_creat
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_creat template
- Parameters:
syscall (str) – system call
position (str) – the position of the system call O_CREAT argument, eg. a2
ocil_audit_rules_unsuccessful_file_modification_o_creat(syscall, position)
- TEMPLATE ocil_audit_rules_unsuccessful_file_modification_o_trunc_write
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_o_trunc_write template
- Parameters:
syscall (str) – system call
position (str) – the position of the system call O_TRUNC_WRITE argument, eg. a2
ocil_audit_rules_unsuccessful_file_modification_o_trunc_write(syscall, position)
- TEMPLATE ocil_audit_rules_unsuccessful_file_modification_rule_order
Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification_rule_order template
- Parameters:
syscall (str) – system call
position (str) – the position of the system call O_TRUNC_WRITE and O_CREAT arguments, eg. a2
ocil_audit_rules_unsuccessful_file_modification_rule_order(syscall, position)