diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 216448a3cdb5..bff71287993b 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -173,7 +173,8 @@ Used in rule descriptions, OCIL, fixtext, and warnings fields: - `{{{ describe_file_permissions(file="/path", perms="0700") }}}` - File permission description - `{{{ describe_sysctl_option_value(sysctl="key", value="val") }}}` - Sysctl description - `{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}}` - Full OCIL for sysctl -- `{{{ complete_ocil_entry_package(package="name") }}}` - Full OCIL for package check +- `{{{ complete_ocil_entry_package_installed("name") }}}` - OCIL when the package must be installed +- `{{{ complete_ocil_entry_package_removed("name") }}}` - OCIL when the package must be absent - `{{{ fixtext_package_removed("name") }}}` - Fixtext for package removal - `{{{ fixtext_sysctl("key", "value") }}}` - Fixtext for sysctl setting - `{{{ fixtext_directory_permissions(file="/path", mode="0600") }}}` - Fixtext for dir permissions diff --git a/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml index f3c77b1eeff0..1e648b605618 100644 --- a/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml @@ -21,9 +21,7 @@ identifiers: references: srg: SRG-OS-000342-GPOS-00133 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="audispd-plugins") }}}' +{{{ complete_ocil_entry_package_installed("audispd-plugins") }}} fixtext: '{{{ fixtext_package_installed("audispd-plugins") }}}' diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml index cdd150b6925d..3b200b050cac 100644 --- a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml 
@@ -1,15 +1,15 @@ -{{% if product in ["sle12","sle15"] %}} -{{% set package_name = "libaudit1" %}} +{{% if product in ["sle12", "sle15", "slmicro5"] %}} + {{%- set package = "libaudit1" %}} {{% else %}} -{{% set package_name = "audit-libs" %}} + {{%- set package = "audit-libs" %}} {{% endif %}} documentation_complete: true -title: 'Ensure the {{{ package_name }}} package as a part of audit Subsystem is Installed' +title: 'Ensure the {{{ package }}} package as a part of audit Subsystem is Installed' -description: 'The {{{ package_name }}} package should be installed.' +description: 'The {{{ package }}} package should be installed.' rationale: 'The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.' 
@@ -32,25 +32,16 @@ references: pcidss: Req-10.2.1 srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220 -ocil_clause: 'the {{{ package_name }}} package is not installed' - -{{% if product in ["sle12","sle15","slmicro5"] %}} -ocil: '{{{ ocil_package("libaudit1") }}}' -{{% else %}} -ocil: '{{{ ocil_package("audit-libs") }}}' -{{% endif %}} +{{{ complete_ocil_entry_package_installed(package=package) }}} fixtext: |- - Install the {{{ package_name }}} package (if {{{ package_name }}} package is not already installed) with the following command: -{{% if product in ["sle12","sle15","slmicro5"] %}} - {{{ package_install("libaudit1") }}} -{{% else %}} - {{{ package_install("audit-libs") }}} -{{% endif %}} + Install the {{{ package }}} package (if {{{ package }}} package is not already installed) with the following command: + {{{ package_install(package=package) }}} template: name: package_installed vars: pkgname: audit-libs + pkgname@sle12: libaudit1 pkgname@sle15: libaudit1 pkgname@slmicro5: libaudit1 diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml index 1f0043e096d3..47f71637a7a2 100644 --- a/linux_os/guide/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit_installed/rule.yml 
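Review bot: The product-to-package mapping for package_audit-libs_installed still lives in two places that must be edited together: the `{{% if product in ["sle12", "sle15", "slmicro5"] %}}` test at the top of the file and the `pkgname@sle12` / `pkgname@sle15` / `pkgname@slmicro5` keys under `template: vars:` in this hunk. This commit had to add `slmicro5` to the first and `pkgname@sle12` to the second, which suggests the lists had already drifted. When they disagree, the OCIL text an assessor follows and the automated check name different packages. package_cron_installed in this same change uses `pkgname: {{{ package }}}`, and doing the same here would leave a single list to maintain. The same pairing probably applies to the openldap-clients, openldap-servers and ntp rules, whose `vars` blocks are outside their hunks.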
@@ -33,9 +33,7 @@ references: stigid@sle12: SLES-12-020000 stigid@sle15: SLES-15-030650 -ocil_clause: 'the audit package is not installed' - -ocil: '{{{ ocil_package("audit") }}}' +{{{ complete_ocil_entry_package_installed("audit") }}} fixtext: |- Install the audit service (if the audit service is not already installed) with the following command: diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml index bcce1830dfb5..dec65f241145 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml @@ -33,7 +33,8 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="avahi-autoipd") }}} +{{{ complete_ocil_entry_package_removed("avahi-autoipd") }}} + fixtext: '{{{ fixtext_package_removed("avahi-autoipd") }}}' template: diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml index c8f9b7d43b0f..9e62a077de40 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml @@ -34,7 +34,8 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="avahi") }}} +{{{ complete_ocil_entry_package_removed("avahi") }}} + fixtext: '{{{ fixtext_package_removed("avahi") }}}' template: diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml index 5ad756c1d78f..64a7c2677464 100644 --- a/linux_os/guide/services/base/package_abrt_removed/rule.yml 
+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml @@ -26,7 +26,7 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol8: OL08-00-040001 -{{{ complete_ocil_entry_package(package="abrt") }}} +{{{ complete_ocil_entry_package_removed("abrt") }}} template: name: package_removed diff --git a/linux_os/guide/services/base/package_psacct_installed/rule.yml b/linux_os/guide/services/base/package_psacct_installed/rule.yml index ebdb655ed5e1..4eedf0d7c62d 100644 --- a/linux_os/guide/services/base/package_psacct_installed/rule.yml +++ b/linux_os/guide/services/base/package_psacct_installed/rule.yml @@ -29,9 +29,7 @@ references: nist: AU-12(a),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="psacct") }}}' +{{{ complete_ocil_entry_package_installed("psacct") }}} template: name: package_installed diff --git a/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml b/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml index 18b12702432c..c539f453688f 100644 --- a/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml +++ b/linux_os/guide/services/cron_and_at/disable_anacron/rule.yml @@ -26,4 +26,4 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="cronie-anacron") }}} +{{{ complete_ocil_entry_package_removed("cronie-anacron") }}} diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml index 8ae169f1707d..1ad468bd6cd3 100644 --- a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml +++ b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml 
@@ -1,7 +1,7 @@ -{{% if product in [ "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16"] %}} -{{% set package_name = "cronie" %}} +{{% if 'rhel' in product or product in ["ol9", "ol10", "sle12", "sle15", "sle16"] %}} + {{%- set package = "cronie" %}} {{% else %}} -{{% set package_name = "cron" %}} + {{%- set package = "cron" %}} {{% endif %}} documentation_complete: true @@ -35,12 +35,9 @@ references: nist-csf: PR.IP-1,PR.PT-3 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: 'the package is installed' - -ocil: |- - {{{ ocil_package(package_name) }}} +{{{ complete_ocil_entry_package_installed(package=package) }}} template: name: package_installed vars: - pkgname: {{{ package_name }}} + pkgname: {{{ package }}} diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_client/package_dhcp_client_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_client/package_dhcp_client_removed/rule.yml index 8997bfccd035..362e3857b60c 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_client/package_dhcp_client_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_client/package_dhcp_client_removed/rule.yml @@ -30,7 +30,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="dhcp-client") }}} +{{{ complete_ocil_entry_package_removed("dhcp-client") }}} template: name: package_removed diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml index cf13c4a31c11..be5f3397ad78 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml 
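Review bot: The new condition `'rhel' in product` in the first package_cron_installed hunk is a substring test and is wider than the list it replaces, which named `rhel8`, `rhel9` and `rhel10` explicitly. Any product id containing `rhel` now resolves to `cronie`, and because the second hunk feeds the same variable into `pkgname: {{{ package }}}`, the automated check changes along with the OCIL text. If the widening is intended, a short comment above the test saying so would help. Otherwise keeping the explicit ids, `product in ["ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16"]`, keeps this file a pure macro swap.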
@@ -1,17 +1,19 @@ +{{% if 'ubuntu' in product %}} + {{%- set package = "isc-dhcp-server" %}} +{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}} + {{%- set package = "dhcp-server" %}} +{{% else %}} + {{%- set package = "dhcp" %}} +{{% endif %}} + documentation_complete: true title: 'Uninstall DHCP Server Package' description: |- If the system does not need to act as a DHCP server, - the dhcp package can be uninstalled. - {{% if 'ubuntu' in product %}} - {{{ describe_package_remove(package="isc-dhcp-server") }}} - {{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}} - {{{ describe_package_remove(package="dhcp-server") }}} - {{% else %}} - {{{ describe_package_remove(package="dhcp") }}} - {{% endif %}} + the {{{ package }}} package can be uninstalled. + {{{ describe_package_remove(package=package) }}} rationale: |- Removing the DHCP server ensures that it cannot be easily or @@ -39,13 +41,8 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{% if 'ubuntu' in product %}} -{{{ complete_ocil_entry_package(package="isc-dhcp-server") }}} -{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}} -{{{ complete_ocil_entry_package(package="dhcp-server") }}} -{{% else %}} -{{{ complete_ocil_entry_package(package="dhcp") }}} -{{% endif %}} + +{{{ complete_ocil_entry_package_removed(package=package) }}} template: name: package_removed diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml index 8311aa5ce764..c85abff6015a 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml 
@@ -18,7 +18,7 @@ identifiers: cce@rhel10: CCE-86596-4 cce@sle16: CCE-96693-7 -{{{ complete_ocil_entry_package(package="kea") }}} +{{{ complete_ocil_entry_package_removed("kea") }}} template: name: package_removed diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml index b749e3c50001..9e9e33fb7aea 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml @@ -36,7 +36,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="bind") }}} +{{{ complete_ocil_entry_package_removed("bind") }}} template: name: package_removed diff --git a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml index 2b53ebdc4ab2..45d124710099 100644 --- a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml +++ b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml @@ -21,7 +21,7 @@ identifiers: cce@rhel10: CCE-86558-4 cce@sle15: CCE-92596-6 -{{{ complete_ocil_entry_package(package="dnsmasq") }}} +{{{ complete_ocil_entry_package_removed("dnsmasq") }}} template: name: package_removed diff --git a/linux_os/guide/services/docker/package_docker_installed/rule.yml b/linux_os/guide/services/docker/package_docker_installed/rule.yml index 5d3c27149a1d..fe6c70cf8616 100644 --- a/linux_os/guide/services/docker/package_docker_installed/rule.yml +++ b/linux_os/guide/services/docker/package_docker_installed/rule.yml @@ -14,9 +14,7 @@ rationale: |- severity: medium -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="docker") }}}' +{{{ complete_ocil_entry_package_installed("docker") }}} platform: machine 
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml index e7fad9aefd82..e68b0952998e 100644 --- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml @@ -24,9 +24,7 @@ references: srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230 stigid@ol8: OL08-00-040135 -ocil_clause: 'the fapolicyd package is not installed' - -ocil: '{{{ ocil_package(package="fapolicyd") }}}' +{{{ complete_ocil_entry_package_installed("fapolicyd") }}} fixtext: |- {{{ fixtext_package_installed("fapolicyd") | indent(4) }}} diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index ace8d2e05c55..783ab5e16d83 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -36,7 +36,7 @@ references: stigid@sle12: SLES-12-030011 stigid@sle15: SLES-15-010030 -{{{ complete_ocil_entry_package(package="vsftpd") }}} +{{{ complete_ocil_entry_package_removed("vsftpd") }}} fixtext: '{{{ fixtext_package_removed(package="vsftpd") }}}' diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml index 0c1605831326..02f281ed5266 100644 --- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml 
@@ -1,15 +1,15 @@ documentation_complete: true {{% if 'ubuntu' in product %}} -{{% set package_name = "apache2" %}} + {{%- set package = "apache2" %}} {{% else %}} -{{% set package_name = "httpd" %}} + {{%- set package = "httpd" %}} {{% endif %}} -title: 'Uninstall {{{ package_name }}} Package' +title: 'Uninstall {{{ package }}} Package' description: |- - {{{ describe_package_remove(package=package_name) }}} + {{{ describe_package_remove(package=package) }}} rationale: |- If there is no need to make the web server software available, @@ -36,9 +36,9 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package=package_name) }}} +{{{ complete_ocil_entry_package_removed(package=package) }}} template: name: package_removed vars: - pkgname: {{{ package_name }}} + pkgname: {{{ package }}} diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml index a08e93d5c988..55004edb92bf 100644 --- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml @@ -24,7 +24,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -{{{ complete_ocil_entry_package(package="nginx") }}} +{{{ complete_ocil_entry_package_removed("nginx") }}} template: name: package_removed diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml index 3906c80254f7..04338b8528cd 100644 --- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml 
@@ -17,7 +17,7 @@ identifiers: cce@rhel10: CCE-90156-1 cce@sle15: CCE-92595-8 -{{{ complete_ocil_entry_package(package="cyrus-imapd") }}} +{{{ complete_ocil_entry_package_removed("cyrus-imapd") }}} template: name: package_removed diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml index 3cfd8548ef7b..0a1f7f5b2a2e 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml @@ -1,13 +1,15 @@ +{{% if 'ubuntu' not in product %}} + {{%- set package = "dovecot" %}} +{{% else %}} + {{%- set package = "dovecot-core" %}} +{{% endif %}} + documentation_complete: true title: 'Uninstall dovecot Package' description: |- - {{% if 'ubuntu' not in product %}} - {{{ describe_package_remove(package="dovecot") }}} - {{% else %}} - {{{ describe_package_remove(package="dovecot-core") }}} - {{% endif %}} + {{{ describe_package_remove(package=package) }}} rationale: |- If there is no need to make the Dovecot software available, @@ -27,11 +29,7 @@ references: cis@sle12: 2.2.12 cis@sle15: 2.2.12 -{{% if 'ubuntu' not in product %}} -{{{ complete_ocil_entry_package(package="dovecot") }}} -{{% else %}} -{{{ complete_ocil_entry_package(package="dovecot-core") }}} -{{% endif %}} +{{{ complete_ocil_entry_package_removed(package=package) }}} template: name: package_removed diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml index 336f04b987bd..9f180563b3f9 100644 --- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml +++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml 
@@ -32,9 +32,7 @@ references: platforms: - krb5_server_older_than_1_17-18 -ocil_clause: 'the package is installed' - -ocil: '{{{ ocil_package(package="krb5-server") }}}' +{{{ complete_ocil_entry_package_removed("krb5-server") }}} template: name: package_removed diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml index d8a0c6ed8a2a..5ff291774a91 100644 --- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml @@ -1,9 +1,9 @@ -{{% if product in ["sle12", "sle15"] %}} -{{% set package_name = "openldap2-client" %}} +{{% if product in ["sle12", "sle15", "slmicro5"] %}} + {{%- set package = "openldap2-client" %}} {{% elif "ubuntu" in product %}} -{{% set package_name = "ldap-utils" %}} + {{%- set package = "ldap-utils" %}} {{% else %}} -{{% set package_name = "openldap-clients" %}} + {{%- set package = "openldap-clients" %}} {{% endif %}} documentation_complete: true @@ -14,7 +14,7 @@ title: 'Ensure LDAP client is not installed' description: |- The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. - {{{ describe_package_remove( package_name ) }}} + {{{ describe_package_remove(package=package) }}} rationale: @@ -35,10 +35,7 @@ references: cis@sle12: 2.3.5 cis@sle15: 2.3.5 -ocil_clause: 'the package is installed' - -ocil: |- - {{{ ocil_package(package_name) }}} +{{{ complete_ocil_entry_package_removed(package=package) }}} template: name: package_removed diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml index 5c805fa09975..2c2f7ea7552a 100644 
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml @@ -1,20 +1,17 @@ -{{% if product in ["sle12", "sle15"] %}} -{{% set package_name = "openldap2" %}} -{{% set run_cmd = "$ rpm -q openldap2" %}} +{{% if product in ["sle12", "sle15", "slmicro5"] %}} + {{%- set package = "openldap2" %}} {{% elif "ubuntu" in product %}} -{{% set package_name = "slapd" %}} -{{% set run_cmd = "$ dpkg -l slapd" %}} + {{%- set package = "slapd" %}} {{% else %}} -{{% set package_name = "openldap-servers" %}} -{{% set run_cmd = "$ rpm -q openldap-servers" %}} + {{%- set package = "openldap-servers" %}} {{% endif %}} documentation_complete: true -title: 'Uninstall openldap-servers Package' +title: 'Uninstall {{{ package }}} Package' description: |- - The {{{ package_name }}} package is not installed by default on a {{{ full_name }}} + The {{{ package }}} package is not installed by default on a {{{ full_name }}} system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. @@ -43,14 +40,8 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 -ocil_clause: "it does not" -ocil: |- - To verify the {{{ package_name }}} package is not installed, run the - following command: -
{{{ run_cmd }}}
- The output should show the following:
- package {{{ package_name }}} is not installed
+{{{ complete_ocil_entry_package_removed(package=package) }}}
template:
name: package_removed
diff --git a/linux_os/guide/services/mail/package_mailx_installed/rule.yml b/linux_os/guide/services/mail/package_mailx_installed/rule.yml
index 6e42ca61263d..b61f166bb54b 100644
--- a/linux_os/guide/services/mail/package_mailx_installed/rule.yml
+++ b/linux_os/guide/services/mail/package_mailx_installed/rule.yml
@@ -26,9 +26,7 @@ references:
stigid@sle12: SLES-12-010498
stigid@sle15: SLES-15-010418
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="mailx") }}}'
+{{{ complete_ocil_entry_package_installed("mailx") }}}
fixtext: '{{{ fixtext_package_installed(package="mailx") }}}'
diff --git a/linux_os/guide/services/mail/package_postfix_installed/rule.yml b/linux_os/guide/services/mail/package_postfix_installed/rule.yml
index 59373fb084a9..b00b209dec85 100644
--- a/linux_os/guide/services/mail/package_postfix_installed/rule.yml
+++ b/linux_os/guide/services/mail/package_postfix_installed/rule.yml
@@ -19,9 +19,7 @@ identifiers:
references:
srg: SRG-OS-000046-GPOS-00022
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="postfix") }}}'
+{{{ complete_ocil_entry_package_installed("postfix") }}}
fixtext: '{{{ fixtext_package_installed(package="postfix") }}}'
diff --git a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
index 7b49a41fd5da..244b65b94499 100644
--- a/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
+++ b/linux_os/guide/services/mail/package_s-nail_installed/rule.yml
@@ -21,9 +21,7 @@ references:
nist: CM-3(5)
srg: SRG-OS-000363-GPOS-00150
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="s-nail") }}}'
+{{{ complete_ocil_entry_package_installed("s-nail") }}}
template:
name: package_installed
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 59e0d3880866..6cf8ca96e488 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -33,7 +33,7 @@ references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000095-GPOS-00049
stigid@ol8: OL08-00-040002
-{{{ complete_ocil_entry_package(package="sendmail") }}}
+{{{ complete_ocil_entry_package_removed("sendmail") }}}
fixtext: '{{{ fixtext_package_removed("sendmail") }}}'
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
index ac9312c2317f..0bd04cbf81f4 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
@@ -28,7 +28,7 @@ references:
cis@sle12: 2.2.8
cis@sle15: 2.2.8
-{{{ complete_ocil_entry_package(package="rpcbind") }}}
+{{{ complete_ocil_entry_package_removed("rpcbind") }}}
fixtext: '{{{ fixtext_package_removed("rpcbind") }}}'
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml
index fd114321b115..e5063ba5e209 100644
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
severity: low
-{{{ complete_ocil_entry_package(package="nfs-common") }}}
+{{{ complete_ocil_entry_package_removed("nfs-common") }}}
fixtext: '{{{ fixtext_package_removed("nfs-common") }}}'
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-kernel-server_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-kernel-server_removed/rule.yml
index aec94da56d3b..a620b4492284 100644
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-kernel-server_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-kernel-server_removed/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
severity: low
-{{{ complete_ocil_entry_package(package="nfs-kernel-server") }}}
+{{{ complete_ocil_entry_package_removed("nfs-kernel-server") }}}
fixtext: '{{{ fixtext_package_removed("nfs-kernel-server") }}}'
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
index 16bace74c76a..d53f4c4838c8 100644
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
@@ -28,7 +28,7 @@ references:
cis@sle15: 2.2.7
srg: SRG-OS-000095-GPOS-00049
-{{{ complete_ocil_entry_package(package="nfs-utils") }}}
+{{{ complete_ocil_entry_package_removed("nfs-utils") }}}
fixtext: '{{{ fixtext_package_removed("nfs-utils") }}}'
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index fd09e0005180..4de2268e8a6c 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -32,9 +32,7 @@ references:
pcidss: Req-10.4
srg: SRG-OS-000355-GPOS-00143
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="chrony") }}}'
+{{{ complete_ocil_entry_package_installed("chrony") }}}
fixtext: '{{{ describe_package_install(package="chrony") }}}'
diff --git a/linux_os/guide/services/ntp/package_ntp_installed/rule.yml b/linux_os/guide/services/ntp/package_ntp_installed/rule.yml
index 697bcafe47e0..54a64c9680ae 100644
--- a/linux_os/guide/services/ntp/package_ntp_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_ntp_installed/rule.yml
@@ -1,3 +1,8 @@
+{{% if product == "debian13" %}}
+ {{%- set package = "ntpsec" %}}
+{{% else %}}
+ {{%- set package = "ntp" %}}
+{{% endif %}}
documentation_complete: true
title: 'Install the ntp service'
@@ -22,15 +27,8 @@ references:
nist-csf: PR.PT-1
pcidss: Req-10.4
-ocil_clause: 'the package is not installed'
+{{{ complete_ocil_entry_package_installed(package=package) }}}
-ocil: |-
- {{% if product == "debian13" %}}
- {{{ ocil_package(package="ntpsec") }}}
- {{% else %}}
- {{{ ocil_package(package="ntp") }}}
- {{% endif %}}
-
template:
name: package_installed
vars:
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml
index dd8afdb34f44..e95155e21f3b 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_installed/rule.yml
@@ -26,9 +26,7 @@ references:
nist-csf: PR.IP-1
srg: SRG-OS-000480-GPOS-00227
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="tcp_wrappers") }}}'
+{{{ complete_ocil_entry_package_installed("tcp_wrappers") }}}
template:
name: package_installed
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_removed/rule.yml
index ee0f1c513e9c..111b88262f64 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_tcp_wrappers_removed/rule.yml
@@ -38,7 +38,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a)
nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
-{{{ complete_ocil_entry_package(package="tcpd") }}}
+{{{ complete_ocil_entry_package_removed("tcpd") }}}
fixtext: '{{{ fixtext_package_removed("tcpd") }}}'
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index c1e0d7193f3e..413af2a83202 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -1,7 +1,7 @@
documentation_complete: true
-title: 'Uninstall xinetd Package'
+title: 'Uninstall xinetd package if not used by network services'
description: |-
{{{ describe_package_remove(package="xinetd") }}}
@@ -32,18 +32,17 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a)
nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
-ocil: |-
- If network services are using the xinetd service, this is not applicable.
- {{{ pkg }}} package is installed: $ {{% if pkg_system == "rpm" %}}rpm -q {{% elif pkg_system == "dpkg" %}}dpkg -l {{% endif %}}{{{ pkg }}}
{{% endfor %}}
+ {{% endif %}}
{{% if product not in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
template:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
index 3a85ae9df616..b46b481548ea 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
@@ -1,14 +1,15 @@
+{{% if 'ubuntu' not in product %}}
+ {{%- set package = "opensc" %}}
+{{% else %}}
+ {{%- set package = "opensc-pkcs11" %}}
+{{% endif %}}
documentation_complete: true
-title: 'Install the opensc Package For Multifactor Authentication'
+title: 'Install the {{{ package }}} Package For Multifactor Authentication'
description: |-
- {{% if 'ubuntu' not in product %}}
- {{{ describe_package_install(package="opensc") }}}
- {{% else %}}
- {{{ describe_package_install(package="opensc-pkcs11") }}}
- {{% endif %}}
+ {{{ describe_package_install(package=package) }}}
rationale: |-
Using an authentication device, such as a CAC or token that is separate from
@@ -33,13 +34,7 @@ references:
srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161
stigid@ol8: OL08-00-010410
-ocil_clause: 'the package is not installed'
-
-{{% if 'ubuntu' not in product %}}
-ocil: '{{{ ocil_package(package="opensc") }}}'
-{{% else %}}
-ocil: '{{{ ocil_package(package="opensc-pkcs11") }}}'
-{{% endif %}}
+{{{ complete_ocil_entry_package_installed(package) }}}
template:
name: package_installed
@@ -48,15 +43,7 @@ template:
pkgname@ubuntu2204: opensc-pkcs11
fixtext: |-
- {{% if 'ubuntu' not in product %}}
- {{{ describe_package_install(package="opensc") }}}
- {{% else %}}
- {{{ describe_package_install(package="opensc-pkcs11") }}}
- {{% endif %}}
+ {{{ describe_package_install(package=package) }}}
srg_requirement: |-
- {{% if 'ubuntu' not in product %}}
- {{{ srg_requirement_package_installed(package="opensc") | indent(4) }}}
- {{% else %}}
- {{{ srg_requirement_package_installed(package="opensc-pkcs11") | indent(4) }}}
- {{% endif %}}
+ {{{ srg_requirement_package_installed(package=package) | indent(4) }}}
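Review bot: The package name rendered into `fixtext` and `srg_requirement` here, and into the title, description and OCIL entry in the two hunks above, now comes from the `'ubuntu' not in product` test at the top of the file. The automated check still takes its name from the per-product `pkgname@…` keys under `template:`, of which `pkgname@ubuntu2204: opensc-pkcs11` is the only one visible in this hunk. For a product that matches one selector and not the other, the manual check text would name a different package than the one the scan evaluates, so I would add a comment above `template:` such as `# package name must match the Jinja "package" variable set at the top of this file`. The same applies to package_rsyslog-gnutls_installed, where `'sle' not in product` selects the name and `pkgname@sle16` sits under `template:`. The `template:` block starts outside this hunk.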
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite-ccid_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite-ccid_installed/rule.yml
index 778e50eea75f..1a237c660281 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite-ccid_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite-ccid_installed/rule.yml
@@ -20,9 +20,7 @@ references:
nist: CM-6(a)
srg: SRG-OS-000375-GPOS-00160
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="pcsc-lite-ccid") }}}'
+{{{ complete_ocil_entry_package_installed("pcsc-lite-ccid") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index 7ac4e6621db6..a1fc81bbdc0e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -21,9 +21,7 @@ references:
nist: CM-6(a)
srg: SRG-OS-000375-GPOS-00160
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="pcsc-lite") }}}'
+{{{ complete_ocil_entry_package_installed("pcsc-lite") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
index bf7ab28ebb49..e5bbb94e024c 100644
--- a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
+++ b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
@@ -25,9 +25,7 @@ references:
stigid@sle12: SLES-12-010600
stigid@sle15: SLES-15-010390
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="pam_apparmor") }}}'
+{{{ complete_ocil_entry_package_installed("pam_apparmor") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
index f4a62583346a..f5525d348192 100644
--- a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
+++ b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
@@ -26,9 +26,7 @@ identifiers:
references:
srg: SRG-OS-000479-GPOS-00224
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="systemd-journal-remote") }}}'
+{{{ complete_ocil_entry_package_installed("systemd-journal-remote") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml b/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
index 74ae024ddbad..3ed696891870 100644
--- a/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
+++ b/linux_os/guide/system/logging/log_rotation/package_logrotate_installed/rule.yml
@@ -30,9 +30,7 @@ references:
nist-csf: PR.PT-1
pcidss: Req-10.7
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="logrotate") }}}'
+{{{ complete_ocil_entry_package_installed("logrotate") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index 47a7de4f9934..3203605817e0 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -1,18 +1,20 @@
+{{% if 'sle' not in product %}}
+ {{%- set package = "rsyslog-gnutls" %}}
+{{% else %}}
+ {{%- set package = "rsyslog-module-gtls" %}}
+{{% endif %}}
+
documentation_complete: true
-title: 'Ensure rsyslog-gnutls is installed'
+title: 'Ensure {{{ package }}} is installed'
description: |-
TLS protocol support for rsyslog is installed.
- {{% if 'sle' not in product %}}
- {{{ describe_package_install(package="rsyslog-gnutls") }}}
- {{% else %}}
- {{{ describe_package_install(package="rsyslog-module-gtls") }}}
- {{% endif %}}
+ {{{ describe_package_install(package=package) }}}
rationale: |-
- The rsyslog-gnutls package provides Transport Layer Security (TLS) support
+ The {{{ package }}} package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging.
severity: medium
@@ -29,13 +31,7 @@ references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
stigid@ol8: OL08-00-030680
-ocil_clause: 'the package is not installed'
-
-{{% if 'sle' not in product %}}
-{{{ complete_ocil_entry_package(package="rsyslog-gnutls") }}}
-{{% else %}}
-{{{ complete_ocil_entry_package(package="rsyslog-module-gtls") }}}
-{{% endif %}}
+{{{ complete_ocil_entry_package_installed(package) }}}
template:
name: package_installed
@@ -46,11 +42,6 @@ template:
pkgname@sle16: rsyslog-module-gtls
fixtext: |-
- {{% if 'sle' not in product %}}
- {{{ describe_package_install(package="rsyslog-gnutls") }}}
- {{% else %}}
- {{{ describe_package_install(package="rsyslog-module-gtls") }}}
- {{% endif %}}
-
+ {{{ describe_package_install(package=package) }}}
srg_requirement:
{{{ full_name }}} must have the packages required for encrypting offloaded audit logs installed.
diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
index 1d2b634233a3..b3292366f9d3 100644
--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
@@ -32,9 +32,7 @@ references:
srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024,SRG-OS-000480-GPOS-00227
stigid@ol8: OL08-00-030670
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="rsyslog") }}}'
+{{{ complete_ocil_entry_package_installed("rsyslog") }}}
fixtext: |-
Configure {{{ full_name }}} to offload audit logs by installing the required packages with the following command:
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml
index 57241eee6686..a1fe9e136ae1 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml
@@ -21,9 +21,7 @@ references:
nist: CM-6(a)
nist-csf: PR.PT-1
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="syslog-ng-core") }}}'
+{{{ complete_ocil_entry_package_installed("syslog-ng-core") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 0b974a275b36..64e521807275 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -38,9 +38,7 @@ references:
stigid@ol8: OL08-00-040100
stigid@sle15: SLES-15-010220
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="firewalld") }}}'
+{{{ complete_ocil_entry_package_installed("firewalld") }}}
fixtext: |-
To install the "firewalld" package run the following command:
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
index b32d3a54d175..47e3718e8e61 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_deactivation/package_firewalld_removed/rule.yml
@@ -24,7 +24,7 @@ identifiers:
references:
cis@sle15: 3.5.2.2,3.5.3.1.3
-{{{ complete_ocil_entry_package(package="firewalld") }}}
+{{{ complete_ocil_entry_package_removed("firewalld") }}}
fixtext: '{{{ fixtext_package_removed("firewalld") }}}'
diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
index d2d3098eab7b..79124282ddbf 100644
--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
@@ -35,9 +35,7 @@ references:
pcidss: Req-4.1
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="libreswan") }}}'
+{{{ complete_ocil_entry_package_installed("libreswan") }}}
fixtext: '{{{ fixtext_package_installed("libreswan") }}}'
diff --git a/linux_os/guide/system/network/network-ipsec/package_strongswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_strongswan_installed/rule.yml
index 0f2318334d39..3a6e4de6d971 100644
--- a/linux_os/guide/system/network/network-ipsec/package_strongswan_installed/rule.yml
+++ b/linux_os/guide/system/network/network-ipsec/package_strongswan_installed/rule.yml
@@ -30,9 +30,7 @@ references:
pcidss: Req-4.1
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="strongswan") }}}'
+{{{ complete_ocil_entry_package_installed("strongswan") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-nft_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-nft_installed/rule.yml
index 73552ac09ec0..c41950f89215 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-nft_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-nft_installed/rule.yml
@@ -21,9 +21,7 @@ identifiers:
references:
nist: CM-6(a)
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="iptables-nft") }}}'
+{{{ complete_ocil_entry_package_installed("iptables-nft") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml
index 4c0aaca58dfb..afdc7d20c795 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_installed/rule.yml
@@ -13,9 +13,7 @@ severity: medium
platform: package[iptables]
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="iptables-persistent") }}}'
+{{{ complete_ocil_entry_package_installed("iptables-persistent") }}}
{{%- if 'ubuntu' in product %}}
template:
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml
index ef8bdc559fcb..fa519c12cdc9 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-persistent_removed/rule.yml
@@ -13,9 +13,7 @@ severity: medium
platform: package[ufw]
-ocil_clause: 'the package is installed'
-
-ocil: '{{{ ocil_package(package="iptables-persistent") }}}'
+{{{ complete_ocil_entry_package_removed("iptables-persistent") }}}
template:
name: package_removed
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml
index 7a39d7ec752e..1d686035c231 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-services_installed/rule.yml
@@ -23,9 +23,7 @@ references:
nist: CM-6(a)
srg: SRG-OS-000480-GPOS-00227
-ocil_clause: 'the iptables-services package is not installed'
-
-ocil: '{{{ ocil_package(package="iptables-services") }}}'
+{{{ complete_ocil_entry_package_installed("iptables-services") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
index d7defdc05f72..ea96552678e5 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables-services_removed/rule.yml
@@ -20,10 +20,7 @@ platform: package[iptables]
identifiers:
cce@rhel8: CCE-86679-8
-
-ocil_clause: 'the iptables-services package is installed'
-
-ocil: '{{{ ocil_package(package="iptables-services") }}}'
+{{{ complete_ocil_entry_package_removed("iptables-services") }}}
template:
name: package_removed
diff --git a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
index e2fdaad08ada..c3cc32d49472 100644
--- a/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
@@ -29,9 +29,7 @@ references:
pcidss: Req-1.4.1
srg: SRG-OS-000480-GPOS-00227
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="iptables") }}}'
+{{{ complete_ocil_entry_package_installed("iptables") }}}
{{%- if product in [ "sle12", "sle15" ] or 'ubuntu' in product %}}
template:
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
index 35552c4b3530..e09fe3d9c48d 100644
--- a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
@@ -27,9 +27,7 @@ identifiers:
references:
cis@sle15: 3.5.2.1
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="nftables") }}}'
+{{{ complete_ocil_entry_package_installed("nftables") }}}
platform: system_with_kernel and service_disabled[iptables] and service_disabled[ufw]
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
index 4d3b3c1618ef..60d5ea59bf2a 100644
--- a/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/package_nftables_removed/rule.yml
@@ -20,7 +20,7 @@ identifiers:
references:
cis@sle15: 3.5.1.2,3.5.3.1.2
-{{{ complete_ocil_entry_package(package="nftables") }}}
+{{{ complete_ocil_entry_package_removed("nftables") }}}
fixtext: '{{{ fixtext_package_removed("nftables") }}}'
diff --git a/linux_os/guide/system/network/network-susefirewall2/package_SuSEfirewall2_installed/rule.yml b/linux_os/guide/system/network/network-susefirewall2/package_SuSEfirewall2_installed/rule.yml
index d0daf70b9e3e..a210c2e85643 100644
--- a/linux_os/guide/system/network/network-susefirewall2/package_SuSEfirewall2_installed/rule.yml
+++ b/linux_os/guide/system/network/network-susefirewall2/package_SuSEfirewall2_installed/rule.yml
@@ -18,9 +18,7 @@ references:
srg: SRG-OS-000420-GPOS-00186,SRG-OS-000096-GPOS-00050
stigid@sle12: SLES-12-030030
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="SuSEfirewall2") }}}'
+{{{ complete_ocil_entry_package_installed("SuSEfirewall2") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/network/network-susefirewall2/susefirewall2_ddos_protection/rule.yml b/linux_os/guide/system/network/network-susefirewall2/susefirewall2_ddos_protection/rule.yml
index 7222131437e3..ee729a542b16 100644
--- a/linux_os/guide/system/network/network-susefirewall2/susefirewall2_ddos_protection/rule.yml
+++ b/linux_os/guide/system/network/network-susefirewall2/susefirewall2_ddos_protection/rule.yml
@@ -45,7 +45,8 @@ references:
ocil_clause: 'the DoS protection is not active'
ocil: |-
- {{{ ocil_package(package="SuSEfirewall2") }}}
+ Run the following command to determine if the SuSEfirewall2 package is installed: $rpm -q SuSEfirewall2+ {{{ ocil_service_enabled(service="SuSEfirewall2") }}} Run the following command: diff --git a/linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml b/linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml index 126dd0183a41..ee44169fb944 100644 --- a/linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml +++ b/linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml @@ -50,7 +50,8 @@ references: ocil_clause: 'unauthorized network services can be accessed from the network' ocil: |- - {{{ ocil_package(package="SuSEfirewall2") }}} + Run the following command to determine if the
SuSEfirewall2 package is installed: $rpm -q SuSEfirewall2+ {{{ ocil_service_enabled(service="SuSEfirewall2") }}} Check the firewall configuration for any unnecessary or prohibited diff --git a/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml b/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml index 53035bc75c34..64341e55dfc9 100644 --- a/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml +++ b/linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml @@ -15,9 +15,7 @@ severity: medium references: srg: SRG-OS-000297-GPOS-00115 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="ufw") }}}' +{{{ complete_ocil_entry_package_installed("ufw") }}} {{%- if 'ubuntu' in product %}} template: diff --git a/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml b/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml index 1efcd761d632..d0114bcb6b07 100644 --- a/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml +++ b/linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml @@ -11,9 +11,7 @@ rationale: |- severity: medium -ocil_clause: 'the package is installed' - -ocil: '{{{ ocil_package(package="ufw") }}}' +{{{ complete_ocil_entry_package_removed("ufw") }}} platform: system_with_kernel diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml index e97e56c968f3..b902d67bbd5c 100644 --- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml @@ -22,9 +22,7 @@ identifiers: cce@sle15: CCE-92490-2 cce@sle16: CCE-95712-6 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="libselinux") }}}' +{{{ complete_ocil_entry_package_installed("libselinux") }}} template: name: package_installed 
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index e345282b5e21..48c7080bfe1b 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -22,9 +22,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="policycoreutils-python-utils") }}}'
+{{{ complete_ocil_entry_package_installed("policycoreutils-python-utils") }}}
fixtext: '{{{ fixtext_package_installed("policycoreutils-python-utils") }}}'
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
index b489a0fd0fab..ce5df82c7b8d 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
@@ -33,9 +33,7 @@ references:
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
stigid@ol8: OL08-00-010171
-ocil_clause: 'the policycoreutils package is not installed'
-
-ocil: '{{{ ocil_package(package="policycoreutils") }}}'
+{{{ complete_ocil_entry_package_installed("policycoreutils") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
index 2578c0675617..354a8060c709 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml
@@ -23,7 +23,7 @@ identifiers:
cce@sle15: CCE-91269-1
cce@sle16: CCE-96431-2
-{{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}}
+{{{ complete_ocil_entry_package_removed("setroubleshoot-plugins") }}}
template:
name: package_removed
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
index b4d07c4ba6f2..0fcc6980b0e0 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml
@@ -24,7 +24,7 @@ identifiers:
cce@sle15: CCE-91267-5
cce@sle16: CCE-96268-8
-{{{ complete_ocil_entry_package(package="setroubleshoot-server") }}}
+{{{ complete_ocil_entry_package_removed("setroubleshoot-server") }}}
template:
name: package_removed
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index 404e14e5b9d8..c3ed2b166ca3 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -22,9 +22,7 @@ references:
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="crypto-policies") }}}'
+{{{ complete_ocil_entry_package_installed("crypto-policies") }}}
template:
name: package_installed
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
index b707c73f1649..19f594a04a0d 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
@@ -33,9 +33,7 @@ references:
nist: SI-2(2)
srg: SRG-OS-000191-GPOS-00080
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package=pkg) }}}'
+{{{ complete_ocil_entry_package_installed(pkg) }}}
warnings:
 - general: |-
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml
index 9705dda83661..dd201283020b 100644
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml
@@ -30,9 +30,7 @@ references:
nist-csf: PR.AC-3,PR.PT-4
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="dracut-fips-aesni") }}}'
+{{{ complete_ocil_entry_package_installed("dracut-fips-aesni") }}}
warnings:
 - general: |-
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
index b903dc76ca1e..7a3485d69bd9 100644
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
@@ -29,9 +29,7 @@ references:
nist-csf: PR.AC-3,PR.PT-4
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="dracut-fips") }}}'
+{{{ complete_ocil_entry_package_installed("dracut-fips") }}}
warnings:
 - regulatory: |-
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 7844c8991ce8..dc497c0c7b9a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -38,9 +38,7 @@ references:
stigid@sle12: SLES-12-010499
stigid@sle15: SLES-15-010419
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="aide") }}}'
+{{{ complete_ocil_entry_package_installed("aide") }}}
fixtext: |-
{{{ describe_package_install("aide") }}}
diff --git a/linux_os/guide/system/software/sap_host/package_glibc_installed/rule.yml b/linux_os/guide/system/software/sap_host/package_glibc_installed/rule.yml
index b7564be44d58..c092789ae83d 100644
--- a/linux_os/guide/system/software/sap_host/package_glibc_installed/rule.yml
+++ b/linux_os/guide/system/software/sap_host/package_glibc_installed/rule.yml
@@ -1,3 +1,4 @@
+{{%- set minimum_version = "0:2.17-55.0.4.el7_0.3" %}}
documentation_complete: true
@@ -17,12 +18,12 @@ rationale: |- severity: medium -ocil_clause: 'the minimum required glibc version is not installed' +ocil_clause: 'glibc is missing or installed at a version lower than {{{ minimum_version }}}' -ocil: '{{{ ocil_package(package="glibc") }}}' +{{{ ocil_package_installed_how_to_check(package="glibc") }}} template: name: package_installed vars: pkgname: glibc - evr: 0:2.17-55.0.4.el7_0.3 + evr: {{{ minimum_version }}} diff --git a/linux_os/guide/system/software/sap_host/package_uuidd_installed/rule.yml b/linux_os/guide/system/software/sap_host/package_uuidd_installed/rule.yml index cfeb5beb1337..e0e5d42dd145 100644 --- a/linux_os/guide/system/software/sap_host/package_uuidd_installed/rule.yml +++ b/linux_os/guide/system/software/sap_host/package_uuidd_installed/rule.yml @@ -19,9 +19,7 @@ rationale: |- severity: medium -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="uuidd") }}}' +{{{ complete_ocil_entry_package_installed("uuidd") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml index 9fa248ae5d3f..2c46a602376e 100644 --- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml +++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml @@ -31,9 +31,7 @@ references: ospp: FMT_MOF_EXT.1 srg: SRG-OS-000324-GPOS-00125 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="sudo") }}}' +{{{ complete_ocil_entry_package_installed("sudo") }}} fixtext: |- {{{ describe_package_install(package="sudo") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml index 848e7ff4c37b..bf0552c9ba75 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml 
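Review bot: The new `ocil_clause` in sap_host/package_glibc_installed/rule.yml reports a finding for a glibc older than `minimum_version`, but the check text still comes from `ocil_package_installed_how_to_check(package="glibc")`, which as defined in shared/macros/10-ocil.jinja only asks whether the package is installed. An auditor following it is never told to compare the reported version with the minimum, so an outdated glibc can be passed as compliant in a manual review. Consider ending the rule's OCIL with a sentence such as `Verify that the reported version is {{{ minimum_version }}} or newer.`, which means writing the `ocil:` block in the rule instead of taking it from the macro, since the macro emits the key itself. Quoting the templated value, `evr: '{{{ minimum_version }}}'`, would also keep it a string whatever version is set later.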
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml @@ -19,7 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}} +{{{ complete_ocil_entry_package_removed("abrt-addon-ccpp") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml index 6a4366edb8be..f22e7b294016 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml @@ -19,7 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}} +{{{ complete_ocil_entry_package_removed("abrt-addon-kerneloops") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml index d8f0d38f23fc..e1ecc296bc96 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml @@ -15,7 +15,7 @@ severity: low references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-addon-python") }}} +{{{ complete_ocil_entry_package_removed("abrt-addon-python") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml index 389988e539c4..e693756ef912 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml 
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml @@ -19,7 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-cli") }}} +{{{ complete_ocil_entry_package_removed("abrt-cli") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-libs_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-libs_removed/rule.yml index 507a42f72223..451a40cee22c 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-libs_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-libs_removed/rule.yml @@ -15,7 +15,7 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol8: OL08-00-040001 -{{{ complete_ocil_entry_package(package="abrt-libs") }}} +{{{ complete_ocil_entry_package_removed("abrt-libs") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml index 122886e14b9c..57db060dbe25 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml @@ -19,7 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}} +{{{ complete_ocil_entry_package_removed("abrt-plugin-logger") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml index 09bb7b5ae42e..1cdafc35c8eb 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml 
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml @@ -19,7 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}} +{{{ complete_ocil_entry_package_removed("abrt-plugin-rhtsupport") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml index 6732e5b1a79d..d6542f276b01 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml @@ -18,7 +18,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}} +{{{ complete_ocil_entry_package_removed("abrt-plugin-sosreport") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_abrt-server-info-page_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-server-info-page_removed/rule.yml index 0b108df2e7e7..54dfb557de0a 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-server-info-page_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-server-info-page_removed/rule.yml @@ -15,7 +15,7 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol8: OL08-00-040001 -{{{ complete_ocil_entry_package(package="abrt-server-info-page") }}} +{{{ complete_ocil_entry_package_removed("abrt-server-info-page") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml index 75b91a333e64..2b9873059ece 100644 
--- a/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_binutils_installed/rule.yml @@ -16,9 +16,7 @@ severity: medium identifiers: cce@rhel8: CCE-82989-5 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="binutils") }}}' +{{{ complete_ocil_entry_package_installed("binutils") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml index d1a75d5bc5a7..d00b4eaf70b6 100644 --- a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml @@ -20,9 +20,7 @@ identifiers: cce@rhel9: CCE-86612-9 cce@rhel10: CCE-87541-9 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="cryptsetup") }}}' +{{{ complete_ocil_entry_package_installed("cryptsetup") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml index 8f85f0d165d4..93e5309e0479 100644 --- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml @@ -21,9 +21,7 @@ references: ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000366-GPOS-00153 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="dnf-plugin-subscription-manager") }}}' +{{{ complete_ocil_entry_package_installed("dnf-plugin-subscription-manager") }}} template: name: package_installed 
diff --git a/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml index 12af635a5ec3..838b2f0a88da 100644 --- a/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_geolite2-city_removed/rule.yml @@ -14,7 +14,7 @@ severity: low identifiers: cce@rhel8: CCE-82939-0 -{{{ complete_ocil_entry_package(package="geolite2-city") }}} +{{{ complete_ocil_entry_package_removed("geolite2-city") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml index 26cd1d47c24b..b8e533ce3ec5 100644 --- a/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_geolite2-country_removed/rule.yml @@ -14,7 +14,7 @@ severity: low identifiers: cce@rhel8: CCE-82936-6 -{{{ complete_ocil_entry_package(package="geolite2-country") }}} +{{{ complete_ocil_entry_package_removed("geolite2-country") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml index 39608267f9bc..d72cc37d3614 100644 --- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml 
@@ -25,9 +25,7 @@ references: ospp: FIA_X509_EXT.1,FIA_X509_EXT.1.1,FIA_X509_EXT.2 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="gnutls-utils") }}}' +{{{ complete_ocil_entry_package_installed("gnutls-utils") }}} fixtext: '{{{ fixtext_package_installed("gnutls-utils") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml index ab99ff48c20f..70714ac0473c 100644 --- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml @@ -22,7 +22,7 @@ references: srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040370 -{{{ complete_ocil_entry_package(package="gssproxy") }}} +{{{ complete_ocil_entry_package_removed("gssproxy") }}} srg_requirement: '{{{ srg_requirement_package_removed("gssproxy") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml index c337bda264ce..72973e86b50a 100644 --- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml @@ -21,7 +21,7 @@ references: srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040380 -{{{ complete_ocil_entry_package(package="iprutils") }}} +{{{ complete_ocil_entry_package_removed("iprutils") }}} fixtext: '{{{ fixtext_package_removed("iprutils") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml index d925c313f957..9787a9e11abc 100644 --- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml 
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml @@ -32,7 +32,7 @@ platforms: warnings: {{{ warning_ovirt_rule_notapplicable("RHV hosts require ipa-client package, which has dependency on krb5-workstation") | indent(4) }}} -{{{ complete_ocil_entry_package(package="krb5-workstation") }}} +{{{ complete_ocil_entry_package_removed("krb5-workstation") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml index 96c272175642..2719904b4e97 100644 --- a/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_libcap-ng-utils_installed/rule.yml @@ -19,10 +19,8 @@ identifiers: references: srg: SRG-OS-000445-GPOS-00199 - -ocil_clause: 'the package is not installed' -ocil: '{{{ ocil_package(package="libcap-ng-utils") }}}' +{{{ complete_ocil_entry_package_installed("libcap-ng-utils") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml index ac6e11b85567..c513d51ad843 100644 --- a/linux_os/guide/system/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml @@ -21,9 +21,7 @@ references: ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000366-GPOS-00153 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="libdnf-plugin-subscription-manager") }}}' +{{{ complete_ocil_entry_package_installed("libdnf-plugin-subscription-manager") }}} template: name: package_installed 
diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml index bdfed2221079..8e24ebd8945e 100644 --- a/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-logger_removed/rule.yml @@ -23,7 +23,7 @@ references: srg: SRG-OS-000095-GPOS-00049 stigid@ol8: OL08-00-040001 -{{{ complete_ocil_entry_package(package="libreport-plugin-logger") }}} +{{{ complete_ocil_entry_package_removed("libreport-plugin-logger") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml index aa86cedf173f..dd889497c51a 100644 --- a/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_libreport-plugin-rhtsupport_removed/rule.yml @@ -18,7 +18,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="libreport-plugin-rhtsupport") }}} +{{{ complete_ocil_entry_package_removed("libreport-plugin-rhtsupport") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml index 3a2cc488881b..7fd84173e32f 100644 --- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml 
@@ -23,9 +23,7 @@ references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="nss-tools") }}}' +{{{ complete_ocil_entry_package_installed("nss-tools") }}} fixtext: '{{{ fixtext_package_installed("nss-tools") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml index af7857193e8c..110df4185625 100644 --- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml @@ -21,10 +21,8 @@ identifiers: references: ospp: AGD_PRE.1,AGD_OPE.1 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000191-GPOS-00080 - -ocil_clause: 'the package is not installed' -ocil: '{{{ ocil_package(package="openscap-scanner") }}}' +{{{ complete_ocil_entry_package_installed("openscap-scanner") }}} fixtext: '{{{ fixtext_package_installed("openscap-scanner") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml index 953c593ae565..664eff36cda4 100644 --- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml @@ -20,7 +20,7 @@ identifiers: references: srg: SRG-OS-000433-GPOS-00192 -{{{ complete_ocil_entry_package(package="pigz") }}} +{{{ complete_ocil_entry_package_removed("pigz") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_python3-abrt-addon_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_python3-abrt-addon_removed/rule.yml index b1e896461485..eef0ff8c6b49 100644 --- a/linux_os/guide/system/software/system-tools/package_python3-abrt-addon_removed/rule.yml 
+++ b/linux_os/guide/system/software/system-tools/package_python3-abrt-addon_removed/rule.yml @@ -18,7 +18,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 -{{{ complete_ocil_entry_package(package="python3-abrt-addon") }}} +{{{ complete_ocil_entry_package_removed("python3-abrt-addon") }}} template: name: package_removed diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml index cedb1b39211b..8f5dd735e0a0 100644 --- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml @@ -17,10 +17,7 @@ identifiers: cce@rhel9: CCE-83503-3 cce@rhel10: CCE-90643-8 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="rear") }}}' - +{{{ complete_ocil_entry_package_installed("rear") }}} platforms: - not ((s390x_arch and os_linux[rhel]<=8.4) or (os_linux[rhel]>=9.0 and aarch64_arch) or (os_linux[ol]>=9.0 and aarch64_arch)) diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml index 8d387db19622..a1bbbe567cf0 100644 --- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml @@ -21,9 +21,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-010472 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="rng-tools") }}}' +{{{ complete_ocil_entry_package_installed("rng-tools") }}} fixtext: '{{{ fixtext_package_installed("rng-tools") }}}' 
diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml index 373dd78161db..75f64b5f6de0 100644 --- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml @@ -27,10 +27,8 @@ identifiers: references: ospp: AGD_PRE.1,AGD_OPE.1 srg: SRG-OS-000480-GPOS-00227 - -ocil_clause: 'the package is not installed' -ocil: '{{{ ocil_package(package="scap-security-guide") }}}' +{{{ complete_ocil_entry_package_installed("scap-security-guide") }}} fixtext: "{{{ fixtext_package_installed("scap-security-guide") }}}" diff --git a/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml index e109b59d5631..525ff8220296 100644 --- a/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml @@ -22,9 +22,7 @@ references: ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000366-GPOS-00153 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="sequoia-sq") }}}' +{{{ complete_ocil_entry_package_installed("sequoia-sq") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml index 4b5b9b9fd088..dae058993c4d 100644 --- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml 
@@ -31,9 +31,7 @@ references: ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000366-GPOS-00153 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="subscription-manager") }}}' +{{{ complete_ocil_entry_package_installed("subscription-manager") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml index c12e9b276883..8c4c74b0e74a 100644 --- a/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_tar_installed/rule.yml @@ -17,9 +17,7 @@ severity: medium identifiers: cce@rhel8: CCE-82965-5 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="tar") }}}' +{{{ complete_ocil_entry_package_installed("tar") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml index f0f0bb5cd60c..481da09c1966 100644 --- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml @@ -23,7 +23,7 @@ references: srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040390 -{{{ complete_ocil_entry_package(package="tuned") }}} +{{{ complete_ocil_entry_package_removed("tuned") }}} fixtext: '{{{ fixtext_package_removed("tuned") }}}' diff --git a/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml index 4884067bf734..3107fb374ea5 100644 --- a/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_vim_installed/rule.yml 
@@ -14,9 +14,7 @@ severity: low identifiers: cce@rhel8: CCE-82956-4 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="vim-enhanced") }}}' +{{{ complete_ocil_entry_package_installed("vim-enhanced") }}} template: name: package_installed diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml index f31123960e9d..0e7e82f0ebdb 100644 --- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml +++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml @@ -23,9 +23,7 @@ references: ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000191-GPOS-00080 -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="dnf-automatic") }}}' +{{{ complete_ocil_entry_package_installed("dnf-automatic") }}} platform: not bootc and not container diff --git a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml index 2455146eac67..07234de6d7da 100644 --- a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml +++ b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml @@ -10,9 +10,7 @@ rationale: 'The GNOME software package must be installed so that it can be used severity: medium -ocil_clause: 'the package is not installed' - -ocil: '{{{ ocil_package(package="gnome-software") }}}' +{{{ complete_ocil_entry_package_installed("gnome-software") }}} fixtext: |- {{{ describe_package_install("gnome-software") }}} diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 76759bdde775..cd398e7c370f 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja 
@@ -167,105 +167,63 @@ ocil: | {{%- endmacro %}} -{{# Package macros #}} +{{# Package macros -#}} {{# - Describe how to check if a package is installed with rpm. - -:param package: The package to check -:type package: str - -#}} -{{%- macro rpm_ocil_package(package) -%}} - Run the following command to determine if the
{{{ package }}} package is installed:
- $ rpm -q {{{ package }}}
-{{%- endmacro -%}}
-
-
-{{#
- Describe how to check if a package is installed with dpkg.
-
-:param package: The package to check
-:type package: str
+ OCIL entry with instructions how to check if a package is installed
+ :param package: Package name
+ :type package: str
#}}
-{{%- macro dpkg_ocil_package(package) %}}
- Run the following command to determine if the {{{ package }}} package is installed:
- $ dpkg -l {{{ package }}}
-{{%- endmacro %}}
-
-
-{{#
- Insert general ocil clause to check if a package is installed, substituting the
- correct package management software.
-
-:param package: Name of package
-:type package: str
-
-#}}
-{{% macro ocil_package(package) -%}}
- {{% if pkg_system is defined %}}
- {{%- if pkg_system == "rpm" -%}}
- {{{ rpm_ocil_package(package) }}}
- {{%- elif pkg_system == "dpkg" -%}}
- {{{ dpkg_ocil_package(package) }}}
- {{%- else -%}}
-JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.
- {{%- endif -%}}
+{{%- macro ocil_package_installed_how_to_check(package) -%}}
+ocil: |-
+ {{% if pkg_system is undefined or pkg_system not in ["rpm", "dpkg"] -%}}
+ JINJA MACRO ERROR - Unknown package system '{{{ pkg_system | default("undefined") }}}'. Has to be either 'rpm' or 'dpkg'.
+ {{%- else -%}}
+ Run the following command to determine if the {{{ package }}} package is installed: $ {{% if pkg_system == "rpm" %}}rpm -q {{% elif pkg_system == "dpkg" %}}dpkg -l {{% endif %}}{{{ package }}}
{{%- endif -%}}
-{{%- endmacro %}}
+{{% endmacro -%}}
{{#
- OCIL and OCIL clause how to check if a package is installed with rpm.
-
-:param package: The package to check
-:type package: str
+ Set ocil_clause - a finding: when the rule expects the package to be:
+ - absent, a finding is an installed package.
+ - present, a finding is an absent package.
+ :param package: Package name
+ :type package: str
+ :param clause_predicate: "not installed" if the rule requires the package to be installed
+ and "installed" if it must be absent.
+ :type clause_predicate: str
#}}
-{{%- macro rpm_complete_ocil_entry_package(package) %}}
-ocil: |-
- {{{ rpm_ocil_package(package) }}}
-
-ocil_clause: "the package is installed"
-{{%- endmacro %}}
+{{%- macro ocil_clause_package(package, clause_predicate) -%}}
+ocil_clause: "the {{{ package }}} package is {{{ clause_predicate }}}"
+{{% endmacro -%}}
{{#
- OCIL and OCIL clause how to check if a package is installed with dpkg.
-
-:param package: The package to check
-:type package: str
-
-#}}
-{{%- macro dpkg_complete_ocil_entry_package(package) %}}
-ocil: |-
- {{{ dpkg_ocil_package(package) }}}
-
-ocil_clause: "the package is installed"
-{{%- endmacro %}}
-
+ OCIL complete entries (ocil_clause: followed by ocil:) for package install/remove rules.
-{{#
- Insert a complete OCIL block for a case when a package should be removed,
- substituting the correct package management software.
+ complete_ocil_entry_package_installed(package)
+ Use when the rule requires the package to be installed. The finding is
+ that the package is not installed.
-:param package: Name of package
-:type package: str
+ complete_ocil_entry_package_removed(package)
+ Use when the rule requires the package to be absent. The finding is
+ that the package is still installed.
+ :param package: Package name
+ :type package: str
#}}
-{{% macro complete_ocil_entry_package(package) -%}}
- {{% if pkg_system is defined %}}
- {{%- if pkg_system == "rpm" %}}
- {{{ rpm_complete_ocil_entry_package(package) }}}
- {{%- elif pkg_system == "dpkg" %}}
- {{{ dpkg_complete_ocil_entry_package(package) }}}
- {{%- else -%}}
-ocil: |-
- JINJA MACRO ERROR - Unknown package system '{{{ pkg_system }}}'.
- {{%- endif -%}}
- {{%- endif -%}}
-{{%- endmacro %}}
+{{%- macro complete_ocil_entry_package_installed(package) %}}
+{{{ ocil_clause_package(package, "not installed") }}}
+{{{ ocil_package_installed_how_to_check(package) }}}
+{{% endmacro -%}}
+
+{{%- macro complete_ocil_entry_package_removed(package) %}}
+{{{ ocil_clause_package(package, "installed") }}}
+{{{ ocil_package_installed_how_to_check(package) }}}
+{{% endmacro -%}}
{{# Service Enabled macros #}}
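Review bot: In `ocil_package_installed_how_to_check` the set of supported package systems is written twice, once in the guard list `["rpm", "dpkg"]` and again in the inner `if`/`elif` that picks the command, so a system added to the list alone would render an OCIL command with no query tool in front of the package name and the auditor would have nothing to run. A single mapping keeps the two in step: `{{% set pkg_query = {"rpm": "rpm -q", "dpkg": "dpkg -l"} %}}`, the guard as `pkg_system is undefined or pkg_system not in pkg_query`, and the command as `$ {{{ pkg_query[pkg_system] }}} {{{ package }}}`. The error branch still writes the `JINJA MACRO ERROR` text into the rule's `ocil` field, so a misconfigured product builds cleanly and ships that string as its check procedure; failing the build there would be safer if the template environment offers a way to do it.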
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/package_abrt_removed/rule.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/package_abrt_removed/rule.yml
index 44815f6b2f6b..c70cceb690d5 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/package_abrt_removed/rule.yml
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/package_abrt_removed/rule.yml
@@ -21,7 +21,7 @@ references:
srg: SRG-OS-000095-GPOS-00049
stigid@rhel8: RHEL-08-040001
-{{{ complete_ocil_entry_package(package="abrt") }}}
+{{{ complete_ocil_entry_package_removed("abrt") }}}
template:
name: package_removed