Refactor OCIL macros for installed/removed packages + rules

.claude/CLAUDE.md

@@ -173,7 +173,8 @@ Used in rule descriptions, OCIL, fixtext, and warnings fields:
 - `{{{ describe_file_permissions(file="/path", perms="0700") }}}` - File permission description
 - `{{{ describe_sysctl_option_value(sysctl="key", value="val") }}}` - Sysctl description
 - `{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}}` - Full OCIL for sysctl
-- `{{{ complete_ocil_entry_package(package="name") }}}` - Full OCIL for package check
+- `{{{ complete_ocil_entry_package_installed("name") }}}` - OCIL when the package must be installed
+- `{{{ complete_ocil_entry_package_removed("name") }}}` - OCIL when the package must be absent
 - `{{{ fixtext_package_removed("name") }}}` - Fixtext for package removal
 - `{{{ fixtext_sysctl("key", "value") }}}` - Fixtext for sysctl setting
 - `{{{ fixtext_directory_permissions(file="/path", mode="0600") }}}` - Fixtext for dir permissions

linux_os/guide/auditing/package_audispd-plugins_installed/rule.yml

@@ -21,9 +21,7 @@ identifiers:
 references:
     srg: SRG-OS-000342-GPOS-00133
 
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="audispd-plugins") }}}'
+{{{ complete_ocil_entry_package_installed("audispd-plugins") }}}
 
 fixtext: '{{{ fixtext_package_installed("audispd-plugins") }}}'
 

linux_os/guide/auditing/package_audit-libs_installed/rule.yml

@@ -1,15 +1,15 @@
-{{% if product in ["sle12","sle15"] %}}
-{{% set package_name = "libaudit1" %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
+  {{%- set package = "libaudit1" %}}
 {{% else %}}
-{{% set package_name = "audit-libs" %}}
+  {{%- set package = "audit-libs" %}}
 {{% endif %}}
 
 documentation_complete: true
 
-title: 'Ensure the {{{ package_name }}} package as a part of audit Subsystem is Installed'
+title: 'Ensure the {{{ package }}} package as a part of audit Subsystem is Installed'
 
 
-description: 'The {{{ package_name }}} package should be installed.'
+description: 'The {{{ package }}} package should be installed.'
 
 rationale: 'The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.'
 
@@ -32,25 +32,16 @@ references:
     pcidss: Req-10.2.1
     srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220
 
-ocil_clause: 'the {{{ package_name }}} package is not installed'
-
-{{% if product in ["sle12","sle15","slmicro5"] %}}
-ocil: '{{{ ocil_package("libaudit1") }}}'
-{{% else %}}
-ocil: '{{{ ocil_package("audit-libs") }}}'
-{{% endif %}}
+{{{ complete_ocil_entry_package_installed(package=package) }}}
 
 fixtext: |-
-    Install the {{{ package_name }}} package (if {{{ package_name }}} package is not already installed) with the following command:
-{{% if product in ["sle12","sle15","slmicro5"] %}}
-    {{{ package_install("libaudit1") }}}
-{{% else %}}
-    {{{ package_install("audit-libs") }}}
-{{% endif %}}
+    Install the {{{ package }}} package (if {{{ package }}} package is not already installed) with the following command:
+    {{{ package_install(package=package) }}}
 
 template:
     name: package_installed
     vars:
         pkgname: audit-libs
+        pkgname@sle12: libaudit1
         pkgname@sle15: libaudit1
         pkgname@slmicro5: libaudit1

linux_os/guide/auditing/package_audit_installed/rule.yml

@@ -33,9 +33,7 @@ references:
     stigid@sle12: SLES-12-020000
     stigid@sle15: SLES-15-030650
 
-ocil_clause: 'the audit package is not installed'
-
-ocil: '{{{ ocil_package("audit") }}}'
+{{{ complete_ocil_entry_package_installed("audit") }}}
 
 fixtext: |-
     Install the audit service (if the audit service is not already installed) with the following command:

linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml

@@ -33,7 +33,8 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="avahi-autoipd") }}}
+{{{ complete_ocil_entry_package_removed("avahi-autoipd") }}}
+
 fixtext: '{{{ fixtext_package_removed("avahi-autoipd") }}}'
 
 template:

linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml

@@ -34,7 +34,8 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="avahi") }}}
+{{{ complete_ocil_entry_package_removed("avahi") }}}
+
 fixtext: '{{{ fixtext_package_removed("avahi") }}}'
 
 template:

linux_os/guide/services/base/package_abrt_removed/rule.yml

@@ -26,7 +26,7 @@ references:
     srg: SRG-OS-000095-GPOS-00049
     stigid@ol8: OL08-00-040001
 
-{{{ complete_ocil_entry_package(package="abrt") }}}
+{{{ complete_ocil_entry_package_removed("abrt") }}}
 
 template:
     name: package_removed

linux_os/guide/services/base/package_psacct_installed/rule.yml

@@ -29,9 +29,7 @@ references:
     nist: AU-12(a),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
 
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="psacct") }}}'
+{{{ complete_ocil_entry_package_installed("psacct") }}}
 
 template:
     name: package_installed

linux_os/guide/services/cron_and_at/disable_anacron/rule.yml

@@ -26,4 +26,4 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="cronie-anacron") }}}
+{{{ complete_ocil_entry_package_removed("cronie-anacron") }}}

linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml

@@ -1,7 +1,7 @@
-{{% if product in [ "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16"] %}}
-{{% set package_name = "cronie" %}}
+{{% if 'rhel' in product or product in ["ol9", "ol10", "sle12", "sle15", "sle16"] %}}
+  {{%- set package = "cronie" %}}
 {{% else %}}
-{{% set package_name = "cron" %}}
+  {{%- set package = "cron" %}}
 {{% endif %}}
 
 documentation_complete: true
@@ -35,12 +35,9 @@ references:
     nist-csf: PR.IP-1,PR.PT-3
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: 'the package is installed'
-
-ocil: |-
-    {{{ ocil_package(package_name) }}}
+{{{ complete_ocil_entry_package_installed(package=package) }}}
 
 template:
     name: package_installed
     vars:
-        pkgname: {{{ package_name }}}
+        pkgname: {{{ package }}}

linux_os/guide/services/dhcp/disabling_dhcp_client/package_dhcp_client_removed/rule.yml

@@ -30,7 +30,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="dhcp-client") }}}
+{{{ complete_ocil_entry_package_removed("dhcp-client") }}}
 
 template:
     name: package_removed

linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml

@@ -1,17 +1,19 @@
+{{% if 'ubuntu' in product %}}
+ {{%- set package = "isc-dhcp-server" %}}
+{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}}
+ {{%- set package = "dhcp-server" %}}
+{{% else %}}
+ {{%- set package = "dhcp" %}}
+{{% endif %}}
+
 documentation_complete: true
 
 title: 'Uninstall DHCP Server Package'
 
 description: |-
     If the system does not need to act as a DHCP server,
-    the dhcp package can be uninstalled.
-    {{% if 'ubuntu' in product %}}
-    {{{ describe_package_remove(package="isc-dhcp-server") }}}
-    {{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}}
-    {{{ describe_package_remove(package="dhcp-server") }}}
-    {{% else %}}
-    {{{ describe_package_remove(package="dhcp") }}}
-    {{% endif %}}
+    the {{{ package }}} package can be uninstalled.
+    {{{ describe_package_remove(package=package) }}}
 
 rationale: |-
     Removing the DHCP server ensures that it cannot be easily or
@@ -39,13 +41,8 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{% if 'ubuntu' in product %}}
-{{{ complete_ocil_entry_package(package="isc-dhcp-server") }}}
-{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9', 'sle12', 'sle15'] %}}
-{{{ complete_ocil_entry_package(package="dhcp-server") }}}
-{{% else %}}
-{{{ complete_ocil_entry_package(package="dhcp") }}}
-{{% endif %}}
+
+{{{ complete_ocil_entry_package_removed(package=package) }}}
 
 template:
     name: package_removed

linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml

@@ -18,7 +18,7 @@ identifiers:
     cce@rhel10: CCE-86596-4
     cce@sle16: CCE-96693-7
 
-{{{ complete_ocil_entry_package(package="kea") }}}
+{{{ complete_ocil_entry_package_removed("kea") }}}
 
 template:
     name: package_removed

linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml

@@ -36,7 +36,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="bind") }}}
+{{{ complete_ocil_entry_package_removed("bind") }}}
 
 template:
     name: package_removed

linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml

@@ -21,7 +21,7 @@ identifiers:
     cce@rhel10: CCE-86558-4
     cce@sle15: CCE-92596-6
 
-{{{ complete_ocil_entry_package(package="dnsmasq") }}}
+{{{ complete_ocil_entry_package_removed("dnsmasq") }}}
 
 template:
     name: package_removed

linux_os/guide/services/docker/package_docker_installed/rule.yml

@@ -14,9 +14,7 @@ rationale: |-
 
 severity: medium
 
-ocil_clause: 'the package is not installed'
-
-ocil: '{{{ ocil_package(package="docker") }}}'
+{{{ complete_ocil_entry_package_installed("docker") }}}
 
 platform: machine
 

linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml

@@ -24,9 +24,7 @@ references:
     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230
     stigid@ol8: OL08-00-040135
 
-ocil_clause: 'the fapolicyd package is not installed'
-
-ocil: '{{{ ocil_package(package="fapolicyd") }}}'
+{{{ complete_ocil_entry_package_installed("fapolicyd") }}}
 
 fixtext: |-
     {{{ fixtext_package_installed("fapolicyd") | indent(4) }}}

linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

@@ -36,7 +36,7 @@ references:
     stigid@sle12: SLES-12-030011
     stigid@sle15: SLES-15-010030
 
-{{{ complete_ocil_entry_package(package="vsftpd") }}}
+{{{ complete_ocil_entry_package_removed("vsftpd") }}}
 
 fixtext: '{{{ fixtext_package_removed(package="vsftpd") }}}'
 

linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml

@@ -1,15 +1,15 @@
 documentation_complete: true
 
 {{% if 'ubuntu' in product %}}
-{{% set package_name = "apache2" %}}
+  {{%- set package = "apache2" %}}
 {{% else %}}
-{{% set package_name = "httpd" %}}
+  {{%- set package = "httpd" %}}
 {{% endif %}}
 
-title: 'Uninstall {{{ package_name }}} Package'
+title: 'Uninstall {{{ package }}} Package'
 
 description: |-
-    {{{ describe_package_remove(package=package_name) }}}
+    {{{ describe_package_remove(package=package) }}}
 
 rationale: |-
     If there is no need to make the web server software available,
@@ -36,9 +36,9 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package=package_name) }}}
+{{{ complete_ocil_entry_package_removed(package=package) }}}
 
 template:
     name: package_removed
     vars:
-        pkgname: {{{ package_name }}}
+        pkgname: {{{ package }}}

linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml

@@ -24,7 +24,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
 
-{{{ complete_ocil_entry_package(package="nginx") }}}
+{{{ complete_ocil_entry_package_removed("nginx") }}}
 
 template:
     name: package_removed

linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml

@@ -17,7 +17,7 @@ identifiers:
     cce@rhel10: CCE-90156-1
     cce@sle15: CCE-92595-8
 
-{{{ complete_ocil_entry_package(package="cyrus-imapd") }}}
+{{{ complete_ocil_entry_package_removed("cyrus-imapd") }}}
 
 template:
     name: package_removed

linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml

@@ -1,13 +1,15 @@
+{{% if 'ubuntu' not in product %}}
+ {{%- set package = "dovecot" %}}
+{{% else %}}
+ {{%- set package = "dovecot-core" %}}
+{{% endif %}}
+
 documentation_complete: true
 
 title: 'Uninstall dovecot Package'
 
 description: |-
-    {{% if 'ubuntu' not in product %}}
-    {{{ describe_package_remove(package="dovecot") }}}
-    {{% else %}}
-    {{{ describe_package_remove(package="dovecot-core") }}}
-    {{% endif %}}
+    {{{ describe_package_remove(package=package) }}}
 
 rationale: |-
     If there is no need to make the Dovecot software available,
@@ -27,11 +29,7 @@ references:
     cis@sle12: 2.2.12
     cis@sle15: 2.2.12
 
-{{% if 'ubuntu' not in product %}}
-{{{ complete_ocil_entry_package(package="dovecot") }}}
-{{% else %}}
-{{{ complete_ocil_entry_package(package="dovecot-core") }}}
-{{% endif %}}
+{{{ complete_ocil_entry_package_removed(package=package) }}}
 
 template:
     name: package_removed

linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml

@@ -32,9 +32,7 @@ references:
 platforms:
     - krb5_server_older_than_1_17-18
 
-ocil_clause: 'the package is installed'
-
-ocil: '{{{ ocil_package(package="krb5-server") }}}'
+{{{ complete_ocil_entry_package_removed("krb5-server") }}}
 
 template:
     name: package_removed

linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml

@@ -1,9 +1,9 @@
-{{% if product in ["sle12", "sle15"] %}}
-{{% set package_name = "openldap2-client" %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
+  {{%- set package = "openldap2-client" %}}
 {{% elif "ubuntu" in product %}}
-{{% set package_name = "ldap-utils" %}}
+  {{%- set package = "ldap-utils" %}}
 {{% else %}}
-{{% set package_name = "openldap-clients" %}}
+  {{%- set package = "openldap-clients" %}}
 {{% endif %}}
 
 documentation_complete: true
@@ -14,7 +14,7 @@ title: 'Ensure LDAP client is not installed'
 description: |-
     The Lightweight Directory Access Protocol (LDAP) is a service that provides
     a method for looking up information from a central database.
-    {{{ describe_package_remove( package_name ) }}}
+    {{{ describe_package_remove(package=package) }}}
 
 
 rationale:
@@ -35,10 +35,7 @@ references:
     cis@sle12: 2.3.5
     cis@sle15: 2.3.5
 
-ocil_clause: 'the package is installed'
-
-ocil: |-
-    {{{ ocil_package(package_name) }}}
+{{{ complete_ocil_entry_package_removed(package=package) }}}
 
 template:
     name: package_removed