snippets.json

{
	"Rule": {
		"prefix": "rule",
		"body": [
			"documentation_complete: ${1|true,false|} # switch to true when rule is ready to be enabled",
			"",
			"title: $2",
			"",
			"description: $3",
			"",
			"rationale: $4",
			"",
			"severity: ${5|low,medium,high,unknown|}",
			"",
			"identifiers:",
			"\t${6:# use ident snippet}\t",
			"",
			"references:",
			"\t$7: $8",
			"",
			"ocil_clause: $9",
			"",
			"ocil: $10",
			""

		],
		"description": "Rule stub. Reference: https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#rules"
	},
	"Identifier": {
		"prefix": "ident",
		"body": [
			"${1|cce@rhel7,cce@rhel8,cce@rhel9|}: $2"

		],
		"description": "Identifier"
	},
	"Template accounts_password": {
		"prefix": "t_accounts_password",
		"body": [
			"template:",
			"\tname: accounts_password",
			"\tvars:",
			"\t\tvariable: ${1:# PAM 'pam_pwquality' password quality requirement, eg. 'ucredit', 'ocredit'}",
			"\t\toperation: ${2:# OVAL operation, eg. 'less than or equal'}",
			"\t\tzero_comparison_operation: ${3:# (optional) OVAL operation, eg. 'greater than'. When set, it will test if the variable value matches the OVAL operation when compared to zero.}"
		],
		"description": "Checks if PAM enforces password quality requirements. Checks the configuration in:\n\n'/etc/security/pwquality.conf'.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template auditd_lineinfile": {
		"prefix": "t_auditd_lineinfile",
		"body": [
			"template:",
			"\tname: auditd_lineinfile",
			"\tvars:",
			"\t\tparameter: ${1:# auditd configuration item}",
			"\t\tvalue: ${2:# the value of configuration item specified by parameter}",
			"\t\tmissing_parameter_pass: ${3:# effective only in OVAL checks, if set to \"false\" and the parameter is not present in the configuration file, the OVAL check will return false (default value: \"false\".}"
		],
		"description": "Checks configuration options of the Audit Daemon in:\n\n/etc/audit/auditd.conf.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template audit_rules_dac_modification": {
		"prefix": "t_audit_rules_dac_modification",
		"body": [
			"template:",
			"\tname: audit_rules_dac_modification",
			"\tvars:",
			"\t\tattr: ${1:# value of '-S' argument in Audit rule, eg. 'chmod'}"
		],
		"description": "Checks Audit Discretionary Access Control rules.\n\nLanguages: Ansible, Bash, OVAL, Kubernetes\n\n"
	},
	"Template audit_rules_file_deletion_events": {
		"prefix": "t_audit_rules_file_deletion_events",
		"body": [
			"template:",
			"\tname: audit_rules_file_deletion_events",
			"\tvars:",
			"\t\tname: ${1:# value of '-S' argument in Audit rule, eg. 'unlink'}"
		],
		"description": "Ensure auditd Collects file deletion events.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template audit_rules_login_events": {
		"prefix": "t_audit_rules_login_events",
		"body": [
			"template:",
			"\tname: audit_rules_login_events",
			"\tvars:",
			"\t\tpath: ${1:# value of '-w' in the Audit rule, eg. '/var/run/faillock'}"
		],
		"description": "Checks if there are Audit rules that record attempts to alter logon and logout events.\n\nLanguages: Ansible, Bash, OVAL, Kubernetes\n\n"
	},
	"Template audit_rules_path_syscall": {
		"prefix": "t_audit_rules_path_syscall",
		"body": [
			"template:",
			"\tname: audit_rules_path_syscall",
			"\tvars:",
			"\t\tpath: ${1:# path of the protected file, eg. '/etc/shadow'}",
			"\t\tpos: ${2:# position of argument, eg. 'a2'}",
			"\t\tsyscall: ${3:# name of the system call, eg. 'openat'}"
		],
		"description": "Check if there are Audit rules to record events that modify user/group information via a syscall on a specific file.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template audit_rules_privileged_commands": {
		"prefix": "t_audit_rules_privileged_commands",
		"body": [
			"template:",
			"\tname: audit_rules_privileged_commands",
			"\tvars:",
			"\t\tpath: ${1:# the path of the privileged command - eg. '/usr/bin/mount'}"
		],
		"description": "Ensure Auditd collects information on the use of specified privileged command.\n\nLanguages: Ansible, Bash, OVAL, Kubernetes\n\n"
	},
	"Template audit_rules_syscall_events": {
		"prefix": "t_audit_rules_syscall_events",
		"body": [
			"template:",
			"\tname: audit_rules_syscall_events",
			"\tvars:",
			"\t\tattr: ${1:# the name of the system call, eg. 'unlinkat'}"
		],
		"description": "Ensure there is an audit rule to record for all uses of specified system call.\n\nLanguages: Ansible, Bash, OVAL, Kubernetes\n\n"
	},
	"Template audit_file_contents": {
		"prefix": "t_audit_file_contents",
		"body": [
			"template:",
			"\tname: audit_file_contents",
			"\tvars:",
			"\t\tfilepath: ${1:# path to audit rules file, e.g.: '/etc/audit/rules.d/10-base-config.rules'}",
			"\t\tcontents: ${2:# expected contents of the file}"
		],
		"description": "Ensure that audit '.rules' file specified by parameter 'filepath' contains the contents specified in parameter 'contents'.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template audit_rules_unsuccessful_file_modification": {
		"prefix": "t_audit_rules_unsuccessful_file_modification",
		"body": [
			"template:",
			"\tname: audit_rules_unsuccessful_file_modification",
			"\tvars:",
			"\t\tname: ${1:# name of the unsuccessful system call, eg. 'creat'}"
		],
		"description": "Ensure there is an Audit rule to record unsuccessful attempts to access files.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template audit_rules_unsuccessful_file_modification_o_creat": {
		"prefix": "t_audit_rules_unsuccessful_file_modification_o_creat",
		"body": [
			"template:",
			"\tname: audit_rules_unsuccessful_file_modification_o_creat",
			"\tvars:",
			"\t\tsyscall: ${1:# name of the unsuccessful system call, eg. 'openat'}",
			"\t\tpos: ${2:# position of the O_CREAT argument in the syscall, as specified by '-F' audit rule argument, eg. 'a2'}"
		],
		"description": "Ensure there is an Audit rule to record unsuccessful attempts to access files when O_CREAT flag is specified.\n\nLanguages: OVAL\n\n"
	},
	"Template audit_rules_unsuccessful_file_modification_o_trunc_write": {
		"prefix": "t_audit_rules_unsuccessful_file_modification_o_trunc_write",
		"body": [
			"template:",
			"\tname: audit_rules_unsuccessful_file_modification_o_trunc_write",
			"\tvars:",
			"\t\tsyscall: ${1:# name of the unsuccessful system call, eg. 'openat'}",
			"\t\tpos: ${2:# position of the O_TRUNC_WRITE argument in the syscall, as specified by '-F' audit rule argument, eg. 'a2'}"
		],
		"description": "Ensure there is an Audit rule to record unsuccessful attempts to access files when O_TRUNC_WRITE flag is specified.\n\nLanguages: OVAL\n\n"
	},
	"Template audit_rules_unsuccessful_file_modification_rule_order": {
		"prefix": "t_audit_rules_unsuccessful_file_modification_rule_order",
		"body": [
			"template:",
			"\tname: audit_rules_unsuccessful_file_modification_rule_order",
			"\tvars:",
			"\t\tsyscall: ${1:# name of the unsuccessful system call, eg. 'openat'}",
			"\t\tpos: ${2:# position of the flag parameter in the syscall, as specified by '-F' audit rule argument, eg. 'a2'}"
		],
		"description": "Ensure that Audit rules for unauthorized attempts to use a specific system call are ordered correctly.\n\nLanguages: OVAL\n\n"
	},
	"Template audit_rules_usergroup_modification": {
		"prefix": "t_audit_rules_usergroup_modification",
		"body": [
			"template:",
			"\tname: audit_rules_usergroup_modification",
			"\tvars:",
			"\t\tpath: ${1:# path that should be part of the audit rule as a value of '-w' argument, eg. '/etc/group'.}"
		],
		"description": "Check if Audit is configured to record events that modify account changes.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template argument_value_in_line": {
		"prefix": "t_argument_value_in_line",
		"body": [
			"template:",
			"\tname: argument_value_in_line",
			"\tvars:",
			"\t\tfilepath: ${1:# File(s) to be checked. The value would be treated as a regular expression pattern.}",
			"\t\targ_name: ${2:# Argument name, eg. 'audit'}",
			"\t\targ_value: ${3:# Argument value, eg. '1'}",
			"\t\tline_prefix: ${4:# The prefix of the line in which argument-value pair should be present, optional.}",
			"\t\tline_suffix: ${5:# The suffix of the line in which argument-value pair should be present, optional.}"
		],
		"description": "Checks that 'argument=value' pair is present in (optionally) the line started with line_prefix (and, optionally, ending with line_suffix) in the file(s) defined by filepath.\n\nLanguages: OVAL\n\n"
	},
	"Template coreos_kernel_option": {
		"prefix": "t_coreos_kernel_option",
		"body": [
			"template:",
			"\tname: coreos_kernel_option",
			"\tvars:",
			"\t\targ_name: ${1:# Argument name, eg. 'audit'}",
			"\t\targ_value: ${2:# Argument value, eg. '1'. This parameter is optional, and if omitted, this template will only use 'arg_name'.}",
			"\t\targ_negate: ${3:# negates the check, which then ensures that 'argument=value' is not present in the kernel arguments.}",
			"\t\targ_is_regex: ${4:# Specifies that the given 'arg_name' and 'arg_value' are regexes.}"
		],
		"description": "Checks that 'argument=value' pair is present in the kernel arguments. Note that this applies to Red Hat CoreOS.\n\nLanguages: OVAL, Kubernetes\n\n"
	},
	"Template dconf_ini_file": {
		"prefix": "t_dconf_ini_file",
		"body": [
			"template:",
			"\tname: dconf_ini_file",
			"\tvars:",
			"\t\tpath: ${1:# dconf configuration files directory. All files within this directory will be check for the configuration presence. eg. '/etc/dconf/db/local.d/'.}",
			"\t\tsection: ${2:# name of the 'dconf' configuration section, eg. \"org/gnome/desktop/lockdown\"}",
			"\t\tparameter: ${3:# name of the dconf configuration option, eg. 'user-administration-disabled'}",
			"\t\tvalue: ${4:# value of the 'dconf' configuration option specified by parameter, eg. \"true\".}"
		],
		"description": "Checks for 'dconf' configuration. Additionally checks if the configuration is locked so it cannot be overriden by the user. The 'locks' directory is always the path appended by 'locks/'.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template file_existence": {
		"prefix": "t_file_existence",
		"body": [
			"template:",
			"\tname: file_existence",
			"\tvars:",
			"\t\tfilepath: ${1:# File path to be checked.}",
			"\t\texists: ${2:#  If set to 'true' the check will fail if the file doesn't exist and vice versa for 'false'.}"
		],
		"description": "Check if a file exists or doesn't exist.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template file_groupowner": {
		"prefix": "t_file_groupowner",
		"body": [
			"template:",
			"\tname: file_groupowner",
			"\tvars:",
			"\t\tfilepath: ${1:# File path to be checked. If the file path ends with '/' it describes a directory. Can also be a list of paths. If 'file_regex' is not specified, the rule will only check and remediate directories.}",
			"\t\tfilepath_is_regex: ${2:#  If set to \"true\" the OVAL will consider the value of 'filepath' as a regular expression.}",
			"\t\tmissing_file_pass: ${3:# If set to \"true\" the OVAL check will pass when file is absent. Default value is \"false\".}",
			"\t\tfile_regex: ${4:# Regular expression that matches file names in a directory specified by 'filepath'. Can be set only if 'filepath' parameter specifies a directory. Note: Applies to base name of files, so if a file '/foo/bar/file.txt' is processed, only 'file.txt' is tested against \"file_regex\". Can be a list of regexes.}",
			"\t\trecursive: ${5:# If set to \"true\" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is \"false\".}",
			"\t\tfilegid: ${6:# group ID (GID)}"
		],
		"description": "Check group that owns the given file.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template file_owner": {
		"prefix": "t_file_owner",
		"body": [
			"template:",
			"\tname: file_owner",
			"\tvars:",
			"\t\tfilepath: ${1:# File path to be checked. If the file path ends with '/' it describes a directory. Can also be a list of paths. If 'file_regex' is not specified, the rule will only check and remediate directories.}",
			"\t\tfilepath_is_regex: ${2:#  If set to \"true\" the OVAL will consider the value of 'filepath' as a regular expression.}",
			"\t\tmissing_file_pass: ${3:# If set to \"true\" the OVAL check will pass when file is absent. Default value is \"false\".}",
			"\t\tfile_regex: ${4:# Regular expression that matches file names in a directory specified by 'filepath'. Can be set only if 'filepath' parameter specifies a directory. Note: Applies to base name of files, so if a file '/foo/bar/file.txt' is processed, only 'file.txt' is tested against \"file_regex\". Can be a list of regexes.}",
			"\t\trecursive: ${5:# If set to \"true\" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is \"false\".}",
			"\t\tfileuid: ${6:# user ID (UID)}"
		],
		"description": "Check user that owns the given file.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template file_permissions": {
		"prefix": "t_file_permissions",
		"body": [
			"template:",
			"\tname: file_permissions",
			"\tvars:",
			"\t\tfilepath: ${1:# File path to be checked. If the file path ends with '/' it describes a directory. Can also be a list of paths. If 'file_regex' is not specified, the rule will only check and remediate directories.}",
			"\t\tfilepath_is_regex: ${2:# If set to \"true\" the OVAL will consider the value of 'filepath' as a regular expression.}",
			"\t\tmissing_file_pass: ${3:# If set to \"true\" the OVAL check will pass when file is absent. Default value is \"false\".}",
			"\t\tfile_regex: ${4:# Regular expression that matches file names in a directory specified by 'filepath'. Can be set only if 'filepath' parameter specifies a directory. Note: Applies to base name of files, so if a file '/foo/bar/file.txt' is processed, only 'file.txt' is tested against \"file_regex\". Can be a list of regexes.}",
			"\t\trecursive: ${5:# If set to \"true\" the OVAL will consider the subdirectories under the directory specified by filepath. Default value is \"false\".}",
			"\t\tfilemode: ${6:# File permissions in a hexadecimal format, eg. 0640'.}",
			"\t\tallow_stricter_permissions: ${7:# If set to \"true\" the OVAL will also consider permissions stricter than filemode as compliant. Default value is \"true\".}"
		],
		"description": "Checks permissions (mode) on a given file.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template firefox_lockpreference": {
		"prefix": "t_firefox_lockpreference",
		"body": [
			"template:",
			"\tname: firefox_lockpreference",
			"\tvars:",
			"\t\tparameter: ${1:# Name of Mozilla Firefox configuration item to be checked/set.}",
			"\t\tvalue: ${2:# Literal value to be set in the Mozilla Firefox default configuration.}"
		],
		"description": "Checks that a given Mozilla Firefox configuration item is locked and set.\n\nLanguages: Bash, OVAL\n\n"
	},
	"Template grub2_bootloader_argument": {
		"prefix": "t_grub2_bootloader_argument",
		"body": [
			"template:",
			"\tname: grub2_bootloader_argument",
			"\tvars:",
			"\t\targ_name: ${1:# argument name, eg. 'audit'}",
			"\t\targ_value: ${2:# argument value, eg. '1'}",
			"\t\targ_value: ${3:# the variable used as the value for the argument, eg. 'var_slub_debug_options' This parameter is mutually exclusive with 'arg_value'.}"
		],
		"description": "Ensures that a kernel command line argument is present in GRUB 2 configuration.\n\nLanguages: Ansible, Bash, OVAL, Blueprint\n\n"
	},
	"Template grub2_bootloader_argument_absent": {
		"prefix": "t_grub2_bootloader_argument_absent",
		"body": [
			"template:",
			"\tname: grub2_bootloader_argument",
			"\tvars:",
			"\t\targ_name: ${1:# argument name, eg. 'audit', 'nosmep'}"
		],
		"description": "Ensures that a kernel command line argument is absent in GRUB 2 configuration. The template can also remove arguments with a value assigned, eg. audit=1\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template kernel_build_config": {
		"prefix": "t_kernel_build_config",
		"body": [
			"template:",
			"\tname: kernel_build_config",
			"\tvars:",
			"\t\tconfig: ${1:# The kernel configuration to check}",
			"\t\tvalue: ${2:# The value the configuration should have When 'value' is \"n\", the check will pass when the config is absent, commented out or has the value 'n' in the '/boot/config-*' files.}",
			"\t\tvariable: ${3:# The variable to get the value from. This parameter is mutually exclusive with 'value'.}"
		],
		"description": "This template checks the configuration used to build the kernel by checking the '/boot/config-* 'files. The only way to remediate is to recompile and reinstall the kernel, so no remediation should be expected.\n\nLanguages: OVAL\n\n"
	},
	"Template kernel_module_disabled": {
		"prefix": "t_kernel_module_disabled",
		"body": [
			"template:",
			"\tname: kernel_module_disabled",
			"\tvars:",
			"\t\tkernmodule: ${1:# name of the Linux kernel module, eg. 'cramfs'}"
		],
		"description": "Checks if the given Linux kernel module is disabled. The default method is to check the 'install' keyword. On OL and RHEL products the 'blacklist' keyword is also checked. The SLE products only check for the 'blacklist' keyword.\n\nLanguages: Ansible, Bash, Kubernetes, OVAL\n\n"
	},
	"Template lineinfile": {
		"prefix": "t_lineinfile",
		"body": [
			"template:",
			"\tname: lineinfile",
			"\tvars:",
			"\t\tescape_text: ${1:# if set to true the given text is escaped to treat it as regex, when set to false the text is taken directly as it is.}",
			"\t\tpath: ${2:# path to the file to check.}",
			"\t\ttext: ${3:# the line that should be present in the file.}",
			"\t\toval_extend_definitions: ${4:# optional, list of additional OVAL definitions that have to pass along the generated check.}",
			"\t\tsed_path_separator: ${5:# optional, default is '/', sets the sed path separator. Set this to a character like '#' if '/' is in use in your text.}"
		],
		"description": "Checks that the given text is present in a file. This template doesn't work with a concept of keys and values - it is meant only for simple statements.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template mount": {
		"prefix": "t_mount",
		"body": [
			"template:",
			"\tname: mount",
			"\tvars:",
			"\t\tmountpoint: ${1:# path to the mount point, eg. '/var/tmp'}",
			"\t\tmin_size: ${1:# the minimum recommended partition size, in bytes}"
		],
		"description": "Checks that a given mount point is located on a separate partition.\n\nLanguages: Anaconda, OVAL, Blueprint\n\n"
	},
	"Template mount_option": {
		"prefix": "t_mount_option",
		"body": [
			"template:",
			"\tname: mount_option",
			"\tvars:",
			"\t\tmountpoint: ${1:# mount point on the filesystem eg. '/dev/shm'}",
			"\t\tmountoption: ${2:# mount option, eg. 'nosuid'}",
			"\t\tmountoption_arg_var: ${3:# variable which holds the argument for mount option, eg. 'var_mount_option_proc_hidepid'}",
			"\t\tfilesystem: ${4:# filesystem in '/etc/fstab', eg. 'tmpfs'. Used only in Bash remediation.}",
			"\t\ttype: ${5:# filesystem type. Used only in Bash remediation.}",
			"\t\tmount_has_to_exist: ${6:# Specifies if the 'mountpoint' entry has to exist in '/etc/fstab' before the remediation is executed. If set to 'yes' and the 'mountpoint' entry is not present in '/etc/fstab' the Bash remediation terminates. If set to 'no' the 'mountpoint' entry will be created in '/etc/fstab.'}"
		],
		"description": "Checks if a given partition is mounted with a specific option such as \"nosuid\". It is also possible to use options with arguments, such as \"logdev=device\". Finally, for options which expect an argument, like \"hidepid=2\", a variable can be informed for this argument.\n\nLanguages: Anaconda, Ansible, Bash, OVAL\n\n"
	},
	"Template mount_option_remote_filesystems": {
		"prefix": "t_mount_option_remote_filesystems",
		"body": [
			"template:",
			"\tname: mount_option_remote_filesystems",
			"\tvars:",
			"\t\tmountpoint: ${1:# always set to 'remote_filesystems'}",
			"\t\tmountoption: ${2:# mount option, eg. 'nodev'}",
			"\t\tfilesystem: ${3:# filesystem of new mount point (used when adding new entry in '/etc/fstab'), eg. 'tmpfs'. Used only in Bash remediation.}",
			"\t\tmount_has_to_exist: ${4:# Used only in Bash remediation. Specifies if the 'mountpoint' entry has to exist in '/etc/fstab' before the remediation is executed. If set to 'yes' and the 'mountpoint' entry is not present in '/etc/fstab' the Bash remediation terminates. If set to 'no' the 'mountpoint' entry will be created in '/etc/fstab'.}"
		],
		"description": "Checks if all remote filesystems (NFS mounts in '/etc/fstab') are mounted with a specific option.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template mount_option_removable_partitions": {
		"prefix": "t_mount_option_removable_partitions",
		"body": [
			"template:",
			"\tname: mount_option_removable_partitions",
			"\tvars:",
			"\t\tmountoption: ${2:# mount option, eg. 'nodev'}"
		],
		"description": "Checks if all removable media mounts are mounted with a specific option. Unlike other mount option templates, this template doesn't use the mount point, but the block device. The block device path (eg. '/dev/cdrom') is always set to 'var_removable_partition'. This is an XCCDF Value, defined in https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/partitions/var_removable_partition.var\n\nLanguages: Anaconda, Ansible, Bash, OVAL\n\n"
	},
	"Template package_installed": {
		"prefix": "t_package_installed",
		"body": [
			"template:",
			"\tname: package_installed",
			"\tvars:",
			"\t\tpkgname: ${1:# name of the RPM or DEB package, eg. 'tmux'}",
			"\t\tevr: ${2:# Optional parameter. It can be used to check if the package is of a specific version or newer. Provide epoch, version, release in 'epoch:version-release' format, eg. '0:2.17-55.0.4.el7_0.3'. Used only in OVAL checks. The OVAL state uses operation \"greater than or equal\" to compare the collected package version with the version in the OVAL state.}"
		],
		"description": "Checks if a given package is installed. Optionally, it can also check whether a specific version or newer is installed.\n\nLanguages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint\n\n"
	},
	"Template package_removed": {
		"prefix": "t_package_removed",
		"body": [
			"template:",
			"\tname: package_removed",
			"\tvars:",
			"\t\tpkgname: ${1:# name of the RPM or DEB package, eg. 'tmux'}"
		],
		"description": "Checks if the given package is not installed.\n\nLanguages: Anaconda, Ansible, Bash, OVAL, Puppet\n\n"
	},
	"Template pam_options": {
		"prefix": "t_pam_options",
		"body": [
			"template:",
			"\tname: pam_options",
			"\tvars:",
			"\t\tpath: ${1:# the complete path to the PAM configuration file, eg. '/etc/pam.d/common-password'}",
			"\t\ttype: ${2:# (required) PAM type, eg. 'password'}",
			"\t\tcontrol_flag: ${3:# (required) PAM control flag, eg. 'requisite'}",
			"\t\tmodule: ${4:# (required) PAM module, eg. 'pam_cracklib.so'}",
			"\t\targuments: ${5:# (optional) parameters or arguments for the PAM module. These are optional. A PAM module can have multiple arguments, specified as a list of dictionaries. Following are acceptable parameters for each argument.}",

			"\t\t\tvariable: ${6:# (optional) PAM module argument/parameter name, eg. 'ucredit', 'ocredit'. Use this parameter in a situation where the PAM module argument is configurable/selectable by the user. 'var_password_pam_<variable name>.var' XCCDF variable must be defined when using this parameter. This parameter must be used in conjunction with the 'operation' parameter. Also, this parameter is mutually exclusive with the 'argument' parameter.}",

			"\t\t\toperation: ${7:# (optional) OVAL operation, eg. 'less than or equal'. This parameter must be used in conjunction with the 'variable' parameter.}",

			"\t\t\targument: ${8:# (optional) the name of the PAM module argument, eg. 'dcredit'. It is mutually exclusive with the 'variable' parameter. Therefore, it must be absent when 'variable' is present.}",

			"\t\t\targument_match: ${9:# (optional) the regular expression to match the argument value. It is optional when the argument has no value, or when the argument is to be removed. In these cases the parameter is not required and will be ignored if present. It is required when a value argument needs to be added or modified.}",

			"\t\t\targument_value: ${10:# (optional) the expected argument value for a value argument to be added or modifed, when the 'argument_match' regular expression failed to yield a match. The argument's existing value will be replaced by 'argument_value'. When the argument has no value, or when the argument is to be removed, this parameter is not required and will be ignored. It is required when a value argument needs to be added or modified.}",

			"\t\t\tnew_argument: ${11:# (optional) the argument to be added if not already present, eg, 'dcredit=-1'. It is required when the argument is not already present and needs to be added.}",

			"\t\t\tremove_argument: ${12:# ((optional) the argument will be removed, if the argument is present. This parameter must not be specified when the argument is being added or modified.}"
		],
		"description": "Checks if the parameters or arguments of a given Linux-PAM (Pluggable Authentication Modules) module in a given PAM configuration file are correctly specified. This template is using regular expression to match the module parameters, and their respective values if any. A parameter can be added if absent, modified when it's value doesn't match the expected value, or removed when present. There are two ways to specify a PAM module parameter, either using XCCDF variable or argument value matching. Use XCCDF variable in a situation where the parameter value is expected to be configurable/selectable by the user. eg, 'ucredit=<var_pam_password_ucredit.var>'. Otherwise, use argument value matching is advised.\n\nLanguages: Ansible, OVAL\n\n"
	},
	"Template sebool": {
		"prefix": "t_sebool",
		"body": [
			"template:",
			"\tname: sebool",
			"\tvars:",
			"\t\tseboolid: ${1:# name of SELinux boolean, eg. 'cron_userdomain_transition'}",
			"\t\tsebool_bool: ${2:# the value of the SELinux Boolean. Can be either \"true\" or \"false\". If this parameter is not specified, the rule will use XCCDF Value 'var_<seboolid>'. These XCCDF Values are usually defined in the same directory where the 'rule.yml' that describes the rule is located. The 'seboolid' will be replaced by a SELinux boolean, for example: 'selinuxuser_execheap' and in the profile you can use 'var_selinuxuser_execheap' to turn on or off the SELinux boolean.}"
		],
		"description": "Checks values of SELinux booleans.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template service_disabled": {
		"prefix": "t_service_disabled",
		"body": [
			"template:",
			"\tname: service_disabled",
			"\tvars:",
			"\t\tservicename: ${1:# name of the service.}",
			"\t\tpackagename: ${2:# name of the package that provides this service. This argument is optional. If 'packagename' is not specified it means the name of the package is the same as the name of service.}",
			"\t\tdaemonname: ${3:# name of the daemon. This argument is optional. If 'daemonname' is not specified it means the name of the daemon is the same as the name of service.}"
		],
		"description": "Checks if a service is disabled. Uses either systemd or SysV init based on the product configuration in 'product.yml'.\n\nLanguages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint\n\n"
	},
	"Template service_enabled": {
		"prefix": "t_service_enabled",
		"body": [
			"template:",
			"\tname: service_enabled",
			"\tvars:",
			"\t\tservicename: ${1:# name of the service.}",
			"\t\tpackagename: ${2:# name of the package that provides this service. This argument is optional. If 'packagename' is not specified it means the name of the package is the same as the name of service.}",
			"\t\tdaemonname: ${3:# name of the daemon. This argument is optional. If 'daemonname' is not specified it means the name of the daemon is the same as the name of service.}"
		],
		"description": "Checks if a system service is enabled. Uses either systemd or SysV init based on the product configuration in 'product.yml'.\n\nLanguages: Ansible, Bash, OVAL, Puppet, Blueprint\n\n"
	},

	"Template shell_lineinfile": {
		"prefix": "t_shell_lineinfile",
		"body": [
			"template:",
			"\tname: shell_lineinfile",
			"\tvars:",
			"\t\tpath: ${1:# What file to check}",
			"\t\tparameter: ${2:# name of the shell variable, eg. SHELL.}",
			"\t\tvalue: ${3:# value of the configuration option specified by parameter, eg. \"/bin/bash\". Don't pass extra shell quoting - that will be handled on the lower level.}",
			"\t\tno_quotes: ${4:# If set to \"true\", the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.}",
			"\t\tmissing_parameter_pass: ${5:# effective only in OVAL checks, if set to \"false\" and the parameter is not present in the configuration file, the OVAL check will return false (default value: \"false\"}"
		],
		"description": "Checks shell variable assignments in files. Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered. The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.\n\nLanguages: Ansible, Bash, OVAL\n\nExample: A template invocation specifying that parameter HISTSIZE should be set to value 500 in /etc/profile will produce a check that passes if any of the following lines are present in /etc/profile:\n\nHISTSIZE=500\n\nHISTSIZE=\"500\"\n\nHISTSIZE='500'\n\nThe remediation would insert one of the quoted forms if the line was not present.\n\nIf the no_quotes would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present."
	},
	"Template sshd_lineinfile": {
		"prefix": "t_sshd_lineinfile",
		"body": [
			"template:",
			"\tname: sshd_lineinfile",
			"\tvars:",
			"\t\tparameter: ${1:# name of the SSH configuration option, eg. 'KerberosAuthentication'}",
			"\t\tvalue: ${2:# value of the SSH configuration option specified by 'parameter', eg. \"no\".}",
			"\t\tmissing_parameter_pass: ${3:# effective only in OVAL checks, if set to \"false\" and the parameter is not present in the configuration file, the OVAL check will return false (default value: \"false\"}",
			"\t\tis_default_value: ${4:# effective only in Ansible and Bash remediation, if set to \"true\", settings will be remediated into a file called (in case of Fedora or RHEL9 and newer): '/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf'}"
		],
		"description": "Checks SSH server configuration items in '/etc/ssh/sshd_config'.\n\nLanguages: Ansible, Bash, OVAL, Kubernetes\n\n"
	},
	"Template sudo_defaults_option": {
		"prefix": "t_sudo_defaults_option",
		"body": [
			"template:",
			"\tname: sudo_defaults_option",
			"\tvars:",
			"\t\toption: ${1:# name of sudo 'Defaults' option to enable.}",
			"\t\toption_regex_suffix: ${2:# suffix to the pattern-match to use after 'option'; defaults to '=(\\w+)\\b.'}",
			"\t\tparameter_variable: ${3:# name of the XCCDF variable to get the value for the option parameter. (optional, if not set the check and remediation won't use parameters)}",
			"\t\tdefault_is_enabled: ${4:# set to \"true\" if the option is enabled by default for the product. In this case, the check will pass even if the options is not explicitly set. If 'parameter_variable' is used this is forced to \"false\". As the Value selector can be changed by tailoring at scan-time the default value needs to be defined at compile-time, and this is not supported at the moment. (optional, default value is \"false\". )}"
		],
		"description": "This template ensures a sudo 'Defaults' options is enabled in '/etc/sudoers' or in '/etc/sudoers.d/*'.\nThe template can check for options with and without parameters.\nThe remediations add the 'Defaults' option to '/etc/sudoers' file.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template sysctl": {
		"prefix": "t_sysctl",
		"body": [
			"template:",
			"\tname: sysctl",
			"\tvars:",
			"\t\tsysctlvar: ${1:# name of the sysctl value, eg. 'net.ipv4.conf.all.secure_redirects'.}",
			"\t\tdatatype: ${2:# data type of the sysctl value, eg. 'int'.}",
			"\t\tsysctlval: ${3:# value of the sysctl value, eg. '1'. If this parameter is not specified, XCCDF Value is used instead.}",
			"\t\toperation: ${4:# operation used for comparison of collected object with sysctlval. Default value: 'equals'.}",
			"\t\tsysctlval_regex: ${5:# if 'operation' is 'pattern match', this parameter is used instead of 'sysctlval'.}"
		],
		"description": "Checks sysctl parameters. The OVAL definition checks both static configuration and runtime settings and require both of them to be set to the desired value to return true.\nThe following file and directories are checked for static sysctl configurations:\n\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf (does not apply to RHEL and OL)\n\nA sysctl option defined in more than one file within the scanned directories will result in 'fail'.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template timer_enabled": {
		"prefix": "t_timer_enabled",
		"body": [
			"template:",
			"\tname: timer_enabled",
			"\tvars:",
			"\t\ttimername: ${1:# name of the SystemD timer unit, without the 'timer' suffix, eg. 'dnf-automatic'.}",
			"\t\tpackagename: ${2:# name of the RPM package which provides the SystemD timer unit. This parameter is optional, if it is not provided it is assumed that the name of the RPM package is the same as the name of the SystemD timer unit.}"
		],
		"description": "Checks if a SystemD timer unit is enabled.\n\nLanguages: Ansible, Bash, OVAL\n\n"
	},
	"Template yamlfile_value": {
		"prefix": "t_yamlfile_value",
		"body": [
			"template:",
			"\tname: yamlfile_value",
			"\tvars:",
			"\t\tocp_data: ${1:# if set to \"true\" then the filepath would be treated as a part of the dump of OCP configuration with the 'ocp_data_root' prefix; optional.}",
			"\t\tfilepath: ${2:# full path to the file to check}",
			"\t\tyamlpath: ${3:# OVAL's https://github.com/OpenSCAP/yaml-filter/wiki/YAML-Path-Definition expression.}",
			"\t\tentity_check: ${4:# (https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#CheckEnumeration) - entity_check value for state's value, optional. If omitted, entity_check attribute would not be set and will be treated by OVAL as 'all'. Possible options are 'all', 'at least one', 'none satisfy' and 'only one'.}",
			"\t\tcheck_existence: ${5:# (https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#ExistenceEnumeration) - 'check_existence' value for the 'yamlfilecontent_test', optional. If omitted, check_existence attribute will default to 'only_one_exists'. Possible options are 'all_exist', 'any_exist', 'at_least_one_exists', 'none_exist', 'only_one_exists'.}",

			"\t\txccdf_variable: ${6:# XCCDF variable selector. Use this field if the comparison involves checking for a value selected by a XCCDF variable.}",

			"\t\tembedded_data: ${6:# if set to \"true\" and used combined with 'xccdf_variable', the data retrieved by 'yamlpath' is considered as a blob and the field 'value' has to contain a capture regex.}",

			"\t\tregex_data: ${7:# if set to \"true\" and combined with 'xccdf_variable', it will use the value of 'xccdf_variable' as a regex and does pattern match operation instead of equal operation.}",

			"\t\tcheck_existence_yamlpath: ${8:# optional YAML Path that could be set to ensure that the target sequence from 'yamlpath' has all required sub-elements. It is helpful when the 'yamlpath' is targeting a map inside a sequence, and the document could be missing a key in that map (i.e. '$.seq[:].obj.item.key_that_might_be_missing'). When 'check_existence_yamlpath' is set to a path like '$.seq[:].obj.item.key_that_always_exists' (or '$.seq[:].obj.key_that_always_exists') the template will create a check, that will count elements in both paths and would fail if amounts are not equal. This check has a limitation: both 'check_existence_yamlpath' and 'yamlpath' have to point to a scalar value for it to work correctly (that is, the path '$.seq[:].obj.item' won't work).}",

			"\t\tvalues: # a list of dictionaries with values to check, where:",

			"\t\t\tkey: ${9:# the yaml key to check, optional. Used when the yamlpath expression yields a map.}",

			"\t\t\tvalue: ${10:# the value to check. If used in combination with 'xccdf_variable' and 'embedded_data', this field must have a regex with a capture group. The value captured by the regex will be compared with value of variable referenced by 'xccdf_variable'.}",

			"\t\t\ttype: ${11:# (https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#---simpledatatypeenumeration---) - datatype for state's value_of, optional. If omitted, datatype would be treated as OVAL's default 'string'. Most common datatypes are string and int. For complete list check reference link.}",

			"\t\t\toperation: ${12:# (https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#---operationenumeration---) - operation value for state's value_of, optional. If omitted, operation attribute would not be set. OVAL's default operation is 'equals'. Most common operations are 'equals', 'not equal', 'pattern match', 'greater than or equal' and 'less than or equal'. For complete list of operations check the reference link.}",

			"\t\t\tentity_check: ${13:# (https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#CheckEnumeration) - entity_check value for state's field (child of value), optional. If omitted, entity_check attribute would not be set and will be treated by OVAL as all. Possible options are 'all', 'at least one', 'none satisfy' and 'only one'.}"
		],
		"description": "Check if value(s) of certain type is (are) present in a YAML (or JSON) file at a given path.\n\nLanguages: OVAL\n\n"
	}
}