Pre-load Jinja macros

applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1"> {{{
-    oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} <criteria
+    oval_metadata("One of the flowschema versions should exist, but it doesn't matter which", rule_title=rule_title) }}} <criteria
       operator="OR">
       <extend_definition comment="flowschema v1alpha1"
         definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />

applications/openshift/api-server/api_server_oauth_https_serving_cert/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="api_server_oauth_https_serving_cert" version="1">
-    {{{ oval_metadata("TLS security profile configured must use secure protocols in OpenShift OAuth API Server") }}}
+    {{{ oval_metadata("TLS security profile configured must use secure protocols in OpenShift OAuth API Server", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="APIServer tlsSecurityProfile=Old is not configured" definition_ref="api_server_tls_security_profile_not_old" />

applications/openshift/api-server/api_server_openshift_https_serving_cert/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="api_server_openshift_https_serving_cert" version="1">
-    {{{ oval_metadata("TLS security profile configured must use secure protocols in OpenShift API Server") }}}
+    {{{ oval_metadata("TLS security profile configured must use secure protocols in OpenShift API Server", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="APIServer tlsSecurityProfile=Old is not configured" definition_ref="api_server_tls_security_profile_not_old" />

applications/openshift/api-server/api_server_tls_security_profile/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="api_server_tls_security_profile" version="1">
-    {{{ oval_metadata("TLS security profile configured must use secure protocols") }}}
+    {{{ oval_metadata("TLS security profile configured must use secure protocols", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="APIServer tlsSecurityProfile=Old is not configured" definition_ref="api_server_tls_security_profile_not_old" />

applications/openshift/api-server/audit_log_forwarding_enabled/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
-    oval_metadata("A ClusterlogForwarder should be configured to forward logs, doesn't matter from which API") }}} <criteria
+    oval_metadata("A ClusterlogForwarder should be configured to forward logs, doesn't matter from which API", rule_title=rule_title) }}} <criteria
       operator="OR">
       <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
         definition_ref="audit_log_forwarding_enabled_observability_api" />

applications/openshift/api-server/audit_log_forwarding_webhook/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
-    oval_metadata("Audit webhook should be configure, regardless of which API") }}} <criteria
+    oval_metadata("Audit webhook should be configure, regardless of which API", rule_title=rule_title) }}} <criteria
       operator="OR">
       <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
         definition_ref="audit_log_forwarding_webhook_observability_api" />

applications/openshift/authentication/oauth_or_oauthclient_inactivity_timeout/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="oauth_or_oauthclient_inactivity_timeout" version="1">
-    {{{ oval_metadata("The inactivity timeout must be specified either per client or globally") }}}
+    {{{ oval_metadata("The inactivity timeout must be specified either per client or globally", rule_title=rule_title) }}}
 
     <criteria operator="OR">
       <extend_definition comment="global inactivity timeout" definition_ref="oauth_inactivity_timeout" />

applications/openshift/authentication/oauth_or_oauthclient_token_maxage/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="oauth_or_oauthclient_token_maxage" version="1">
-    {{{ oval_metadata("The tokan max age must be specified either per client or globally") }}}
+    {{{ oval_metadata("The tokan max age must be specified either per client or globally", rule_title=rule_title) }}}
 
     <criteria operator="OR">
       <extend_definition comment="global token max age" definition_ref="oauth_token_maxage" />

applications/openshift/etcd/etcd_unique_ca/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="etcd_unique_ca" version="1">
-    {{{ oval_metadata("The etcd CA should be different from the Kubernetes CA.") }}}
+    {{{ oval_metadata("The etcd CA should be different from the Kubernetes CA.", rule_title=rule_title) }}}
     <criteria>
       <criterion test_ref="test_etcd_different_ca_than_k8s"
       comment="Check that etcd uses a different CA than Kubernetes." />

applications/openshift/general/banner_or_login_template_set/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="banner_or_login_template_set" version="1">
-    {{{ oval_metadata("A Legal notice must be displayed by some means.") }}}
+    {{{ oval_metadata("A Legal notice must be displayed by some means.", rule_title=rule_title) }}}
 
     <criteria operator="OR">
       <extend_definition comment="classification banner" definition_ref="classification_banner" />

applications/openshift/general/file_owner_groupowner_permissions_pod_logs/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="file_owner_groupowner_permissions_pod_logs" version="1">
-    {{{ oval_metadata("The pod logs must have the expected permissions and ownership") }}}
+    {{{ oval_metadata("The pod logs must have the expected permissions and ownership", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="user ownership" definition_ref="file_owner_pod_logs" />

applications/openshift/general/project_config_and_template_resource_quota/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="project_config_and_template_resource_quota" version="1">
-    {{{ oval_metadata("A project template with ResourceQuotas must be created and referenced from the cluster project config") }}}
+    {{{ oval_metadata("A project template with ResourceQuotas must be created and referenced from the cluster project config", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="project template with ResourceQuotas set" definition_ref="project_template_resource_quota" />

applications/openshift/general/resource_requests_quota/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="resource_requests_quota" version="1">
-    {{{ oval_metadata("The sysctl parameter needs to be set before enabling kernel protection") }}}
+    {{{ oval_metadata("The sysctl parameter needs to be set before enabling kernel protection", rule_title=rule_title) }}}
 
     <criteria operator="OR">
       <extend_definition comment="cluster quotas enabled" definition_ref="resource_requests_quota_cluster" />

applications/openshift/general/resource_requests_quota_per_project/oval/shared.xml

@@ -4,7 +4,7 @@
 {{% set resourcequota_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and .metadata.namespace != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.namespace | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
 {{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
   <definition class="compliance" id="resource_requests_quota_per_project" version="1">
-    {{{ oval_metadata("Ensure that application Namespaces have Network Policies defined") }}}
+    {{{ oval_metadata("Ensure that application Namespaces have Network Policies defined", rule_title=rule_title) }}}
     <criteria>
       <criterion comment="Make sure that the file '{{{ openshift_filtered_path(resourcequota_api_path, resourcequota_for_non_ctlplane_namespaces_filter) }}} exists."
                  test_ref="test_file_for_resource_requests_quota_per_project"/>

applications/openshift/integrity/crypto/machine_volume_encrypted/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="machine_volume_encrypted" version="1">
-    {{{ oval_metadata("Full disk encryption should be enabled, either through the cloud provider or using FIPS") }}}
+    {{{ oval_metadata("Full disk encryption should be enabled, either through the cloud provider or using FIPS", rule_title=rule_title) }}}
 
     <criteria operator="OR">
       <extend_definition comment="Azure disk encryption enabled" definition_ref="azure_disk_encryption_enabled" />

applications/openshift/kubelet/kubelet_enable_protect_kernel_sysctl/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="kubelet_enable_protect_kernel_sysctl" version="1">
-    {{{ oval_metadata("The sysctl parameter needs to be set before enabling kernel protection") }}}
+    {{{ oval_metadata("The sysctl parameter needs to be set before enabling kernel protection", rule_title=rule_title) }}}
   <criteria operator="OR">
     <criteria operator="AND">
       <extend_definition comment="sysctl kernel_panic" definition_ref="kubelet_enable_protect_kernel_sysctl_kernel_panic" />

applications/openshift/logging/audit_log_forwarding_uses_tls/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
-    oval_metadata("A ClusterlogForwarder should be configured to use tls, doesn't matter from which API") }}} <criteria
+    oval_metadata("A ClusterlogForwarder should be configured to use tls, doesn't matter from which API", rule_title=rule_title) }}} <criteria
       operator="OR">
       <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
         definition_ref="audit_log_forwarding_uses_tls_observability_api" />

applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
-    oval_metadata("Cluster Logging operator is installed and scanning") }}} <criteria
+    oval_metadata("Cluster Logging operator is installed and scanning", rule_title=rule_title) }}} <criteria
       operator="OR">
       <extend_definition comment="Ensure clusterlogforwarder object exists"
         definition_ref="cluster_logging_operator_exists_observability_api" />

applications/openshift/logging/directory_access_var_log_kube_audit/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="directory_access_var_log_kube_audit" version="1">
-    {{{ oval_metadata("Audit rules about the read events to /var/log/kube-apiserver") }}}
+    {{{ oval_metadata("Audit rules about the read events to /var/log/kube-apiserver", rule_title=rule_title) }}}
 
     <criteria operator="OR">
 

applications/openshift/logging/directory_access_var_log_oauth_audit/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="directory_access_var_log_oauth_audit" version="1">
-    {{{ oval_metadata("Audit rules about the read events to /var/log/oauth-apiserver") }}}
+    {{{ oval_metadata("Audit rules about the read events to /var/log/oauth-apiserver", rule_title=rule_title) }}}
 
     <criteria operator="OR">
 

applications/openshift/logging/directory_access_var_log_ocp_audit/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="directory_access_var_log_ocp_audit" version="1">
-    {{{ oval_metadata("Audit rules about the read events to /var/log/openshift-apiserver") }}}
+    {{{ oval_metadata("Audit rules about the read events to /var/log/openshift-apiserver", rule_title=rule_title) }}}
 
     <criteria operator="OR">
 

applications/openshift/master/file_groupowner_ovs_pid/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="file_groupowner_ovs_pid" version="1">
-    {{{ oval_metadata("This test makes sure that /run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.") }}}
+    {{{ oval_metadata("This test makes sure that /run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.", rule_title=rule_title) }}}
     <criteria operator="OR">
       <criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="test_file_groupowner_run_ovs_vswitchd_pid_800" />
       <criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="test_file_groupowner_run_ovs_vswitchd_pid_801" />

applications/openshift/master/file_groupowner_ovs_vswitchd_pid/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="file_groupowner_ovs_vswitchd_pid" version="1">
-    {{{ oval_metadata("This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.") }}}
+    {{{ oval_metadata("This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.", rule_title=rule_title) }}}
     <criteria operator="OR">
       <criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="test_file_groupowner_var_run_ovs_vswitchd_pid_800" />
       <criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="test_file_groupowner_var_run_ovs_vswitchd_pid_801" />

applications/openshift/master/file_groupowner_ovsdb_server_pid/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="file_groupowner_ovsdb_server_pid" version="1">
-    {{{ oval_metadata("This test makes sure that /run/openvswitch/ovsdb-server.pid is group owned by 800 or 801.") }}}
+    {{{ oval_metadata("This test makes sure that /run/openvswitch/ovsdb-server.pid is group owned by 800 or 801.", rule_title=rule_title) }}}
     <criteria operator="OR">
       <criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 800" test_ref="test_file_groupowner_ovsdb_server_pid_800" />
       <criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 801" test_ref="test_file_groupowner_ovsdb_server_pid_801" />

applications/openshift/master/file_permissions_cni_conf/oval/shared.xml

@@ -1,5 +1,5 @@
 <def-group oval_version="5.11">
-  <definition class="compliance" id="file_permissions_cni_conf" version="1"> {{{ oval_metadata("One of the permission checks must pass") }}} 
+  <definition class="compliance" id="file_permissions_cni_conf" version="1"> {{{ oval_metadata("One of the permission checks must pass", rule_title=rule_title) }}} 
     <criteria operator="OR">
       <extend_definition comment="cni conf outside s390x" definition_ref="file_permissions_cni_conf_not_s390x" />
       <extend_definition comment="cni conf on s390x" definition_ref="file_permissions_cni_conf_s390x" />

applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml

@@ -4,7 +4,7 @@
 {{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
 {{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
   <definition class="compliance" id="configure_network_policies_namespaces" version="1">
-    {{{ oval_metadata("Ensure that application Namespaces have Network Policies defined") }}}
+    {{{ oval_metadata("Ensure that application Namespaces have Network Policies defined", rule_title=rule_title) }}}
     <criteria>
       <criterion comment="Make sure that the file '{{{ openshift_filtered_path(networkpolicies_api_path, networkpolicies_for_non_ctlplane_namespaces_filter) }}} exists."
                  test_ref="test_file_for_configure_network_policies_namespaces"/>

applications/openshift/networking/ingress_controller_tls_security_profile/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="ingress_controller_tls_security_profile" version="1">
-    {{{ oval_metadata("TLS security profile configured for IngressController must use secure protocols") }}}
+    {{{ oval_metadata("TLS security profile configured for IngressController must use secure protocols", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="IngressController tlsSecurityProfile=Old is not configured" definition_ref="ingress_controller_tls_security_profile_not_old" />

applications/openshift/networking/project_config_and_template_network_policy/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group oval_version="5.11">
   <definition class="compliance" id="project_config_and_template_network_policy" version="1">
-    {{{ oval_metadata("A project template with NetworkPolicies must be created and referenced from the cluster project config") }}}
+    {{{ oval_metadata("A project template with NetworkPolicies must be created and referenced from the cluster project config", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="project template with NetworkPolicies set" definition_ref="project_template_network_policy" />

build-scripts/build_templated_content.py

@@ -59,6 +59,7 @@ def parse_args():
 
     env_yaml = ssg.environment.open_environment(
         args.build_config_yaml, args.product_yaml)
+    ssg.jinja.initialize(env_yaml)
     builder = ssg.templates.Builder(
         env_yaml, args.resolved_rules_dir, args.templates_dir,
         args.remediations_dir, args.checks_dir, args.platforms_dir, args.cpe_items_dir)

build-scripts/collect_remediations.py

@@ -126,6 +126,7 @@ def main():
 
     env_yaml = ssg.environment.open_environment(
         args.build_config_yaml, args.product_yaml)
+    ssg.jinja.initialize(env_yaml)
 
     product = ssg.utils.required_key(env_yaml, "product")
     output_dirs = prepare_output_dirs(args.output_dir, args.remediation_type)

build-scripts/compile_all.py

@@ -5,6 +5,7 @@
 
 import ssg.build_profile
 import ssg.build_yaml
+import ssg.jinja
 import ssg.utils
 import ssg.controls
 import ssg.products
@@ -190,6 +191,7 @@ def main():
     project_root_abspath = os.path.abspath(args.project_root)
 
     env_yaml = get_env_yaml(args.build_config_yaml, args.product_yaml)
+    ssg.jinja.initialize(env_yaml)
     product_yaml = ssg.products.Product(args.product_yaml)
 
     product_cpes = ProductCPEs()

build-scripts/expand_jinja.py

@@ -7,7 +7,7 @@
 import ssg.jinja
 
 
-SUBS_DICT = ssg.jinja.load_macros()
+SUBS_DICT = {}
 
 
 def expand_jinja(filepath):

linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="audit_rules_dac_modification_umount" version="1">
-    {{{ oval_metadata("The changing of file permissions and attributes should be audited.") }}}
+    {{{ oval_metadata("The changing of file permissions and attributes should be audited.", rule_title=rule_title) }}}
     <criteria operator="OR">
 
       <!-- Test the augenrules case -->

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="audit_rules_file_deletion_events" version="1">
-    {{{ oval_metadata("Audit files deletion events.") }}}
+    {{{ oval_metadata("Audit files deletion events.", rule_title=rule_title) }}}
     <criteria operator="AND">
       <extend_definition comment="audit rmdir" definition_ref="audit_rules_file_deletion_events_rmdir" />
       <extend_definition comment="audit unlink" definition_ref="audit_rules_file_deletion_events_unlink" />

linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="audit_rules_unsuccessful_file_modification" version="1">
-    {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}
+    {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.", rule_title=rule_title) }}}
 
     <criteria operator="AND">
       <extend_definition comment="audit creat" definition_ref="audit_rules_unsuccessful_file_modification_creat" />

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml

@@ -1,6 +1,6 @@
 <def-group>
   <definition class="compliance" id="audit_rules_kernel_module_loading" version="1">
-    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.", rule_title=rule_title) }}}
     <criteria operator="AND">
       <extend_definition comment="audit init_module" definition_ref="audit_rules_kernel_module_loading_init" />
       <extend_definition comment="audit delete_module" definition_ref="audit_rules_kernel_module_loading_delete" />