diff --git a/applications/openshift/master/file_groupowner_openvswitch/rule.yml b/applications/openshift/master/file_groupowner_openvswitch/rule.yml
index e3cef34bdf1..ea97563d5f8 100644
--- a/applications/openshift/master/file_groupowner_openvswitch/rule.yml
+++ b/applications/openshift/master/file_groupowner_openvswitch/rule.yml
@@ -20,6 +20,8 @@ severity: medium
references:
cis@ocp4: 1.1.10
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.*", group="root") }}}'
ocil: |-
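Review bot: The new `platform:` key is inserted directly after `cis@ocp4: 1.1.10`, which is a child of the indented `references:` mapping, and this view does not preserve indentation; if the added line is indented like `cis@ocp4` it is parsed as a reference entry rather than the rule's platform, and the rule silently stays applicable to every node. Confirm that `platform` lands at column 0 in the built data stream (or by loading the file with a YAML parser and checking the top-level keys). The same placement is used in the `file_owner_openvswitch` and `file_permissions_openvswitch` hunks and in every other insertion below a `references:` block in this patch. The diff also assumes the `ocp4-node-on-sdn` and `ocp4-node-on-ovn` CPE platforms are already defined for the product; nothing here adds them, so a missing definition would only surface at build time.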
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml
index 8e43a0a0450..1a3142c5149 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: |-
/etc/openvswitch/conf.db
does not have a group owner of
code>hugetlbfs on architectures other than s390x or openvswitch
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml
index 0bea34b990d..b09a62c3d26 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: |-
/etc/openvswitch/conf.db.~lock~
does not have a group owner of
code>hugetlbfs on architectures other than s390x or openvswitch
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml
index 119ade78382..17a517a7fb1 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and not_s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml
index 7ae545c2995..24bdbad2b95 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml
index 1b4cf49ee2f..cb0f59c3e6f 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and not_s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="hugetlbfs") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml
index 563e625e52a..01a293697c5 100644
--- a/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="openvswitch") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_pid/rule.yml
index 4b1939781b2..6f64611b37e 100644
--- a/applications/openshift/master/file_groupowner_ovs_pid/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Process ID File'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: '/var/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml
index 34551da21f1..60773eed278 100644
--- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: |-
/etc/openvswitch/system-id.conf
does not have a group owner of
code>hugetlbfs on architectures other than s390x or openvswitch
diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml
index 4d3739ced11..6c9f67fefaa 100644
--- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and not_s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml
index 68ac1cbe339..8e201b8ae10 100644
--- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node and s390x_arch
-
title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml
index 7cecd90e07a..6f7941f857f 100644
--- a/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Daemon PID File'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: '/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs'
ocil: |-
diff --git a/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml
index f6399eba5ac..14e80a97466 100644
--- a/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml
+++ b/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Group Who Owns The Open vSwitch Database Server PID'
description: |-
@@ -28,6 +26,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: '/run/openvswitch/ovsdb-server.pid has group owner openvswitch or hugetlbfs'
ocil: |-
diff --git a/applications/openshift/master/file_owner_openvswitch/rule.yml b/applications/openshift/master/file_owner_openvswitch/rule.yml
index b3ba820d50d..d2caee30aee 100644
--- a/applications/openshift/master/file_owner_openvswitch/rule.yml
+++ b/applications/openshift/master/file_owner_openvswitch/rule.yml
@@ -20,6 +20,8 @@ severity: medium
references:
cis@ocp4: 1.1.10
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/openvswitch/.*", owner="root") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_owner_ovs_conf_db/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db/rule.yml
index a6f093ab1e7..d9b3585d5db 100644
--- a/applications/openshift/master/file_owner_ovs_conf_db/rule.yml
+++ b/applications/openshift/master/file_owner_ovs_conf_db/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Configuration Database'
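Review bot: The `platform:` key is updated in place at the top of the file here, while the sibling `file_groupowner_*` and `file_permissions_*` rules in the same patch delete it from the top and re-add it below `references:`, leaving two layouts for the same key across the OVS rules. Pick one placement for the whole directory so future edits and greps hit the same spot; the in-place form used here is the smaller diff, so the groupowner/permissions hunks could keep `platform: ocp4-node-on-sdn or ocp4-node-on-ovn` at line 3 instead of moving it. The same applies to the `file_owner_ovs_conf_db_lock`, `file_owner_ovs_pid`, `file_owner_ovs_sys_id_conf`, `file_owner_ovs_vswitchd_pid` and `file_owner_ovsdb_server_pid` hunks.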
diff --git a/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml
index 5f815cc348a..589f0920e13 100644
--- a/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml
+++ b/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Configuration Database Lock'
diff --git a/applications/openshift/master/file_owner_ovs_pid/rule.yml b/applications/openshift/master/file_owner_ovs_pid/rule.yml
index 60a46dba5b7..d244f47ba97 100644
--- a/applications/openshift/master/file_owner_ovs_pid/rule.yml
+++ b/applications/openshift/master/file_owner_ovs_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Process ID File'
diff --git a/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml
index b3fd6c256a5..5de58d70170 100644
--- a/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml
+++ b/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Persistent System ID'
diff --git a/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml
index 75f6ecc0e18..5f1ddf43407 100644
--- a/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml
+++ b/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Daemon PID File'
diff --git a/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml
index acae328ee60..e5c71b10e52 100644
--- a/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml
+++ b/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
title: 'Verify User Who Owns The Open vSwitch Database Server PID'
diff --git a/applications/openshift/master/file_permissions_openvswitch/rule.yml b/applications/openshift/master/file_permissions_openvswitch/rule.yml
index b3dd67971fb..059a032040e 100644
--- a/applications/openshift/master/file_permissions_openvswitch/rule.yml
+++ b/applications/openshift/master/file_permissions_openvswitch/rule.yml
@@ -21,6 +21,8 @@ severity: medium
references:
cis@ocp4: 1.4.9
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.*", perms="-rw-r--r--") }}}'
ocil: |-
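Review bot: `platform: ocp4-node-on-sdn` limits this permissions check to SDN nodes, whereas the owner and group-owner rules for the same `/etc/openvswitch/.*` paths in this patch use `ocp4-node-on-sdn or ocp4-node-on-ovn`; on OVN-Kubernetes nodes the file modes are therefore no longer evaluated at all and the rule reports notapplicable instead of fail, which is a coverage gap rather than a finding. If that is deliberate (for example because the expected modes differ under OVN), record the reason in the rule so the gap is visible, e.g. a comment above the key: `# Permissions are checked on SDN nodes only; OVN-Kubernetes nodes are intentionally out of scope (<REASON placeholder>)`; otherwise the expression should match the owner rules. The same narrowing appears in the `file_permissions_ovs_conf_db`, `file_permissions_ovs_conf_db_lock`, `file_permissions_ovs_pid`, `file_permissions_ovs_sys_id_conf`, `file_permissions_ovs_vswitchd_pid` and `file_permissions_ovsdb_server_pid` hunks.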
diff --git a/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml
index 09401b38243..8c49e92d8f5 100644
--- a/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml
+++ b/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Configuration Database'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/conf.db", perms="-rw-r-----") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml
index e476491a918..ee965ddc5ee 100644
--- a/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml
+++ b/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Configuration Database Lock'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.conf.db.~lock~", perms="-rw-------") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_permissions_ovs_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_pid/rule.yml
index 40e140ecbeb..764dd308bea 100644
--- a/applications/openshift/master/file_permissions_ovs_pid/rule.yml
+++ b/applications/openshift/master/file_permissions_ovs_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Process ID File'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml
index 81b1ce83b2c..ce935384737 100644
--- a/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml
+++ b/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Persistent System ID'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/system-id.conf", perms="-rw-r--r--") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml
index d9ea022d28f..9021448b9b5 100644
--- a/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml
+++ b/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Daemon PID File'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}'
ocil: |-
diff --git a/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml
index a6d80924826..0c37c3cf7ac 100644
--- a/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml
+++ b/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4-node
-
title: 'Verify Permissions on the Open vSwitch Database Server PID'
description: |-
@@ -26,6 +24,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node-on-sdn
+
ocil_clause: '{{{ ocil_clause_file_permissions(file="/run/openvswitch/ovsdb-server.pid", perms="-rw-r--r--") }}}'
ocil: |-