From 0c828db4145db86d707e7d27ca84bcedd25981c6 Mon Sep 17 00:00:00 2001 
From: Vincent Shen Date: Tue, 20 Jun 2023 07:25:04 -0700 Subject: [PATCH] OCPBUGS-11932: Disable checks for Open vSwitch on NSX cluster This PR makes the Open vSwitch rules be checked only when the cluster uses the SDN or OVN network type --- .../openshift/master/file_groupowner_openvswitch/rule.yml | 2 ++ .../openshift/master/file_groupowner_ovs_conf_db/rule.yml | 4 ++-- .../master/file_groupowner_ovs_conf_db_lock/rule.yml | 4 ++-- .../file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml | 4 ++-- .../master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml | 4 ++-- .../master/file_groupowner_ovs_conf_db_not_s390x/rule.yml | 4 ++-- .../master/file_groupowner_ovs_conf_db_s390x/rule.yml | 4 ++-- .../openshift/master/file_groupowner_ovs_pid/rule.yml | 4 ++-- .../openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml | 4 ++-- .../master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml | 4 ++-- .../master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml | 4 ++-- .../master/file_groupowner_ovs_vswitchd_pid/rule.yml | 4 ++-- .../master/file_groupowner_ovsdb_server_pid/rule.yml | 4 ++-- applications/openshift/master/file_owner_openvswitch/rule.yml | 2 ++ applications/openshift/master/file_owner_ovs_conf_db/rule.yml | 2 +- .../openshift/master/file_owner_ovs_conf_db_lock/rule.yml | 2 +- applications/openshift/master/file_owner_ovs_pid/rule.yml | 2 +- .../openshift/master/file_owner_ovs_sys_id_conf/rule.yml | 2 +- .../openshift/master/file_owner_ovs_vswitchd_pid/rule.yml | 2 +- .../openshift/master/file_owner_ovsdb_server_pid/rule.yml | 2 +- .../openshift/master/file_permissions_openvswitch/rule.yml | 2 ++ .../openshift/master/file_permissions_ovs_conf_db/rule.yml | 4 ++-- .../master/file_permissions_ovs_conf_db_lock/rule.yml | 4 ++-- .../openshift/master/file_permissions_ovs_pid/rule.yml | 4 ++-- .../master/file_permissions_ovs_sys_id_conf/rule.yml | 4 ++-- .../master/file_permissions_ovs_vswitchd_pid/rule.yml | 4 ++-- .../master/file_permissions_ovsdb_server_pid/rule.yml | 4 ++-- 27 files changed, 
48 insertions(+), 42 deletions(-) diff --git a/applications/openshift/master/file_groupowner_openvswitch/rule.yml b/applications/openshift/master/file_groupowner_openvswitch/rule.yml index e3cef34bdf1..ea97563d5f8 100644 --- a/applications/openshift/master/file_groupowner_openvswitch/rule.yml +++ b/applications/openshift/master/file_groupowner_openvswitch/rule.yml @@ -20,6 +20,8 @@ severity: medium references: cis@ocp4: 1.1.10 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.*", group="root") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml index 8e43a0a0450..1a3142c5149 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Configuration Database' description: |- @@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: |- /etc/openvswitch/conf.db does not have a group owner of code>hugetlbfs on architectures other than s390x or openvswitch diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml index 0bea34b990d..b09a62c3d26 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock' description: |- 
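Review bot: If file_groupowner_openvswitch already declares a `platform:` key above this hunk, the added `platform: ocp4-node-on-sdn or ocp4-node-on-ovn` after `references:` becomes a duplicate mapping key, which most YAML loaders resolve silently with the last value winning. Unlike the sibling rules in this patch, this hunk removes no `-platform: ocp4-node` line, and the diffstat reports 2 insertions and 0 deletions for the file, so the earlier key either never existed (then it is worth asking why this rule was not node-scoped before) or is still present. Please check the whole file and run yamllint's `key-duplicates` rule across the 27 touched rule files before merging.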
@@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: |- /etc/openvswitch/conf.db.~lock~ does not have a group owner of code>hugetlbfs on architectures other than s390x or openvswitch diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml index 119ade78382..17a517a7fb1 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and not_s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml index 7ae545c2995..24bdbad2b95 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}' ocil: |- 
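Review bot: The ocil_clause kept as context under the new `platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch` line still names `group="hugetlbfs"` for this s390x-only rule, although the umbrella rule file_groupowner_ovs_conf_db_lock earlier in this patch describes hugetlbfs as the group "on architectures other than s390x" and the sibling file_groupowner_ovs_conf_db_s390x uses `group="openvswitch"`. Since the platform line is being edited anyway, this is the moment to reconcile the manual-check text: if the OVAL check (not in this diff) expects openvswitch on s390x, the clause should read `ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="openvswitch") }}}'`; if hugetlbfs is really expected on s390x, the umbrella rule's wording is the one that is wrong. The same mismatch is visible in file_groupowner_ovs_sys_id_conf_s390x later in the patch.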
diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml index 1b4cf49ee2f..cb0f59c3e6f 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and not_s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Configuration Database' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="hugetlbfs") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml index 563e625e52a..01a293697c5 100644 --- a/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Configuration Database' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="openvswitch") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_pid/rule.yml index 4b1939781b2..6f64611b37e 100644 --- a/applications/openshift/master/file_groupowner_ovs_pid/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_pid/rule.yml 
@@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Process ID File' description: |- @@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: '/var/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml index 34551da21f1..60773eed278 100644 --- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Persistent System ID' description: |- @@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: |- /etc/openvswitch/system-id.conf does not have a group owner of code>hugetlbfs on architectures other than s390x or openvswitch diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml index 4d3739ced11..6c9f67fefaa 100644 --- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and not_s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Persistent System ID' description: |- 
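Review bot: The context line directly under the new `platform: ocp4-node-on-sdn or ocp4-node-on-ovn` in file_groupowner_ovs_sys_id_conf carries a broken markup fragment, `code>hugetlbfs`, missing its opening `<` and closing `</code>`, so the rendered guide shows a stray `code>` in the manual-check text (the clause text may continue beyond the hunk). Pre-existing, but the same fragment appears in file_groupowner_ovs_conf_db and file_groupowner_ovs_conf_db_lock in this patch, and all three files are being touched now; the fix is `/etc/openvswitch/system-id.conf does not have a group owner of <code>hugetlbfs</code> on architectures other than s390x or <code>openvswitch</code>`. Worth fixing in the same commit so the rendered OCIL is not left half-tagged.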
@@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml index 68ac1cbe339..8e201b8ae10 100644 --- a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node and s390x_arch - title: 'Verify Group Who Owns The Open vSwitch Persistent System ID' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}' ocil: |- diff --git a/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml index 7cecd90e07a..6f7941f857f 100644 --- a/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml +++ b/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Daemon PID File' description: |- @@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: '/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs' ocil: |- 
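Review bot: The ocil_clause on the context line below the new platform key, `'/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs'`, states the compliant condition, whereas the sibling rules in this patch phrase the clause as the failing condition (`does not have a group owner of …`); if ocil_clause is rendered as the failing condition, as the siblings assume, the manual check for this rule reads inverted. Suggest `ocil_clause: '/run/openvswitch/ovs-vswitchd.pid does not have group owner openvswitch or hugetlbfs'`; the same phrasing appears in file_groupowner_ovs_pid and file_groupowner_ovsdb_server_pid in this patch. Separately, file_groupowner_ovs_pid checks /var/run/openvswitch/ovs-vswitchd.pid and this rule checks /run/openvswitch/ovs-vswitchd.pid, which are presumably the same file through the /var/run symlink — worth confirming both rules are intended to exist.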
diff --git a/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml index f6399eba5ac..14e80a97466 100644 --- a/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml +++ b/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Group Who Owns The Open vSwitch Database Server PID' description: |- @@ -28,6 +26,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: '/run/openvswitch/ovsdb-server.pid has group owner openvswitch or hugetlbfs' ocil: |- diff --git a/applications/openshift/master/file_owner_openvswitch/rule.yml b/applications/openshift/master/file_owner_openvswitch/rule.yml index b3ba820d50d..d2caee30aee 100644 --- a/applications/openshift/master/file_owner_openvswitch/rule.yml +++ b/applications/openshift/master/file_owner_openvswitch/rule.yml @@ -20,6 +20,8 @@ severity: medium references: cis@ocp4: 1.1.10 +platform: ocp4-node-on-sdn or ocp4-node-on-ovn + ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/openvswitch/.*", owner="root") }}}' ocil: |- diff --git a/applications/openshift/master/file_owner_ovs_conf_db/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db/rule.yml index a6f093ab1e7..d9b3585d5db 100644 --- a/applications/openshift/master/file_owner_ovs_conf_db/rule.yml +++ b/applications/openshift/master/file_owner_ovs_conf_db/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Configuration Database' diff --git a/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml index 5f815cc348a..589f0920e13 100644 
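Review bot: Placement of the `platform:` key is now inconsistent across the rule set: file_owner_ovs_conf_db (and the other file_owner_* rules) replace it in place near the top of the file, right after `prodtype: ocp4`, while the file_groupowner_* and file_permissions_* rules in the same patch delete it there and re-add it below `references:`. Both positions are equivalent for a YAML mapping, but the split makes later bulk edits like this one harder to grep and review; pick one location for all 27 files. If moving it below references was deliberate in the other files, apply the same `-platform: ocp4-node` deletion here and add `platform: ocp4-node-on-sdn or ocp4-node-on-ovn` after the references block.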
--- a/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml +++ b/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Configuration Database Lock' diff --git a/applications/openshift/master/file_owner_ovs_pid/rule.yml b/applications/openshift/master/file_owner_ovs_pid/rule.yml index 60a46dba5b7..d244f47ba97 100644 --- a/applications/openshift/master/file_owner_ovs_pid/rule.yml +++ b/applications/openshift/master/file_owner_ovs_pid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Process ID File' diff --git a/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml index b3fd6c256a5..5de58d70170 100644 --- a/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml +++ b/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Persistent System ID' diff --git a/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml index 75f6ecc0e18..5f1ddf43407 100644 --- a/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml +++ b/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Daemon PID File' 
diff --git a/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml index acae328ee60..e5c71b10e52 100644 --- a/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml +++ b/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node +platform: ocp4-node-on-sdn or ocp4-node-on-ovn title: 'Verify User Who Owns The Open vSwitch Database Server PID' diff --git a/applications/openshift/master/file_permissions_openvswitch/rule.yml b/applications/openshift/master/file_permissions_openvswitch/rule.yml index b3dd67971fb..059a032040e 100644 --- a/applications/openshift/master/file_permissions_openvswitch/rule.yml +++ b/applications/openshift/master/file_permissions_openvswitch/rule.yml @@ -21,6 +21,8 @@ severity: medium references: cis@ocp4: 1.4.9 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.*", perms="-rw-r--r--") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml index 09401b38243..8c49e92d8f5 100644 --- a/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml +++ b/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Configuration Database' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/conf.db", perms="-rw-r-----") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml index e476491a918..ee965ddc5ee 100644 
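Review bot: The new platform for file_permissions_openvswitch is `ocp4-node-on-sdn` only, while the commit message says the Open vSwitch rules should be checked with the SDN and OVN network types and the file_owner_* / file_groupowner_* counterparts in this patch use `ocp4-node-on-sdn or ocp4-node-on-ovn`. As written, this rule and every file_permissions_ovs* rule through file_permissions_ovsdb_server_pid become notapplicable on OVN-Kubernetes clusters, which is a silent loss of the previous `ocp4-node` coverage rather than the NSX-only exclusion the bug title describes. If the expected modes genuinely differ under OVN and another rule covers that case, say so in the commit message and in each rule's description; otherwise change the line to `platform: ocp4-node-on-sdn or ocp4-node-on-ovn`.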
--- a/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml +++ b/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Configuration Database Lock' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.conf.db.~lock~", perms="-rw-------") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovs_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_pid/rule.yml index 40e140ecbeb..764dd308bea 100644 --- a/applications/openshift/master/file_permissions_ovs_pid/rule.yml +++ b/applications/openshift/master/file_permissions_ovs_pid/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Process ID File' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml index 81b1ce83b2c..ce935384737 100644 --- a/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml +++ b/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Persistent System ID' description: |- 
@@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/system-id.conf", perms="-rw-r--r--") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml index d9ea022d28f..9021448b9b5 100644 --- a/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml +++ b/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Daemon PID File' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}' ocil: |- diff --git a/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml index a6d80924826..0c37c3cf7ac 100644 --- a/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml +++ b/applications/openshift/master/file_permissions_ovsdb_server_pid/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4-node - title: 'Verify Permissions on the Open vSwitch Database Server PID' description: |- @@ -26,6 +24,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node-on-sdn + ocil_clause: '{{{ ocil_clause_file_permissions(file="/run/openvswitch/ovsdb-server.pid", perms="-rw-r--r--") }}}' ocil: |-
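Review bot: Gating file_permissions_ovsdb_server_pid on `platform: ocp4-node-on-sdn` makes applicability depend on the cluster's declared network type rather than on whether /run/openvswitch/ovsdb-server.pid exists on the node, so a node that still runs ovsdb-server under another network plugin, or mid-migration, is reported as notapplicable instead of pass or fail. Presumably the platform CPE is derived from the Network CR's networkType; if so, add a sentence to the rule description such as `This rule is only evaluated on clusters using the OpenShift SDN network type; on other network plugins the file, if present, is not checked.` so auditors understand the gap. A file-existence check in the OVAL (not in this diff) would be the more robust gate, but that is a larger change.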