diff --git a/applications/openshift/api-server/api_server_request_timeout/rule.yml b/applications/openshift/api-server/api_server_request_timeout/rule.yml
index 67e87df03acd..8a7562e14dda 100644
--- a/applications/openshift/api-server/api_server_request_timeout/rule.yml
+++ b/applications/openshift/api-server/api_server_request_timeout/rule.yml
@@ -40,3 +40,17 @@ ocil: |-
 Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'
The output should return
300
.
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ entity_check: "at least one"
+ filepath: /api/v1/namespaces/openshift-kube-apiserver/configmaps/config
+ yamlpath: '.data["config.yaml"]'
+ xccdf_variable: var_api_min_request_timeout
+ embedded_data: "true"
+ values:
+ - value: '"apiServerArguments":{.*"min-request-timeout":\["(\d*)"\]'
+ operation: "pattern match"
+ type: "string"
diff --git a/applications/openshift/api-server/var_api_min_request_timeout.var b/applications/openshift/api-server/var_api_min_request_timeout.var
new file mode 100644
index 000000000000..ac2b992bed6f
--- /dev/null
+++ b/applications/openshift/api-server/var_api_min_request_timeout.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'API Server Request Timeout'
+
+description: 'Enter API Server Request Timeout'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ 300: "300"
+ default: "3600"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
index 36ba8b734cf5..faca91a8061a 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
@@ -69,7 +69,4 @@ template:
 vars:
 filepath: /etc/kubernetes/kubelet.conf
 yamlpath: ".evictionSoft['memory.available']"
- values:
- - value: {{{ xccdf_value("var_kubelet_evictionsoft_memory_available") }}}
- operation: "equals"
-
+ xccdf_variable: var_kubelet_evictionsoft_memory_available
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
index 00497ec4d0a4..eb59939ccbb4 100644
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
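Review bot: The new template block binds the check to `var_api_min_request_timeout`, whose default in the accompanying .var file is `"3600"`, while the unchanged OCIL text above still tells the assessor that the output should return 300; for any profile that keeps the default the automated check and the manual instruction will disagree. Render the expected value from the variable instead, e.g. `The output should return {{{ xccdf_value("var_api_min_request_timeout") }}}.` — the kubelet rule this commit edits shows `xccdf_value(...)` being used in a rule.yml, so the macro is available here. Separately, the capture `(\d*)` also matches an empty string, so a config containing `"min-request-timeout":[""]` yields an empty capture rather than a no-match; `(\d+)` states the intent. The `ocil` block starts outside the hunk.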
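Review bot: The description `'Enter API Server Request Timeout'` does not say which setting this variable stands for, and the title is just as generic; since the rule matches the kube-apiserver `min-request-timeout` argument, name it, e.g. `description: 'Expected value of the kube-apiserver min-request-timeout argument, as checked by the api_server_request_timeout rule'`. The default of `"3600"` also differs from the 60 that the CIS profile comment on this page says the benchmark specifies — that comment talks about `request-timeout`, and whether that is the same argument as `min-request-timeout` is not clear from the page — so a one-line comment in this file explaining why 3600 is the default would save the next reader the same question.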
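Review bot: Dropping the `values:` block also drops the explicit `operation: "equals"`, so the comparison is now whatever the template applies on its `xccdf_variable`-without-`embedded_data` path, and the oval.template hunk on this page does not show that path's XML. If that path does not default to an equality check, keeping `operation: "equals"` next to `xccdf_variable: var_kubelet_evictionsoft_memory_available` (if the template accepts it there) would make the intent explicit; worth confirming against the template before merging. The `template:` block starts outside the hunk.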
@@ -1744,12 +1744,21 @@ The selected value can be changed in the profile (consult the actual variable fo Possible options are `all_exist`, `any_exist`, `at_least_one_exists`, `none_exist`, `only_one_exists`. + - **xccdf_variable** - XCCDF variable selector. Use this field if the comparison involves + checking for a value selected by a XCCDF variable. + + - **embedded_data** - if set to `"true"` and used combined with `xccdf_variable`, the data retrieved by `yamlpath` + is considered as a blob and the field `value` has to contain a capture regex. + - **values** - a list of dictionaries with values to check, where: - **key** - the yaml key to check, optional. Used when the yamlpath expression yields a map. - - **value** - the value to check. + - **value** - the value to check. If used in combination with + `xccdf_variable` and `embedded_data`, this field must have a + regex with a capture group. The value captured by the regex + will be compared with value of variable referenced by `xccdf_variable`. - **type** ([SimpleDatatypeEnumeration](https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#---simpledatatypeenumeration---)) -
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
index 6f42136c52a2..0cff9c162e5d 100644
--- a/ocp4/profiles/cis.profile
+++ b/ocp4/profiles/cis.profile
@@ -93,7 +93,7 @@ selections:
 # (jhrozek) Temporarily disabling the rule because the benchmark
 # specifies one value (60) for the request-timeout parameter, while we
 # use 3600 in OCP. It is unclear if this value is appropriate...
- # - api_server_request_timeout
+ - api_server_request_timeout
 # 1.2.27 Ensure that the --service-account-lookup argument is set to true
 - api_server_service_account_lookup
 # 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate
diff --git a/shared/templates/yamlfile_value/oval.template b/shared/templates/yamlfile_value/oval.template
index 3821bbf62ec7..e79234f75cf7 100644
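Review bot: The three comment lines kept above the re-enabled `- api_server_request_timeout` still say the rule is "Temporarily disabling" because the benchmark wants 60 while OCP uses 3600, so they now contradict the selection that follows them. Replace them with the current rationale, e.g. `# Enabled; the expected value comes from var_api_min_request_timeout (default 3600), see the var file for why OCP differs from the benchmark`, or drop them. If the profile is meant to pin a value other than that default, a variable selection next to the rule (ComplianceAsCode profiles use the `- var_name=value` form, but check an existing selection in this file) would make that explicit rather than relying on the .var default.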
--- a/shared/templates/yamlfile_value/oval.template
+++ b/shared/templates/yamlfile_value/oval.template
@@ -25,12 +25,39 @@ {{{ FILEPATH }}} {{% endif %}} - +{{% if not XCCDF_VARIABLE or (XCCDF_VARIABLE and not EMBEDDED_DATA) %}} +{{% else %}} + + + + + + + local_variable_{{{ rule_id }}} + + + + + + + {{% for val in VALUES %}} + + + + + + {{% endfor %}} + +{{% endif %}} + +{{% if XCCDF_VARIABLE %}} + +{{% endif %}} {{% if OCP_DATA %}} {{{ YAMLPATH }}} + {{% if not XCCDF_VARIABLE or (XCCDF_VARIABLE and not EMBEDDED_DATA) %}} + {{% if XCCDF_VARIABLE and not EMBEDDED_DATA %}} + + {{% else %}} {{% for val in VALUES %}} {{{ val.value }}} {{% endfor %}} + {{% endif %}} + {{% endif %}} {{% if OCP_DATA %}}
@@ -62,3 +95,4 @@ {{% endif %}} +
diff --git a/shared/templates/yamlfile_value/template.py b/shared/templates/yamlfile_value/template.py
index 1c9347a195ac..60168da305b3 100644
--- a/shared/templates/yamlfile_value/template.py
+++ b/shared/templates/yamlfile_value/template.py
@@ -1,3 +1,12 @@
 def preprocess(data, lang):
+
+ if data.get("xccdf_variable") and data.get("embedded_data") == "true":
+ if not data.get("values"):
+ raise ValueError(
+ "You should specify a capture regex in the 'value' field "
+ "when querying for a 'xccdf_value' that returns an embedded value. "
+ "Rule ID: {}".format(data["_rule_id"]))
+
+ data["embedded_data"] = data.get("embedded_data", "false") == "true"
 data["ocp_data"] = data.get("ocp_data", "false") == "true"
 return data
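Review bot: The guard `{{% if not XCCDF_VARIABLE or (XCCDF_VARIABLE and not EMBEDDED_DATA) %}}` is logically `not (XCCDF_VARIABLE and EMBEDDED_DATA)` — the second disjunct can only hold when the first is already false — and it appears twice in the first hunk. Writing it as `{{% if not (XCCDF_VARIABLE and EMBEDDED_DATA) %}}` says the same thing and makes its relation to the inner `{{% if XCCDF_VARIABLE and not EMBEDDED_DATA %}}` branch obvious at a glance. The XML element lines of both hunks are blank in this rendering, so nothing can be said here about the generated OVAL objects and states themselves.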
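Review bot: The new error message names `'xccdf_value'` but the field being validated is `xccdf_variable`, so it points rule authors at the wrong key; change that line to `"when querying for an 'xccdf_variable' that returns an embedded value. "`. The check also only asserts that `values` is non-empty: a `value` regex without a capture group, which the docs hunk in this commit says is required, passes preprocessing and only fails later in the generated OVAL, and `embedded_data: "true"` without `xccdf_variable` is silently accepted. Validating each regex at preprocess time gives authors the error where they wrote the rule; it needs `import re` at the top of the file and assumes the OVAL patterns are also valid under Python's `re`, which holds for the one pattern on this page.
```python
def preprocess(data, lang):
    if data.get("xccdf_variable") and data.get("embedded_data") == "true":
        values = data.get("values") or []
        if not values:
            raise ValueError(
                "You should specify a capture regex in the 'value' field "
                "when querying for an 'xccdf_variable' that returns an embedded value. "
                "Rule ID: {}".format(data["_rule_id"]))
        for val in values:
            # a capture group is what the template compares with the variable
            if re.compile(val["value"]).groups < 1:
                raise ValueError(
                    "The 'value' regex must contain a capture group when "
                    "'embedded_data' is \"true\". Rule ID: {}".format(data["_rule_id"]))
    # … unchanged: embedded_data / ocp_data normalisation and return …
```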