JAORMX · ggbecker · Jan 21, 2021 · Jan 21, 2021 · Jan 21, 2021
diff --git a/applications/openshift/api-server/api_server_request_timeout/rule.yml b/applications/openshift/api-server/api_server_request_timeout/rule.yml
@@ -40,3 +40,17 @@ ocil: |-
     Run the following command:
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'</pre>
     The output should return <pre>300</pre>.
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    entity_check: "at least one"
+    filepath: /api/v1/namespaces/openshift-kube-apiserver/configmaps/config
+    yamlpath: '.data["config.yaml"]'
+    xccdf_variable: var_api_min_request_timeout
+    embedded_data: "true"
+    values:
+    - value: '"apiServerArguments":{.*"min-request-timeout":\["(\d*)"\]'
+      operation: "pattern match"
+      type: "string"
diff --git a/applications/openshift/api-server/var_api_min_request_timeout.var b/applications/openshift/api-server/var_api_min_request_timeout.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'API Server Request Timeout'
+
+description: 'Enter API Server Request Timeout'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    300: "300"
+    default: "3600"
diff --git a/...ications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml b/...ications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
@@ -69,7 +69,4 @@ template:
   vars:
     filepath: /etc/kubernetes/kubelet.conf
     yamlpath: ".evictionSoft['memory.available']"
-    values:
-      - value: {{{ xccdf_value("var_kubelet_evictionsoft_memory_available") }}}
-        operation: "equals"
-
+    xccdf_variable: var_kubelet_evictionsoft_memory_available
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
@@ -1744,12 +1744,21 @@ The selected value can be changed in the profile (consult the actual variable fo
         Possible options are `all_exist`, `any_exist`,
         `at_least_one_exists`, `none_exist`, `only_one_exists`.
 
+    -   **xccdf_variable** - XCCDF variable selector. Use this field if the comparison involves
+        checking for a value selected by a XCCDF variable.
+
+    -   **embedded_data** - if set to `"true"` and used combined with `xccdf_variable`, the data retrieved by `yamlpath`
+        is considered as a blob and the field `value` has to contain a capture regex.
+
     -   **values** - a list of dictionaries with values to check, where:
 
         -   **key** - the yaml key to check, optional. Used when the
             yamlpath expression yields a map.
 
-        -   **value** - the value to check.
+        -   **value** - the value to check. If used in combination with
+            `xccdf_variable` and `embedded_data`, this field must have a
+            regex with a capture group. The value captured by the regex
+            will be compared with value of variable referenced by `xccdf_variable`.
 
         -   **type**
             ([SimpleDatatypeEnumeration](https://github.com/OVALProject/Language/blob/master/docs/oval-common-schema.md#---simpledatatypeenumeration---)) -

diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
@@ -93,7 +93,7 @@ selections:
     # (jhrozek) Temporarily disabling the rule because the benchmark
     #           specifies one value (60) for the request-timeout parameter, while we
     #           use 3600 in OCP. It is unclear if this value is appropriate...
-    # - api_server_request_timeout
+    - api_server_request_timeout
   # 1.2.27 Ensure that the --service-account-lookup argument is set to true
     - api_server_service_account_lookup
   # 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate

diff --git a/shared/templates/yamlfile_value/oval.template b/shared/templates/yamlfile_value/oval.template
@@ -25,12 +25,39 @@
       <literal_component>{{{ FILEPATH }}}</literal_component>
       {{% endif %}}
   </local_variable>
-
+{{% if not XCCDF_VARIABLE or (XCCDF_VARIABLE and not EMBEDDED_DATA) %}}
   <ind:yamlfilecontent_test id="test_{{{ rule_id }}}" check="all" check_existence="{{{ CHECK_EXISTENCE|default("only_one_exists") }}}"
     {{{ {'comment': "In the file '" + FILEPATH + "' find only one object at path '" + YAMLPATH + "'."}|xmlattr }}} version="1">
     <ind:object object_ref="object_{{{ rule_id }}}"/>
     <ind:state state_ref="state_{{{ rule_id }}}"/>
   </ind:yamlfilecontent_test>
+{{% else %}}
+  <ind:variable_test id="test_{{{ rule_id }}}" check="all" check_existence="all_exist" comment="comment1" version="1">
+    <ind:object object_ref="variable_object_{{{ rule_id }}}" />
+    <ind:state state_ref="variable_state_{{{ rule_id }}}" />
+  </ind:variable_test>
+
+  <ind:variable_object id="variable_object_{{{ rule_id }}}" version="1">
+    <ind:var_ref>local_variable_{{{ rule_id }}}</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="variable_state_{{{ rule_id }}}" version="1">
+    <ind:value datatype="string" operation="equals" var_ref="{{{ XCCDF_VARIABLE }}}"/>
+  </ind:variable_state>
+
+  {{% for val in VALUES %}}
+  <local_variable id="local_variable_{{{ rule_id }}}" datatype="string" comment="comment1" version="1">
+    <regex_capture pattern='{{{ val.value }}}'>
+       <object_component item_field="value" record_field="#" object_ref="object_{{{ rule_id }}}" />
+    </regex_capture>
+  </local_variable>
+  {{% endfor %}}
+
+{{% endif %}}
+
+{{% if XCCDF_VARIABLE %}}
+  <external_variable comment="variable" datatype="string" id="{{{ XCCDF_VARIABLE }}}" version="1" />
+{{% endif %}}
 
   {{% if OCP_DATA %}}
   <unix:file_test id="test_file_for_{{{ rule_id }}}" check="all" check_existence="only_one_exists"
@@ -48,17 +75,24 @@
     <ind:yamlpath>{{{ YAMLPATH }}}</ind:yamlpath>
   </ind:yamlfilecontent_object>
 
+  {{% if not XCCDF_VARIABLE or (XCCDF_VARIABLE and not EMBEDDED_DATA) %}}
   <ind:yamlfilecontent_state id="state_{{{ rule_id }}}" version="1">
     <ind:value datatype="record"{{% if ENTITY_CHECK %}} entity_check="{{{ ENTITY_CHECK }}}"{{% endif %}}>
+      {{% if XCCDF_VARIABLE and not EMBEDDED_DATA %}}
+      <field {{{ {'name': (VALUES|first).key|default("#")|escape_yaml_key, 'datatype': (VALUES|first).type|default("string"), 'operation': 'equals'}|xmlattr }}} var_ref="{{{ XCCDF_VARIABLE }}}" />
+      {{% else %}}
       {{% for val in VALUES %}}
       <field {{{ {'name': val.key|default("#")|escape_yaml_key, 'datatype': val.type,  'operation':  val.operation, 'entity_check': val.entity_check}|xmlattr }}}>{{{ val.value }}}</field>
       {{% endfor %}}
+      {{% endif %}}
     </ind:value>
   </ind:yamlfilecontent_state>
+  {{% endif %}}
 
   {{% if OCP_DATA %}}
   <external_variable comment="Root of OCP data dump" datatype="string" id="ocp_data_root" version="1" />
   {{% endif %}}
 
 </def-group>
 {{% endif %}}
+
diff --git a/shared/templates/yamlfile_value/template.py b/shared/templates/yamlfile_value/template.py
@@ -1,3 +1,12 @@
 def preprocess(data, lang):
+
+    if data.get("xccdf_variable") and data.get("embedded_data") == "true":
+        if not data.get("values"):
+            raise ValueError(
+                "You should specify a capture regex in the 'value' field "
+                "when querying for a 'xccdf_value' that returns an embedded value. "
+                "Rule ID: {}".format(data["_rule_id"]))
+
+    data["embedded_data"] = data.get("embedded_data", "false") == "true"
     data["ocp_data"] = data.get("ocp_data", "false") == "true"
     return data