Skip to content

Refactor OCIL macros for installed/removed packages + rules#14595

Merged
Mab879 merged 1 commit intoComplianceAsCode:masterfrom
macko1:fix_8579
Mar 27, 2026
Merged

Refactor OCIL macros for installed/removed packages + rules#14595
Mab879 merged 1 commit intoComplianceAsCode:masterfrom
macko1:fix_8579

Conversation

@macko1
Copy link
Copy Markdown
Collaborator

@macko1 macko1 commented Mar 24, 2026
edited
Loading

Description:

  • Refactored shared/macros/10-ocil.jinja to unify OCIL instructions and clauses for package installation and removal.

  • Replaced the old complete_ocil_entry_package with:

    • complete_ocil_entry_package_installed(package) — rule requires the package to be installed (finding: package not installed).
    • complete_ocil_entry_package_removed(package) — rule requires the package to be absent (finding: package still installed).

  • Updated affected rule.yml files to call the appropriate macro.

  • Updated the playbook builder unit test fixture under tests/unit/ssg-module/test_playbook_builder_data/ so the checked rule matches the new macro call.

  • Updated rule product-related variables and conditions to match a single style, and updated the rules themselves to match.

  • Updated .claude/CLAUDE.md macro cheat sheet to reflect the new macros.
    Example of rendered OCIL in the data stream (typical package-removed rule):

         <ocil:boolean_question id="ocil:ssg-package_avahi_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the avahi package is installed:
-$ rpm -q avahi
-      Is it the case that the package is installed?
+          <ocil:question_text>Run the following command to determine if the avahi package is installed: $ rpm -q avahi
+      Is it the case that the avahi package is installed?
       </ocil:question_text>
         </ocil:boolean_question>

The following rules do not use complete_ocil_entry_package_installed / complete_ocil_entry_package_removed because their checks are not a single “is this package installed or removed” case (services, or multiple packages with custom OCIL):

  1. linux_os/guide/system/network/network-susefirewall2/susefirewall2_ddos_protection/rule.yml
  2. linux_os/guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml
  3. linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml (inline multi-package OCIL; aligned with the new check wording)

Rationale:

  • Macro usage was inconsistent; many rules used inline OCIL for packages.

  • Some ocil_clause text did not match rule intent (installed vs removed).

  • The previous complete_ocil_entry_package path did not clearly separate installed vs removed package checks.

  • The product-related variables were inconsistent, conditionals that set them were being duplicated.

  • Fixes Update OCIL macro for package removed rules #8579

Review Hints:

  • Build at least all products so Jinja renders the OCIL macros:

    $ ./build_product --datastream-only

  • Compare OCIL in data streams before and after the change (e.g. diff on built XML or utils/ds_compare.py).

  • Run unit tests, for example:

    $ pytest tests/unit/ssg-module/ -q --tb=short

  • Confirm ./build_product succeeds on the PR branch.

  • Manually review the affected rules.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 24, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Mar 24, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 24, 2026
edited
Loading

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed' differs.
--- ocil:ssg-package_aide_installed_ocil:questionnaire:1
+++ ocil:ssg-package_aide_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the aide package is installed: $ rpm -q aide
-      Is it the case that the package is not installed?
+      Is it the case that the aide package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed' differs.
--- ocil:ssg-package_crypto-policies_installed_ocil:questionnaire:1
+++ ocil:ssg-package_crypto-policies_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the crypto-policies package is installed: $ rpm -q crypto-policies
-      Is it the case that the package is not installed?
+      Is it the case that the crypto-policies package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed' differs.
--- ocil:ssg-package_mcafeetp_installed_ocil:questionnaire:1
+++ ocil:ssg-package_mcafeetp_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP
-      Is it the case that the package is not installed?
+      Is it the case that the McAfeeTP package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' differs.
--- ocil:ssg-package_sudo_installed_ocil:questionnaire:1
+++ ocil:ssg-package_sudo_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the sudo package is installed: $ rpm -q sudo
-      Is it the case that the package is not installed?
+      Is it the case that the sudo package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_binutils_installed' differs.
--- ocil:ssg-package_binutils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_binutils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the binutils package is installed: $ rpm -q binutils
-      Is it the case that the package is not installed?
+      Is it the case that the binutils package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed' differs.
--- ocil:ssg-package_dnf-plugin-subscription-manager_installed_ocil:questionnaire:1
+++ ocil:ssg-package_dnf-plugin-subscription-manager_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the dnf-plugin-subscription-manager package is installed: $ rpm -q dnf-plugin-subscription-manager
-      Is it the case that the package is not installed?
+      Is it the case that the dnf-plugin-subscription-manager package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed' differs.
--- ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils
-      Is it the case that the package is not installed?
+      Is it the case that the gnutls-utils package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed' differs.
--- ocil:ssg-package_libcap-ng-utils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_libcap-ng-utils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils
-      Is it the case that the package is not installed?
+      Is it the case that the libcap-ng-utils package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed' differs.
--- ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1
+++ ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools
-      Is it the case that the package is not installed?
+      Is it the case that the nss-tools package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed' differs.
--- ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1
+++ ocil:ssg-package_openscap-scanner_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner
-      Is it the case that the package is not installed?
+      Is it the case that the openscap-scanner package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rear_installed' differs.
--- ocil:ssg-package_rear_installed_ocil:questionnaire:1
+++ ocil:ssg-package_rear_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the rear package is installed: $ rpm -q rear
-      Is it the case that the package is not installed?
+      Is it the case that the rear package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' differs.
--- ocil:ssg-package_rng-tools_installed_ocil:questionnaire:1
+++ ocil:ssg-package_rng-tools_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools
-      Is it the case that the package is not installed?
+      Is it the case that the rng-tools package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed' differs.
--- ocil:ssg-package_scap-security-guide_installed_ocil:questionnaire:1
+++ ocil:ssg-package_scap-security-guide_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide
-      Is it the case that the package is not installed?
+      Is it the case that the scap-security-guide package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed' differs.
--- ocil:ssg-package_subscription-manager_installed_ocil:questionnaire:1
+++ ocil:ssg-package_subscription-manager_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the subscription-manager package is installed: $ rpm -q subscription-manager
-      Is it the case that the package is not installed?
+      Is it the case that the subscription-manager package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_tar_installed' differs.
--- ocil:ssg-package_tar_installed_ocil:questionnaire:1
+++ ocil:ssg-package_tar_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the tar package is installed: $ rpm -q tar
-      Is it the case that the package is not installed?
+      Is it the case that the tar package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_vim_installed' differs.
--- ocil:ssg-package_vim_installed_ocil:questionnaire:1
+++ ocil:ssg-package_vim_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the vim-enhanced package is installed: $ rpm -q vim-enhanced
-      Is it the case that the package is not installed?
+      Is it the case that the vim-enhanced package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed' differs.
--- ocil:ssg-package_abrt-addon-ccpp_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-addon-ccpp_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-addon-ccpp package is installed:
-$ rpm -q abrt-addon-ccpp
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-addon-ccpp package is installed: $ rpm -q abrt-addon-ccpp
+      Is it the case that the abrt-addon-ccpp package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed' differs.
--- ocil:ssg-package_abrt-addon-kerneloops_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-addon-kerneloops_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-addon-kerneloops package is installed:
-$ rpm -q abrt-addon-kerneloops
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-addon-kerneloops package is installed: $ rpm -q abrt-addon-kerneloops
+      Is it the case that the abrt-addon-kerneloops package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed' differs.
--- ocil:ssg-package_abrt-cli_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-cli_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-cli package is installed:
-$ rpm -q abrt-cli
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-cli package is installed: $ rpm -q abrt-cli
+      Is it the case that the abrt-cli package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed' differs.
--- ocil:ssg-package_abrt-plugin-logger_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-plugin-logger_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-plugin-logger package is installed:
-$ rpm -q abrt-plugin-logger
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-plugin-logger package is installed: $ rpm -q abrt-plugin-logger
+      Is it the case that the abrt-plugin-logger package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed' differs.
--- ocil:ssg-package_abrt-plugin-rhtsupport_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-plugin-rhtsupport_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-plugin-rhtsupport package is installed:
-$ rpm -q abrt-plugin-rhtsupport
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-plugin-rhtsupport package is installed: $ rpm -q abrt-plugin-rhtsupport
+      Is it the case that the abrt-plugin-rhtsupport package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed' differs.
--- ocil:ssg-package_abrt-plugin-sosreport_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt-plugin-sosreport_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt-plugin-sosreport package is installed:
-$ rpm -q abrt-plugin-sosreport
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt-plugin-sosreport package is installed: $ rpm -q abrt-plugin-sosreport
+      Is it the case that the abrt-plugin-sosreport package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-city_removed' differs.
--- ocil:ssg-package_geolite2-city_removed_ocil:questionnaire:1
+++ ocil:ssg-package_geolite2-city_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the geolite2-city package is installed:
-$ rpm -q geolite2-city
-      Is it the case that the package is installed?
+Run the following command to determine if the geolite2-city package is installed: $ rpm -q geolite2-city
+      Is it the case that the geolite2-city package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_geolite2-country_removed' differs.
--- ocil:ssg-package_geolite2-country_removed_ocil:questionnaire:1
+++ ocil:ssg-package_geolite2-country_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the geolite2-country package is installed:
-$ rpm -q geolite2-country
-      Is it the case that the package is installed?
+Run the following command to determine if the geolite2-country package is installed: $ rpm -q geolite2-country
+      Is it the case that the geolite2-country package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' differs.
--- ocil:ssg-package_gssproxy_removed_ocil:questionnaire:1
+++ ocil:ssg-package_gssproxy_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the gssproxy package is installed:
-$ rpm -q gssproxy
-      Is it the case that the package is installed?
+Run the following command to determine if the gssproxy package is installed: $ rpm -q gssproxy
+      Is it the case that the gssproxy package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_iprutils_removed' differs.
--- ocil:ssg-package_iprutils_removed_ocil:questionnaire:1
+++ ocil:ssg-package_iprutils_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the iprutils package is installed:
-$ rpm -q iprutils
-      Is it the case that the package is installed?
+Run the following command to determine if the iprutils package is installed: $ rpm -q iprutils
+      Is it the case that the iprutils package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed' differs.
--- ocil:ssg-package_krb5-workstation_removed_ocil:questionnaire:1
+++ ocil:ssg-package_krb5-workstation_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the krb5-workstation package is installed:
-$ rpm -q krb5-workstation
-      Is it the case that the package is installed?
+Run the following command to determine if the krb5-workstation package is installed: $ rpm -q krb5-workstation
+      Is it the case that the krb5-workstation package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed' differs.
--- ocil:ssg-package_libreport-plugin-logger_removed_ocil:questionnaire:1
+++ ocil:ssg-package_libreport-plugin-logger_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the libreport-plugin-logger package is installed:
-$ rpm -q libreport-plugin-logger
-      Is it the case that the package is installed?
+Run the following command to determine if the libreport-plugin-logger package is installed: $ rpm -q libreport-plugin-logger
+      Is it the case that the libreport-plugin-logger package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed' differs.
--- ocil:ssg-package_libreport-plugin-rhtsupport_removed_ocil:questionnaire:1
+++ ocil:ssg-package_libreport-plugin-rhtsupport_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the libreport-plugin-rhtsupport package is installed:
-$ rpm -q libreport-plugin-rhtsupport
-      Is it the case that the package is installed?
+Run the following command to determine if the libreport-plugin-rhtsupport package is installed: $ rpm -q libreport-plugin-rhtsupport
+      Is it the case that the libreport-plugin-rhtsupport package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_pigz_removed' differs.
--- ocil:ssg-package_pigz_removed_ocil:questionnaire:1
+++ ocil:ssg-package_pigz_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the pigz package is installed:
-$ rpm -q pigz
-      Is it the case that the package is installed?
+Run the following command to determine if the pigz package is installed: $ rpm -q pigz
+      Is it the case that the pigz package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed' differs.
--- ocil:ssg-package_python3-abrt-addon_removed_ocil:questionnaire:1
+++ ocil:ssg-package_python3-abrt-addon_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the python3-abrt-addon package is installed:
-$ rpm -q python3-abrt-addon
-      Is it the case that the package is installed?
+Run the following command to determine if the python3-abrt-addon package is installed: $ rpm -q python3-abrt-addon
+      Is it the case that the python3-abrt-addon package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed' differs.
--- ocil:ssg-package_tuned_removed_ocil:questionnaire:1
+++ ocil:ssg-package_tuned_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the tuned package is installed:
-$ rpm -q tuned
-      Is it the case that the package is installed?
+Run the following command to determine if the tuned package is installed: $ rpm -q tuned
+      Is it the case that the tuned package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed' differs.
--- ocil:ssg-package_dnf-automatic_installed_ocil:questionnaire:1
+++ ocil:ssg-package_dnf-automatic_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic
-      Is it the case that the package is not installed?
+      Is it the case that the dnf-automatic package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_authselect_installed' differs.
--- ocil:ssg-package_authselect_installed_ocil:questionnaire:1
+++ ocil:ssg-package_authselect_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the authselect package is installed: $ rpm -q authselect
-      Is it the case that the package is not installed?
+      Is it the case that the authselect package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_pam_installed' differs.
--- ocil:ssg-package_pam_installed_ocil:questionnaire:1
+++ ocil:ssg-package_pam_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the pam package is installed: $ rpm -q pam
-      Is it the case that the package is not installed?
+      Is it the case that the pam package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed' differs.
--- ocil:ssg-package_pam_pwquality_installed_ocil:questionnaire:1
+++ ocil:ssg-package_pam_pwquality_installed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the libpwquality package is installed:
-$ rpm -q libpwquality
-      Is it the case that the package is not installed?
+Run the following command to determine if the libpwquality package is installed: $ rpm -q libpwquality
+      Is it the case that the libpwquality package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_tmux_installed' differs.
--- ocil:ssg-package_tmux_installed_ocil:questionnaire:1
+++ ocil:ssg-package_tmux_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the tmux package is installed: $ rpm -q tmux
-      Is it the case that the package is not installed?
+      Is it the case that the tmux package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed' differs.
--- ocil:ssg-package_opensc_installed_ocil:questionnaire:1
+++ ocil:ssg-package_opensc_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the opensc package is installed: $ rpm -q opensc
-      Is it the case that the package is not installed?
+      Is it the case that the opensc package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed' differs.
--- ocil:ssg-package_pcsc-lite_installed_ocil:questionnaire:1
+++ ocil:ssg-package_pcsc-lite_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite
-      Is it the case that the package is not installed?
+      Is it the case that the pcsc-lite package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages' differs.
--- ocil:ssg-install_smartcard_packages_ocil:questionnaire:1
+++ ocil:ssg-install_smartcard_packages_ocil:questionnaire:1
@@ -1,6 +1,6 @@
 Check that Red Hat Enterprise Linux 8 has the packages for smart card support installed.
 
-Run the following command to determine if the openssl-pkcs11 package is installed:
-$ rpm -q openssl-pkcs11
+
+Run the following command to determine if the openssl-pkcs11 package is installed: $ rpm -q openssl-pkcs11
       Is it the case that smartcard software is not installed?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'.
--- xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
+++ xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
@@ -4,7 +4,6 @@
 
 [description]:
 TLS protocol support for rsyslog is installed.
-
 The rsyslog-gnutls package can be installed with the following command:
 
 $ sudo yum install rsyslog-gnutls

OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed' differs.
--- ocil:ssg-package_rsyslog-gnutls_installed_ocil:questionnaire:1
+++ ocil:ssg-package_rsyslog-gnutls_installed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the rsyslog-gnutls package is installed:
-$ rpm -q rsyslog-gnutls
-      Is it the case that the package is installed?
+Run the following command to determine if the rsyslog-gnutls package is installed: $ rpm -q rsyslog-gnutls
+      Is it the case that the rsyslog-gnutls package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed' differs.
--- ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1
+++ ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog
-      Is it the case that the package is not installed?
+      Is it the case that the rsyslog package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed' differs.
--- ocil:ssg-package_systemd-journal-remote_installed_ocil:questionnaire:1
+++ ocil:ssg-package_systemd-journal-remote_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the systemd-journal-remote package is installed: $ rpm -q systemd-journal-remote
-      Is it the case that the package is not installed?
+      Is it the case that the systemd-journal-remote package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_logrotate_installed' differs.
--- ocil:ssg-package_logrotate_installed_ocil:questionnaire:1
+++ ocil:ssg-package_logrotate_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the logrotate package is installed: $ rpm -q logrotate
-      Is it the case that the package is not installed?
+      Is it the case that the logrotate package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_syslogng_installed' differs.
--- ocil:ssg-package_syslogng_installed_ocil:questionnaire:1
+++ ocil:ssg-package_syslogng_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core
-      Is it the case that the package is not installed?
+      Is it the case that the syslog-ng-core package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_firewalld_installed' differs.
--- ocil:ssg-package_firewalld_installed_ocil:questionnaire:1
+++ ocil:ssg-package_firewalld_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld
-      Is it the case that the package is not installed?
+      Is it the case that the firewalld package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_libreswan_installed' differs.
--- ocil:ssg-package_libreswan_installed_ocil:questionnaire:1
+++ ocil:ssg-package_libreswan_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan
-      Is it the case that the package is not installed?
+      Is it the case that the libreswan package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' differs.
--- ocil:ssg-package_iptables_installed_ocil:questionnaire:1
+++ ocil:ssg-package_iptables_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the iptables package is installed: $ rpm -q iptables
-      Is it the case that the package is not installed?
+      Is it the case that the iptables package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_nftables_installed' differs.
--- ocil:ssg-package_nftables_installed_ocil:questionnaire:1
+++ ocil:ssg-package_nftables_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the nftables package is installed: $ rpm -q nftables
-      Is it the case that the package is not installed?
+      Is it the case that the nftables package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed' differs.
--- ocil:ssg-package_libselinux_installed_ocil:questionnaire:1
+++ ocil:ssg-package_libselinux_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux
-      Is it the case that the package is not installed?
+      Is it the case that the libselinux package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed' differs.
--- ocil:ssg-package_policycoreutils-python-utils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_policycoreutils-python-utils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the policycoreutils-python-utils package is installed: $ rpm -q policycoreutils-python-utils
-      Is it the case that the package is not installed?
+      Is it the case that the policycoreutils-python-utils package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed' differs.
--- ocil:ssg-package_setroubleshoot-plugins_removed_ocil:questionnaire:1
+++ ocil:ssg-package_setroubleshoot-plugins_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the setroubleshoot-plugins package is installed:
-$ rpm -q setroubleshoot-plugins
-      Is it the case that the package is installed?
+Run the following command to determine if the setroubleshoot-plugins package is installed: $ rpm -q setroubleshoot-plugins
+      Is it the case that the setroubleshoot-plugins package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed' differs.
--- ocil:ssg-package_setroubleshoot-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_setroubleshoot-server_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the setroubleshoot-server package is installed:
-$ rpm -q setroubleshoot-server
-      Is it the case that the package is installed?
+Run the following command to determine if the setroubleshoot-server package is installed: $ rpm -q setroubleshoot-server
+      Is it the case that the setroubleshoot-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_avahi-autoipd_removed' differs.
--- ocil:ssg-package_avahi-autoipd_removed_ocil:questionnaire:1
+++ ocil:ssg-package_avahi-autoipd_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the avahi-autoipd package is installed:
-$ rpm -q avahi-autoipd
-      Is it the case that the package is installed?
+Run the following command to determine if the avahi-autoipd package is installed: $ rpm -q avahi-autoipd
+      Is it the case that the avahi-autoipd package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_avahi_removed' differs.
--- ocil:ssg-package_avahi_removed_ocil:questionnaire:1
+++ ocil:ssg-package_avahi_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the avahi package is installed:
-$ rpm -q avahi
-      Is it the case that the package is installed?
+Run the following command to determine if the avahi package is installed: $ rpm -q avahi
+      Is it the case that the avahi package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_psacct_installed' differs.
--- ocil:ssg-package_psacct_installed_ocil:questionnaire:1
+++ ocil:ssg-package_psacct_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the psacct package is installed: $ rpm -q psacct
-      Is it the case that the package is not installed?
+      Is it the case that the psacct package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_abrt_removed' differs.
--- ocil:ssg-package_abrt_removed_ocil:questionnaire:1
+++ ocil:ssg-package_abrt_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the abrt package is installed:
-$ rpm -q abrt
-      Is it the case that the package is installed?
+Run the following command to determine if the abrt package is installed: $ rpm -q abrt
+      Is it the case that the abrt package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- ocil:ssg-package_cron_installed_ocil:questionnaire:1
+++ ocil:ssg-package_cron_installed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the cronie package is installed:
-$ rpm -q cronie
-      Is it the case that the package is installed?
+Run the following command to determine if the cronie package is installed: $ rpm -q cronie
+      Is it the case that the cronie package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_disable_anacron' differs.
--- ocil:ssg-disable_anacron_ocil:questionnaire:1
+++ ocil:ssg-disable_anacron_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the cronie-anacron package is installed:
-$ rpm -q cronie-anacron
-      Is it the case that the package is installed?
+Run the following command to determine if the cronie-anacron package is installed: $ rpm -q cronie-anacron
+      Is it the case that the cronie-anacron package is installed?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_dhcp_removed'.
--- xccdf_org.ssgproject.content_rule_package_dhcp_removed
+++ xccdf_org.ssgproject.content_rule_package_dhcp_removed
@@ -4,8 +4,7 @@
 
 [description]:
 If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
+the dhcp-server package can be uninstalled.
 The dhcp-server package can be removed with the following command:
 
 $ sudo yum erase dhcp-server

OCIL for rule 'xccdf_org.ssgproject.content_rule_package_dhcp_removed' differs.
--- ocil:ssg-package_dhcp_removed_ocil:questionnaire:1
+++ ocil:ssg-package_dhcp_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the dhcp-server package is installed:
-$ rpm -q dhcp-server
-      Is it the case that the package is installed?
+Run the following command to determine if the dhcp-server package is installed: $ rpm -q dhcp-server
+      Is it the case that the dhcp-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed' differs.
--- ocil:ssg-package_dnsmasq_removed_ocil:questionnaire:1
+++ ocil:ssg-package_dnsmasq_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the dnsmasq package is installed:
-$ rpm -q dnsmasq
-      Is it the case that the package is installed?
+Run the following command to determine if the dnsmasq package is installed: $ rpm -q dnsmasq
+      Is it the case that the dnsmasq package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_bind_removed' differs.
--- ocil:ssg-package_bind_removed_ocil:questionnaire:1
+++ ocil:ssg-package_bind_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the bind package is installed:
-$ rpm -q bind
-      Is it the case that the package is installed?
+Run the following command to determine if the bind package is installed: $ rpm -q bind
+      Is it the case that the bind package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' differs.
--- ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1
+++ ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the vsftpd package is installed:
-$ rpm -q vsftpd
-      Is it the case that the package is installed?
+Run the following command to determine if the vsftpd package is installed: $ rpm -q vsftpd
+      Is it the case that the vsftpd package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_httpd_removed' differs.
--- ocil:ssg-package_httpd_removed_ocil:questionnaire:1
+++ ocil:ssg-package_httpd_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the httpd package is installed:
-$ rpm -q httpd
-      Is it the case that the package is installed?
+Run the following command to determine if the httpd package is installed: $ rpm -q httpd
+      Is it the case that the httpd package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_nginx_removed' differs.
--- ocil:ssg-package_nginx_removed_ocil:questionnaire:1
+++ ocil:ssg-package_nginx_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the nginx package is installed:
-$ rpm -q nginx
-      Is it the case that the package is installed?
+Run the following command to determine if the nginx package is installed: $ rpm -q nginx
+      Is it the case that the nginx package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_cyrus-imapd_removed' differs.
--- ocil:ssg-package_cyrus-imapd_removed_ocil:questionnaire:1
+++ ocil:ssg-package_cyrus-imapd_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the cyrus-imapd package is installed:
-$ rpm -q cyrus-imapd
-      Is it the case that the package is installed?
+Run the following command to determine if the cyrus-imapd package is installed: $ rpm -q cyrus-imapd
+      Is it the case that the cyrus-imapd package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_dovecot_removed' differs.
--- ocil:ssg-package_dovecot_removed_ocil:questionnaire:1
+++ ocil:ssg-package_dovecot_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the dovecot package is installed:
-$ rpm -q dovecot
-      Is it the case that the package is installed?
+Run the following command to determine if the dovecot package is installed: $ rpm -q dovecot
+      Is it the case that the dovecot package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' differs.
--- ocil:ssg-package_krb5-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_krb5-server_removed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the krb5-server package is installed: $ rpm -q krb5-server
-      Is it the case that the package is installed?
+      Is it the case that the krb5-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed' differs.
--- ocil:ssg-package_openldap-clients_removed_ocil:questionnaire:1
+++ ocil:ssg-package_openldap-clients_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the openldap-clients package is installed:
-$ rpm -q openldap-clients
-      Is it the case that the package is installed?
+Run the following command to determine if the openldap-clients package is installed: $ rpm -q openldap-clients
+      Is it the case that the openldap-clients package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed' differs.
--- ocil:ssg-package_openldap-servers_removed_ocil:questionnaire:1
+++ ocil:ssg-package_openldap-servers_removed_ocil:questionnaire:1
@@ -1,7 +1,3 @@
-To verify the openldap-servers package is not installed, run the
-following command:
-$ rpm -q openldap-servers
-The output should show the following:
-package openldap-servers is not installed
-      Is it the case that it does not?
+Run the following command to determine if the openldap-servers package is installed: $ rpm -q openldap-servers
+      Is it the case that the openldap-servers package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_mailx_installed' differs.
--- ocil:ssg-package_mailx_installed_ocil:questionnaire:1
+++ ocil:ssg-package_mailx_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the mailx package is installed: $ rpm -q mailx
-      Is it the case that the package is not installed?
+      Is it the case that the mailx package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_postfix_installed' differs.
--- ocil:ssg-package_postfix_installed_ocil:questionnaire:1
+++ ocil:ssg-package_postfix_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the postfix package is installed: $ rpm -q postfix
-      Is it the case that the package is not installed?
+      Is it the case that the postfix package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' differs.
--- ocil:ssg-package_sendmail_removed_ocil:questionnaire:1
+++ ocil:ssg-package_sendmail_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the sendmail package is installed:
-$ rpm -q sendmail
-      Is it the case that the package is installed?
+Run the following command to determine if the sendmail package is installed: $ rpm -q sendmail
+      Is it the case that the sendmail package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_nfs-utils_removed' differs.
--- ocil:ssg-package_nfs-utils_removed_ocil:questionnaire:1
+++ ocil:ssg-package_nfs-utils_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the nfs-utils package is installed:
-$ rpm -q nfs-utils
-      Is it the case that the package is installed?
+Run the following command to determine if the nfs-utils package is installed: $ rpm -q nfs-utils
+      Is it the case that the nfs-utils package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed' differs.
--- ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1
+++ ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the rpcbind package is installed:
-$ rpm -q rpcbind
-      Is it the case that the package is installed?
+Run the following command to determine if the rpcbind package is installed: $ rpm -q rpcbind
+      Is it the case that the rpcbind package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_chrony_installed' differs.
--- ocil:ssg-package_chrony_installed_ocil:questionnaire:1
+++ ocil:ssg-package_chrony_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the chrony package is installed: $ rpm -q chrony
-      Is it the case that the package is not installed?
+      Is it the case that the chrony package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_ntp_installed' differs.
--- ocil:ssg-package_ntp_installed_ocil:questionnaire:1
+++ ocil:ssg-package_ntp_installed_ocil:questionnaire:1
@@ -1,5 +1,3 @@
-
-Run the following command to determine if the ntp package is installed:
-  $ rpm -q ntp
-      Is it the case that the package is not installed?
+Run the following command to determine if the ntp package is installed: $ rpm -q ntp
+      Is it the case that the ntp package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rsync_removed' differs.
--- ocil:ssg-package_rsync_removed_ocil:questionnaire:1
+++ ocil:ssg-package_rsync_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the rsync-daemon package is installed:
-$ rpm -q rsync-daemon
-      Is it the case that the package is installed?
+Run the following command to determine if the rsync-daemon package is installed: $ rpm -q rsync-daemon
+      Is it the case that the rsync-daemon package is installed?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_xinetd_removed'.
--- xccdf_org.ssgproject.content_rule_package_xinetd_removed
+++ xccdf_org.ssgproject.content_rule_package_xinetd_removed
@@ -1,6 +1,6 @@
 
 [title]:
-Uninstall xinetd Package
+Uninstall xinetd package if not used by network services
 
 [description]:
 The xinetd package can be removed with the following command:

OCIL for rule 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' differs.
--- ocil:ssg-package_xinetd_removed_ocil:questionnaire:1
+++ ocil:ssg-package_xinetd_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the xinetd package is installed:
-$ rpm -q xinetd
-      Is it the case that the package is installed?
+Run the following command to determine if the xinetd package is installed: $ rpm -q xinetd
+      Is it the case that the xinetd package is installed and the network services are not using the xinetd service?
       
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' differs.
--- xccdf_org.ssgproject.content_rule_package_xinetd_removed
+++ xccdf_org.ssgproject.content_rule_package_xinetd_removed
@@ -15,7 +15,8 @@
   - no_reboot_needed
   - package_xinetd_removed
 
-- name: 'Uninstall xinetd Package: Ensure xinetd is removed'
+- name: 'Uninstall xinetd package if not used by network services: Ensure xinetd is
+    removed'
   ansible.builtin.package:
     name: xinetd
     state: absent

OCIL for rule 'xccdf_org.ssgproject.content_rule_package_ypserv_removed' differs.
--- ocil:ssg-package_ypserv_removed_ocil:questionnaire:1
+++ ocil:ssg-package_ypserv_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the ypserv package is installed:
-$ rpm -q ypserv
-      Is it the case that the package is installed?
+Run the following command to determine if the ypserv package is installed: $ rpm -q ypserv
+      Is it the case that the ypserv package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' differs.
--- ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the rsh-server package is installed:
-$ rpm -q rsh-server
-      Is it the case that the package is installed?
+Run the following command to determine if the rsh-server package is installed: $ rpm -q rsh-server
+      Is it the case that the rsh-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_talk-server_removed' differs.
--- ocil:ssg-package_talk-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_talk-server_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the talk-server package is installed:
-$ rpm -q talk-server
-      Is it the case that the package is installed?
+Run the following command to determine if the talk-server package is installed: $ rpm -q talk-server
+      Is it the case that the talk-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_talk_removed' differs.
--- ocil:ssg-package_talk_removed_ocil:questionnaire:1
+++ ocil:ssg-package_talk_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the talk package is installed:
-$ rpm -q talk
-      Is it the case that the package is installed?
+Run the following command to determine if the talk package is installed: $ rpm -q talk
+      Is it the case that the talk package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' differs.
--- ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the telnet-server package is installed:
-$ rpm -q telnet-server
-      Is it the case that the package is installed?
+Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server
+      Is it the case that the telnet-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' differs.
--- ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_tftp-server_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the tftp-server package is installed:
-$ rpm -q tftp-server
-      Is it the case that the package is installed?
+Run the following command to determine if the tftp-server package is installed: $ rpm -q tftp-server
+      Is it the case that the tftp-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_cups_removed' differs.
--- ocil:ssg-package_cups_removed_ocil:questionnaire:1
+++ ocil:ssg-package_cups_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the cups package is installed:
-$ rpm -q cups
-      Is it the case that the package is installed?
+Run the following command to determine if the cups package is installed: $ rpm -q cups
+      Is it the case that the cups package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_squid_removed' differs.
--- ocil:ssg-package_squid_removed_ocil:questionnaire:1
+++ ocil:ssg-package_squid_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the squid package is installed:
-$ rpm -q squid
-      Is it the case that the package is installed?
+Run the following command to determine if the squid package is installed: $ rpm -q squid
+      Is it the case that the squid package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_freeradius_removed' differs.
--- ocil:ssg-package_freeradius_removed_ocil:questionnaire:1
+++ ocil:ssg-package_freeradius_removed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the freeradius package is installed: $ rpm -q freeradius
-      Is it the case that the package is installed?
+      Is it the case that the freeradius package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_quagga_removed' differs.
--- ocil:ssg-package_quagga_removed_ocil:questionnaire:1
+++ ocil:ssg-package_quagga_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the quagga package is installed:
-$ rpm -q quagga
-      Is it the case that the package is installed?
+Run the following command to determine if the quagga package is installed: $ rpm -q quagga
+      Is it the case that the quagga package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_samba-common_installed' differs.
--- ocil:ssg-package_samba-common_installed_ocil:questionnaire:1
+++ ocil:ssg-package_samba-common_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common
-      Is it the case that the package is not installed?
+      Is it the case that the samba-common package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_samba_removed' differs.
--- ocil:ssg-package_samba_removed_ocil:questionnaire:1
+++ ocil:ssg-package_samba_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the samba package is installed:
-$ rpm -q samba
-      Is it the case that the package is installed?
+Run the following command to determine if the samba package is installed: $ rpm -q samba
+      Is it the case that the samba package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed' differs.
--- ocil:ssg-package_net-snmp_removed_ocil:questionnaire:1
+++ ocil:ssg-package_net-snmp_removed_ocil:questionnaire:1
@@ -1,4 +1,3 @@
-Run the following command to determine if the net-snmp package is installed:
-$ rpm -q net-snmp
-      Is it the case that the package is installed?
+Run the following command to determine if the net-snmp package is installed: $ rpm -q net-snmp
+      Is it the case that the net-snmp package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openssh-clients_installed' differs.
--- ocil:ssg-package_openssh-clients_installed_ocil:questionnaire:1
+++ ocil:ssg-package_openssh-clients_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the openssh-clients package is installed: $ rpm -q openssh-clients
-      Is it the case that the package is not installed?
+      Is it the case that the openssh-clients package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed' differs.
--- ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1
+++ ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
-      Is it the case that the package is not installed?
+      Is it the case that the openssh-server package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_openssh-server_removed' differs.
--- ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1
+++ ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
-      Is it the case that the package is installed?
+      Is it the case that the openssh-server package is installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_sssd-ipa_installed' differs.
--- ocil:ssg-package_sssd-ipa_installed_ocil:questionnaire:1
+++ ocil:ssg-package_sssd-ipa_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa
-      Is it the case that the package is not installed?
+      Is it the case that the sssd-ipa package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs.
--- ocil:ssg-package_sssd_installed_ocil:questionnaire:1
+++ ocil:ssg-package_sssd_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the sssd package is installed: $ rpm -q sssd
-      Is it the case that the package is not installed?
+      Is it the case that the sssd package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed' differs.
--- ocil:ssg-package_usbguard_installed_ocil:questionnaire:1
+++ ocil:ssg-package_usbguard_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the usbguard package is installed: $ rpm -q usbguard
-      Is it the case that the package is not installed?
+      Is it the case that the usbguard package is not installed?
       
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed' differs.
--- ocil:ssg-package_audispd-plugins_installed_ocil:questionnaire:1
+++ ocil:ssg-package_audispd-plugins_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins
-      Is it the case that the package is not installed?
+      Is it the case that the audispd-plugins package is not installed?

@macko1 macko1 force-pushed the fix_8579 branch 2 times, most recently from ebb6c1f to 2a51cab Compare March 24, 2026 11:35
@macko1 macko1 assigned macko1 and unassigned macko1 Mar 24, 2026
@Mab879 Mab879 added this to the 0.1.81 milestone Mar 24, 2026
@Mab879 Mab879 self-assigned this Mar 24, 2026
@macko1 macko1 marked this pull request as ready for review March 24, 2026 18:28
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 24, 2026
@macko1 macko1 added the OCIL OCIL update. Related to the systems assessments. label Mar 24, 2026
Mab879
Mab879 requested changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The RHEL comment was only first one I found, please double check and fix others in this PR.

The second comment will need some discussion.

jan-cerny
jan-cerny reviewed Mar 25, 2026
View reviewed changes
@jan-cerny jan-cerny changed the title GH-8579: Refactor package installation OCIL macros + rules Refactor package installation OCIL macros + rules Mar 25, 2026
@macko1 macko1 changed the title Refactor package installation OCIL macros + rules Refactor OCIL macros for installed/removed packages + affected rules Mar 25, 2026
@macko1 macko1 changed the title Refactor OCIL macros for installed/removed packages + affected rules Refactor OCIL macros for installed/removed packages + rules Mar 25, 2026
macko1
macko1 commented Mar 25, 2026
View reviewed changes
macko1
macko1 commented Mar 25, 2026
View reviewed changes
@macko1 macko1 marked this pull request as draft March 25, 2026 13:19
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 25, 2026
Mab879
Mab879 requested changes Mar 25, 2026
View reviewed changes
Mab879
Mab879 requested changes Mar 26, 2026
View reviewed changes
ComplianceAsCodeGH-8579: Refactor package installation OCIL macros + …
07a2481 
…rules

- `shared/macros/10-ocil.jinja`:
  - Split to `complete_ocil_entry_package_installed` and
    `complete_ocil_entry_package_removed` instead of using a single
     macro with the `bool_package_installed` argument.
- Refactor and fix the affected rules to use the new macro.
- `linux_os/guide/**/rule.yml`: update to use the new macros
- `.claude/CLAUDE.md`: update macro examples.
- `test_playbook_builder_data/guide/package_abrt_removed/rule.yml`:
  update to use the new macro.
@macko1 macko1 marked this pull request as ready for review March 26, 2026 20:42
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 26, 2026
@Mab879 Mab879 merged commit 8d1a484 into ComplianceAsCode:master Mar 27, 2026
63 of 65 checks passed
@sync-cac-oscal-bot sync-cac-oscal-bot bot mentioned this pull request Mar 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny left review comments

@Mab879 Mab879 Mab879 approved these changes

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

Assignees

@Mab879 Mab879

Labels

OCIL OCIL update. Related to the systems assessments.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

Update OCIL macro for package removed rules

3 participants

@macko1 @Mab879 @jan-cerny