
Add automatic detection of platform_package_overrides when using automatus #9897

Merged
merged 3 commits into from
Nov 30, 2022

Conversation

litios
Contributor

@litios litios commented Nov 28, 2022

Description:

  • Enable the use of platform_package_overrides product section when using automatus for rule testing.

Rationale:

Review Hints:

  • A conversation about implementing the solution with macros was discussed in issue platform_package_overrides not working with automatus #9869. I tested the proposed solution there and it works as expected.
  • Nevertheless, in PR SSGTS-specific Jinja templates #7295, it was discussed that it would be better to handle package overrides on the level of the test framework and I also prefer this approach to avoid adding the macro for all tests, which is why I implemented the solution based on this other approach.
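To make the test-framework approach concrete, the following is an added illustrative resolver, not code from this PR or from the ComplianceAsCode repository. It assumes a product section shaped like `platform_package_overrides: {platform_name: package_name}` and rule `platform:` values that are either a bare name (`audit`), a `package[name]` form, or an environment platform such as `machine`; the override values and the set of non-package platforms are constructed for the example.

```python
"""Illustrative platform -> package resolution with product-level overrides.

Constructed example for this PR discussion; it is NOT the ComplianceAsCode
test-suite implementation. Names below are assumptions for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Union

# Platforms that describe the environment rather than a package and therefore
# imply nothing to install before a test. Constructed set for this example.
NON_PACKAGE_PLATFORMS = {"machine", "container"}

# Matches the explicit 'package[name]' platform syntax.
_PACKAGE_PLATFORM = re.compile(r"^package\[(?P<name>[^\]]+)\]$")


def parse_platform_field(value: Union[str, Iterable[str], None]) -> List[str]:
    """Normalise a rule's 'platform:' value (None, 'a,b' or a list) to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [p.strip() for p in value.split(",") if p.strip()]
    return [str(p).strip() for p in value if str(p).strip()]


def platform_to_package(platform: str, overrides: Dict[str, str]) -> Optional[str]:
    """Return the package a platform implies, applying the product overrides.

    'package[foo]' resolves to 'foo' (then overrides apply to 'foo');
    environment platforms resolve to None; any other bare name is treated as a
    package name, replaced by the product override when one is defined.
    """
    name = platform.strip()
    match = _PACKAGE_PLATFORM.match(name)
    if match:
        name = match.group("name")
    elif name in NON_PACKAGE_PLATFORMS:
        return None
    return overrides.get(name, name)


def packages_for_rule(platforms: Union[str, Iterable[str], None],
                      overrides: Dict[str, str]) -> List[str]:
    """Packages the test framework would install for a rule, in first-seen order."""
    result: List[str] = []
    for platform in parse_platform_field(platforms):
        package = platform_to_package(platform, overrides)
        if package is not None and package not in result:
            result.append(package)
    return result


# Constructed sample of a product's platform_package_overrides mapping.
# The package names are assumptions chosen for illustration only.
SAMPLE_OVERRIDES = {"login_defs": "shadow-utils", "sssd": "sssd-common"}


if __name__ == "__main__":
    print(packages_for_rule("machine,login_defs", SAMPLE_OVERRIDES))
    print(packages_for_rule(["package[sssd]", "audit"], SAMPLE_OVERRIDES))
```

Resolving overrides here, once per rule in the framework, is what avoids touching every test script with a macro; the same mapping the product already uses for its generated remediations decides which package gets installed before a test runs.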

@litios litios requested review from a team as code owners November 28, 2022 10:48
@openshift-ci openshift-ci bot added the needs-ok-to-test label (Used by openshift-ci bot.) Nov 28, 2022

openshift-ci bot commented Nov 28, 2022

Hi @litios. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


github-actions bot commented Nov 28, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
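Review bot: the reorder of the `if` guard in this hunk changes evaluation order only, not the outcome: all three `&&` operands must still hold, but `rpm --quiet -q audit` now runs before the `/.dockerenv` and `/run/.containerenv` tests, so the package query is executed even inside containers where the old order short-circuited past it. The remediation result is unchanged; since the identical reorder appears in every bash remediation in this datastream diff, it is worth confirming that this side effect of the platform handling change is intended rather than accidental.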

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
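Review bot: moving `'"audit" in ansible_facts.packages'` ahead of the `ansible_virtualization_type` check in this `when:` list changes short-circuit behaviour: Ansible evaluates the conditions in list order and stops at the first false one, so on a host where `ansible_facts.packages` has not been populated (no `package_facts` task ran yet) and the virtualization check would have been false, the task now fails on an undefined attribute instead of being skipped. Worth confirming that the generated playbooks gather package facts unconditionally before these tasks, or keeping the cheaper, always-defined condition first.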
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -18,8 +18,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -154,8 +154,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - NIST-800-53-AC-2(4)
 - NIST-800-53-AC-6(9)
@@ -290,8 +290,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - NIST-800-53-AC-2(4)

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Traverse all of:
 #

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -22,8 +22,8 @@
 patterns: '*.rules'
 register: find_rules_d
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27097-5
 - CJIS-5.4.1.1
@@ -47,8 +47,8 @@
 loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']
 }}'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27097-5
 - CJIS-5.4.1.1
@@ -74,8 +74,8 @@
 - /etc/audit/audit.rules
 - /etc/audit/rules.d/immutable.rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27097-5
 - CJIS-5.4.1.1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 # Create a list of audit *.rules files that should be inspected for presence and correctness

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -23,8 +23,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27168-4
 - CJIS-5.4.1.1
@@ -47,8 +47,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -71,8 +71,8 @@
 all_files:
 - /etc/audit/rules.d/MAC-policy.rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -95,8 +95,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -121,8 +121,8 @@
 create: true
 mode: '0640'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -147,8 +147,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27168-4
 - CJIS-5.4.1.1
@@ -172,8 +172,8 @@
 create: true
 mode: '0640'
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -22,8 +22,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27447-2
 - CJIS-5.4.1.1
@@ -162,8 +162,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-27447-2
 - CJIS-5.4.1.1
@@ -302,8 +302,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - audit_arch == "b64"
 tags:
 - CCE-27447-2

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -21,8 +21,8 @@
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
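Review bot: Swapping the two `when:` items does not change the result, since Ansible ANDs the list in order, but it changes which condition is evaluated first: `'"audit" in ansible_facts.packages'` now runs before the virtualization-type check, so on a host where package facts have not been gathered the task fails on an undefined `ansible_facts.packages` instead of being skipped by the container check. Worth confirming the generated playbook still gathers package facts ahead of this task, or noting in the documentation that the override-driven condition order is intentional.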
@@ -162,8 +162,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -303,8 +303,8 @@
 state: present
 when: syscalls_found | length == 0
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - audit_arch == "b64"
 tags:
 - CCE-27076-9
@@ -329,8 +329,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -354,8 +354,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -380,8 +380,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -405,8 +405,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -432,8 +432,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -459,8 +459,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -485,8 +485,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -512,8 +512,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -537,8 +537,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -563,8 +563,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -588,8 +588,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -615,8 +615,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -642,8 +642,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -668,8 +668,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -695,8 +695,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -720,8 +720,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -746,8 +746,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -771,8 +771,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -798,8 +798,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -825,8 +825,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -851,8 +851,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -878,8 +878,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -903,8 +903,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -929,8 +929,8 @@
 all_files:
 - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -954,8 +954,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -981,8 +981,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -1008,8 +1008,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27076-9
 - CJIS-5.4.1.1
@@ -1034,8 +1034,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 # Create a list of audit *.rules files that should be inspected for presence and correctness

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -23,8 +23,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -47,8 +47,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -71,8 +71,8 @@
 all_files:
 - /etc/audit/rules.d/session.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -95,8 +95,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -121,8 +121,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -147,8 +147,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -172,8 +172,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -198,8 +198,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -222,8 +222,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -246,8 +246,8 @@
 all_files:
 - /etc/audit/rules.d/session.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -270,8 +270,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -296,8 +296,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -322,8 +322,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -347,8 +347,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:
@@ -373,8 +373,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -397,8 +397,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -421,8 +421,8 @@
 all_files:
 - /etc/audit/rules.d/session.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -445,8 +445,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -471,8 +471,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -497,8 +497,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27301-1
 - CJIS-5.4.1.1
@@ -522,8 +522,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
 == 0
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -20,8 +20,8 @@
 - name: Service facts
 service_facts: null
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-83555-3
 - DISA-STIG-RHEL-07-030360
@@ -42,8 +42,8 @@
 command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
 register: check_rules_scripts_result
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-83555-3
 - DISA-STIG-RHEL-07-030360
@@ -68,8 +68,8 @@
 - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
 - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 tags:
 - CCE-83555-3
 - DISA-STIG-RHEL-07-030360
@@ -92,8 +92,8 @@
 line: '{{ item }}'
 create: true
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - '"auditd.service" in ansible_facts.services'
 - '"augenrules" in check_rules_scripts_result.stdout'
 register: augenrules_audit_rules_privilege_function_update_result
@@ -120,8 +120,8 @@
 line: '{{ item }}'
 create: true
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - '"auditd.service" in ansible_facts.services'
 - '"auditctl" in check_rules_scripts_result.stdout'
 register: auditctl_audit_rules_privilege_function_update_result
@@ -145,8 +145,8 @@
 - name: Restart Auditd
 command: /usr/sbin/service auditd restart
 when:
+ - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
 - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
 - ansible_facts.services["auditd.service"].state == "running"
 tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
+if rpm --quiet -q audit && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 # Create a list of audit *.rules files that should be inspected for presence and correctness

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -27,8 +27,8 @@
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27461-3
 - CJIS-5.4.1.1
@@ -55,8 +55,8 @@
 patterns: '*.rules'
 register: find_watch_key
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -83,8 +83,8 @@
 all_files:
 - /etc/audit/rules.d/actions.rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -111,8 +111,8 @@
 all_files:
 - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
 is defined and find_existing_watch_rules_d.matched == 0
 tags:
@@ -141,8 +141,8 @@
 create: true
 mode: '0640'
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
 == 0
 tags:
@@ -171,8 +171,8 @@
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"audit" in ansible_facts.packages'
+ - '"audit" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-27461-3
 - CJIS-5.4.1.1
@@ -200,8 +200,8 @@
 create: true
 mode: '0640'
 w

... The diff is trimmed here ...

@ggbecker
Member

I like this solution more than the macros solution I proposed in #9869 (comment).

The only thing here is that there would be an implicit behavior for the packages defined in the metadata, meaning that what you see is not what gets used by the system; for example, if you specify a package it can be replaced by some other package during the runtime if the platform package overrides contain a matching package. This solution is definitely cleaner, but we have to keep this in mind. Maybe some form of the documentation can also be included to at least record this information.

https://github.com/ComplianceAsCode/content/blame/master/tests/README.md#L168
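The implicit substitution described in the comment above, as an added illustration (my own code, not ComplianceAsCode's or automatus's): it assumes the `# key = value` header convention of test scenarios, in particular a `# packages = ...` line, and uses a constructed override table, showing how the names a scenario author writes are mapped to what actually gets installed and logging every substitution so the behaviour is not silent.

```python
"""Route a test scenario's ``packages`` metadata through a product's
platform_package_overrides (illustration only; header format and override
table are assumptions, not taken from the project)."""
import re
from typing import Dict, List, Tuple

# Constructed sample override table (placeholder values, not from any real
# product.yml): generic content name -> package name the product ships.
SAMPLE_OVERRIDES: Dict[str, str] = {
    "audit": "auditd",
    "grub2": "grub2-common",
}

# Constructed sample scenario script, assuming the "# key = value" header
# convention of automatus test scenarios.
SAMPLE_SCENARIO = """#!/bin/bash
# platform = multi_platform_all
# packages = audit, grub2,vim
# remediation = bash

echo "scenario body"
"""

METADATA_RE = re.compile(r"^#\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$")


def parse_scenario_metadata(script: str) -> Dict[str, str]:
    """Collect "# key = value" lines from the leading comment block only."""
    meta: Dict[str, str] = {}
    for line in script.splitlines():
        if not line.startswith("#"):
            if line.strip():
                break          # first real command ends the header block
            continue           # blank lines inside the header are fine
        match = METADATA_RE.match(line)   # the shebang has no '=' and is skipped
        if match:
            meta[match.group("key")] = match.group("value")
    return meta


def split_package_list(value: str) -> List[str]:
    """'a, b,c' -> ['a', 'b', 'c'], ignoring empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_packages(requested: List[str],
                     overrides: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Apply overrides; return (packages to install, substitutions made).

    The substitution list is what a framework should log or document,
    because the scenario author only ever sees the original names.
    """
    resolved: List[str] = []
    substituted: List[Tuple[str, str]] = []
    for pkg in requested:
        target = overrides.get(pkg, pkg)
        if target != pkg:
            substituted.append((pkg, target))
        resolved.append(target)
    return resolved, substituted


def packages_for_scenario(script: str, overrides: Dict[str, str]) -> List[str]:
    """End to end: header -> requested package list -> overridden list."""
    meta = parse_scenario_metadata(script)
    requested = split_package_list(meta.get("packages", ""))
    resolved, substituted = resolve_packages(requested, overrides)
    for original, replacement in substituted:
        # Make the implicit behaviour visible in the test log.
        print(f"package override: {original} -> {replacement}")
    return resolved


if __name__ == "__main__":
    print(packages_for_scenario(SAMPLE_SCENARIO, SAMPLE_OVERRIDES))
```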

@dodys
Contributor

dodys commented Nov 28, 2022

Hey David,

thanks for handling this!
I agree with Gabriel that it would be great to have some documentation about it.

Just a small request to improve maintenance, could you please break the first commit into two, one commit just for the test_suite code changes, and a second commit with just the test fixes?

Thanks in advance

@jan-cerny
Collaborator

I also agree with the need for documentation. Also, please fix the issues reported by Code Climate.

@litios litios force-pushed the master branch 2 times, most recently from 6ee8dd0 to f57fbbf November 28, 2022 15:35
@litios
Contributor Author

litios commented Nov 28, 2022

Thanks everyone for the input!

I broke the first commit as suggested by @dodys, provided documentation and fixed the codeclimate issues.

@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Nov 29, 2022
@codeclimate

codeclimate bot commented Nov 29, 2022

Code Climate has analyzed commit 8787b02 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 48.6% (0.0% change).

View more on Code Climate.

Contributor

@dodys dodys left a comment

LGTM, thanks David!
@ggbecker can you just check the tests for fedora, cs8 and cs9? They are failing, but I'm not sure if that's really an issue.

Member

@ggbecker ggbecker left a comment

I can confirm that the failures in the Automatus checks are expected and can be waived.

Thank you very much for the contribution and addressing the feedback.

I'd say this is a highlight because of the impact on code reduction it can have.

@ggbecker ggbecker added the labels Highlight (This PR/Issue should make it to the featured changelog), Infrastructure (Our content build system) and Test Suite (Update in Test Suite), and removed needs-ok-to-test (Used by openshift-ci bot) on Nov 29, 2022
@ggbecker ggbecker self-assigned this Nov 29, 2022
@ggbecker ggbecker merged commit 3d711c8 into ComplianceAsCode:master Nov 30, 2022
@vojtapolasek vojtapolasek removed the Highlight (This PR/Issue should make it to the featured changelog) label on Feb 3, 2023
Labels
Infrastructure (Our content build system), Test Suite (Update in Test Suite)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

platform_package_overrides not working with automatus
7 participants
