Conditions

It is possible to define if/then/else logic in the Unix policy. This allows the end-user to use a single file that is able to handle multiple configurations. For instance, the same policy file can check the settings for Postfix and Sendmail by using the proper if/then/else syntax.

The syntax to perform conditions is the following:

<if>
  <condition type: "or">
    <Insert your audit here>
  </condition>
  <then>
    <Insert your audit here>
  </then>
  <else>
    <Insert your audit here>
  </else>
</if>

Example

<if>
  <condition type: "or">
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.allow exists"
      file: "/etc/at.allow"
    </custom_item>
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.deny exists"
      file: "/etc/at.deny"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </else>
</if>

The checks inside the <condition> block are "silent": whether the condition passes or fails never shows up in the report. Only the contents of the branch that is selected (<then> when the condition passes, <else> when it fails) produce output.

Conditions can be of type "and" or "or": with "and" every item inside the <condition> block must pass; with "or" it is enough that at least one passes.
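To make that evaluation order concrete, the following Python model is an added illustration (not Tenable's code, and not how the compliance plugin is implemented): it parses an <if> construct shaped like the example above, combines the FILE_CHECK results according to the "and"/"or" type, and emits only the selected branch's report, so the condition itself stays silent. An in-memory set of file paths stands in for the target host; the model understands only FILE_CHECK items and a single <report> per branch, which is enough to show the branching.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the page's example; the condition type is a
# template parameter so that both "and" and "or" can be exercised.
AUDIT_TEMPLATE = """
<if>
  <condition type:"{ctype}">
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.allow exists"
      file: "/etc/at.allow"
    </custom_item>
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.deny exists"
      file: "/etc/at.deny"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </else>
</if>
"""


@dataclass
class Report:
    result: str        # PASSED / FAILED as written in the <report type:"..."> tag
    description: str


@dataclass
class IfBlock:
    ctype: str         # "and" or "or"
    items: list        # file paths of the FILE_CHECK items in <condition>
    then: Report
    otherwise: Report


KEYVAL = re.compile(r'^(\w+)\s*:\s*"?(.*?)"?\s*$')


def _fields(body: str) -> dict:
    """Turn the 'key: value' lines of an item body into a dict, quotes stripped."""
    out = {}
    for line in body.splitlines():
        m = KEYVAL.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_if(text: str) -> IfBlock:
    """Parse one <if> construct (this model only understands FILE_CHECK items)."""
    cond = re.search(r'<condition\s+type:\s*"(\w+)"\s*>(.*?)</condition>', text, re.S)
    if cond is None:
        raise ValueError("missing <condition> block")
    ctype = cond.group(1).lower()
    if ctype not in ("and", "or"):
        raise ValueError(f"unsupported condition type {ctype!r}")
    items = []
    for body in re.findall(r"<custom_item>(.*?)</custom_item>", cond.group(2), re.S):
        f = _fields(body)
        if f.get("type") != "FILE_CHECK":
            raise ValueError("only FILE_CHECK items are modelled")
        items.append(f["file"])

    def branch(tag: str) -> Report:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        if m is None:
            raise ValueError(f"missing <{tag}> block")
        r = re.search(r'<report\s+type:\s*"(\w+)"\s*>(.*?)</report>', m.group(1), re.S)
        if r is None:
            raise ValueError(f"<{tag}> block has no <report> item")
        return Report(r.group(1), _fields(r.group(2))["description"])

    return IfBlock(ctype, items, branch("then"), branch("else"))


def evaluate(block: IfBlock, existing_files: set) -> list:
    """Return the report lines the construct produces for the given set of files
    present on the target. The items inside <condition> are evaluated but, being
    "silent", contribute nothing to the output; only the chosen branch does."""
    results = [path in existing_files for path in block.items]
    passed = all(results) if block.ctype == "and" else any(results)
    chosen = block.then if passed else block.otherwise
    return [f"{chosen.result}: {chosen.description}"]


def run(ctype: str, existing_files: set) -> list:
    return evaluate(parse_if(AUDIT_TEMPLATE.format(ctype=ctype)), existing_files)


if __name__ == "__main__":
    # A host that has only /etc/at.deny satisfies "or" but not "and".
    for ctype in ("or", "and"):
        print(ctype, run(ctype, {"/etc/at.deny"}))
```

Running the block against a host that has only /etc/at.deny prints a PASSED line for the "or" form and a FAILED line for the "and" form; in neither case does a line for the individual at.allow / at.deny checks appear, which is the "silent" behaviour the text describes.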

Caveats

The Unix compliance plugin can use a system tag to control whether a particular check applies to the target OS. Using a system tag inside the <condition></condition> block is not recommended, because it can produce incorrect logic flow: the check content is evaluated before the system tag, so a conditional may branch into the <then> section on a system to which the check does not actually apply.