Conditions
It is possible to define if/then/else logic in the Unix policy. This allows the end-user to use a single file that is able to handle multiple configurations. For instance, the same policy file can check the settings for Postfix and Sendmail by using the proper if/then/else syntax.
The syntax to perform conditions is the following:
<if>
  <condition type: "or">
    <Insert your audit here>
  </condition>
  <then>
    <Insert your audit here>
  </then>
  <else>
    <Insert your audit here>
  </else>
</if>
Example
<if>
  <condition type: "or">
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.allow exists"
      file: "/etc/at.allow"
    </custom_item>
    <custom_item>
      type: FILE_CHECK
      description: "Check that at.deny exists"
      file: "/etc/at.deny"
    </custom_item>
  </condition>
  <then>
    <report type:"PASSED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description: "Make sure 'at' is secured with an allow or deny list"
    </report>
  </else>
</if>
Whether the condition fails or passes never shows up in the report because it is a “silent” check.
Conditions can be of type "and" or of type "or".
Additionally, you can use a rolled up check with multiple components. For example:
<if>
  <condition type: "AND">
    <custom_item>
      type : RPM_CHECK
      description : "at is installed"
      rpm : "at-0.0.0-0"
      operator : "gt"
      required : YES
    </custom_item>
  </condition>
  <then>
    <if>
      <condition type: "AND" auto: "FAILED">
        <custom_item>
          type : FILE_CHECK
          description : "/etc/at.allow file permissions"
          file : "/etc/at.allow"
          owner : "root"
          group : "root" || "daemon"
          mask : "137"
        </custom_item>
        <custom_item>
          type : FILE_CHECK
          description : "/etc/at.deny file permissions"
          file : "/etc/at.deny"
          owner : "root"
          group : "root" || "daemon"
          mask : "137"
          file_required : NO
        </custom_item>
      </condition>
      <then>
        <report type: "PASSED">
          description : "Make sure 'at' is secured with an allow or deny list"
          show_output : YES
        </report>
      </then>
    </if>
  </then>
  <else>
    <report type: "PASSED">
      description : "Make sure 'at' is secured with an allow or deny list"
    </report>
  </else>
</if>
In this example, the auto attribute allows the plugin to present an automatic result if the conditions do not evaluate as true.
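To make the branching rules concrete, here is an added Python model of how an if/condition/then/else tree is walked: items inside <condition> are silent, "and" requires every item to pass while "or" requires one, and the auto attribute produces an automatic result when the condition is false. This is an illustration written for this page, not Tenable's plugin code. The FILE_CHECK and RPM_CHECK models, the constructed host facts (make_host), and the exact reporting behaviour of auto (each failing condition item reported with the auto result) are assumptions; mask is modelled as the set of permission bits that must not be set.

```python
"""Toy evaluator for the if/condition/then/else logic described above.
Added illustration, not Tenable's plugin code: target-host facts are
constructed dictionaries instead of real FILE_CHECK / RPM_CHECK lookups."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple, Union


def make_host(allow_mode):
    """Constructed host: 'at' installed, /etc/at.allow owned by root with the
    given mode, and no /etc/at.deny present."""
    return {"rpms": {"at": (4, 1, 23)},
            "files": {"/etc/at.allow": {"owner": "root", "group": "root",
                                        "mode": allow_mode}}}


def file_check(host, path, owner=None, groups=(), mask=0, file_required=True):
    """Model of FILE_CHECK (assumption): owner/group must match and none of the
    bits in `mask` may be set. With file_required NO a missing file passes."""
    meta = host["files"].get(path)
    if meta is None:
        return not file_required
    if owner is not None and meta["owner"] != owner:
        return False
    if groups and meta["group"] not in groups:
        return False
    return (meta["mode"] & mask) == 0


def rpm_check(host, name, version, operator="gt"):
    """Model of RPM_CHECK (assumption): compare installed version tuples."""
    installed = host["rpms"].get(name)
    if installed is None:
        return False
    return installed > version if operator == "gt" else installed == version


@dataclass
class Item:                     # a <custom_item>; check() is True for PASSED
    description: str
    check: Callable[[], bool]

@dataclass
class Report:                   # a <report type:"...">
    type: str
    description: str

@dataclass
class If:                       # an <if> with its <condition>, <then>, <else>
    cond_type: str              # "and" or "or" (case-insensitive)
    condition: List[Item]
    then: List["Node"]
    else_: List["Node"] = field(default_factory=list)
    auto: Optional[str] = None  # the auto: "FAILED" attribute on <condition>

Node = Union[Item, Report, If]


def evaluate(nodes: List[Node], results=None) -> List[Tuple[str, str]]:
    """Return the (result, description) lines the report would contain.
    Condition items are silent: they pick the branch but are not reported,
    except that with `auto` each failing condition item is reported with
    the auto result (assumption about the plugin's behaviour)."""
    if results is None:
        results = []
    for node in nodes:
        if isinstance(node, Report):
            results.append((node.type, node.description))
        elif isinstance(node, Item):
            results.append(("PASSED" if node.check() else "FAILED", node.description))
        else:
            outcomes = [item.check() for item in node.condition]
            combine = all if node.cond_type.lower() == "and" else any
            if combine(outcomes):
                evaluate(node.then, results)
            else:
                if node.auto:
                    for item, ok in zip(node.condition, outcomes):
                        if not ok:
                            results.append((node.auto, item.description))
                evaluate(node.else_, results)
    return results


def at_policy(host) -> List[Node]:
    """The nested 'at' example from the page, as a tree bound to `host`."""
    perms = dict(owner="root", groups=("root", "daemon"), mask=0o137)
    desc = "Make sure 'at' is secured with an allow or deny list"
    inner = If(cond_type="and", auto="FAILED", condition=[
        Item("/etc/at.allow file permissions",
             lambda: file_check(host, "/etc/at.allow", **perms)),
        Item("/etc/at.deny file permissions",
             lambda: file_check(host, "/etc/at.deny", file_required=False, **perms)),
    ], then=[Report("PASSED", desc)])
    return [If(cond_type="and",
               condition=[Item("at is installed", lambda: rpm_check(host, "at", (0, 0, 0)))],
               then=[inner], else_=[Report("PASSED", desc)])]


if __name__ == "__main__":
    for mode in (0o640, 0o644):          # compliant vs world-readable at.allow
        print(oct(mode), evaluate(at_policy(make_host(mode))))
```

With at.allow at mode 0640 the inner condition holds and only the PASSED report line appears; with 0644 the mask check fails, the auto attribute reports the failing item as FAILED, and nothing from the empty <else> branch is emitted.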
Caveats
The Unix compliance plugin can use a system tag to control whether a particular check applies to the target OS. Using a system tag inside the <condition></condition> block is not recommended, as it can produce an incorrect logic flow: the check content is evaluated before the system tag, so a condition can route the audit into the <then> section on a target to which the check does not actually apply.