Merged
18 changes: 10 additions & 8 deletions docs/manual/developer/03_creating_content.md
Expand Up @@ -717,8 +717,7 @@ XCCDF rules in our project.
In the example below we identified that:

* R1 can be automatically scanned by SCAP and we already have 3 existing rules
in our repository. However, we want one of them to be selected only on RHEL 9,
but the rule is applicable to all platforms.
in our repository.
* R2 is up to manual checking, but we have systemd_target_multi_user which is
related to this control.
* R3 can be automatically scanned by SCAP but unfortunately we don't have any
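Review bot: the R1 bullet now ends at "in our repository." and the worked analysis no longer contains any product-specific case, so nothing in this example leads into the product exception text added further down in this file. Consider keeping a short remark on R1 that one of the three rules is not wanted on every product and that this is handled in the product profile rather than in the controls file.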
Expand All @@ -742,8 +741,15 @@ between XCCDF rules which directly implement the given controls (represented by
The `rules` and `related_rules` keys consist of a list of rule IDs and variable
selections.

If a rule needs to be chosen only in some of the products we can use Jinja macros
inside the controls file to choose products.
There might be cases, specially in product agnostic policies such as PCI-DSS, ANSSI and HIPAA,
that rules included in `rules` field need to be removed in profiles for specific products.
These exceptions can be managed by unselecting the relevant rules in product's profile `selections` field,
e.g. we add `!cockpit_session_timeout` to `products/rhel10/profiles/anssi_bp28_high.profile` to unselect rule
`cockpit_session_timeout`.

Similarly there might be cases where a particular product needs a specific rule not applicable to other
products consuming the same control file. This exception can also be managed by selecting the rule in
the product's profile `selections` field of the particular product.

After we finish our analysis, we will insert our findings to the controls file,
the file will look like this:
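Review bot: the wording of the two added paragraphs needs a pass: "specially" should be "especially", "product agnostic" should be hyphenated, "in `rules` field" and "in product's profile" are missing "the", and "the product's profile `selections` field of the particular product" names the product twice. The second paragraph also has no example, unlike the `!cockpit_session_timeout` one in the first; a matching one-line example of selecting a rule in a product profile would help. Since these exceptions live in the profiles, it is also worth stating that the controls file alone no longer shows what a given product ends up selecting.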
Expand All @@ -766,9 +772,7 @@ controls:
- sshd_set_idle_timeout
- accounts_tmout
- var_accounts_tmout=10_min
{{% if product == "rhel9" %}}
- cockpit_session_timeout
{{% endif %}}
- id: R2
title: Minimization of configuration
description: |-
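Review bot: removing the `{{% if product == "rhel9" %}}` guard around `cockpit_session_timeout` in R1 changes the example from selecting the rule on RHEL 9 only to selecting it for every product that consumes this controls file. The added documentation only shows the unselect for `products/rhel10/profiles/anssi_bp28_high.profile`; if the earlier RHEL 9-only behaviour is still what the example is meant to convey, say that each other product profile needs its own `!cockpit_session_timeout`, or state that the rule is now intended for all products.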
Expand Down Expand Up @@ -820,9 +824,7 @@ controls:
- sshd_set_idle_timeout
- accounts_tmout
- var_accounts_tmout=10_min
{{% if product == "rhel9" %}}
- cockpit_session_timeout
{{% endif %}}
```

```