Linux: Systemd Unit Dependency
Description
The Linux: Systemd Unit Dependency test is used to retrieve information about the dependencies of a single systemd unit in the form of a list. This list contains all dependencies, including transitive dependencies. For more information see the output generated by `systemctl list-dependencies --plain $unit`.
The systemdunitdependency_object element is used by a systemdunitdependency_test to define the specific units to be evaluated for dependencies.
The systemdunitdependency_state element holds dependencies of a specific systemd unit.
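As an added illustration (not part of this reference page or of the benchmark tooling), the following Python emulates what the test evaluates: it parses the output of `systemctl list-dependencies --plain <unit>` into a flat dependency list, applies the object's `unit`/`operation` selection, and then applies the state's `dependency` comparison with `entity_check="at least one"` semantics. The sample output is constructed, and the assumption that the queried unit is printed first with dependencies indented beneath it is ours; the `evaluate_live` helper is only for running against a real host.

```python
import re
import subprocess

# Constructed sample of what `systemctl list-dependencies --plain multi-user.target`
# might print on a small host. Not captured from a real system.
SAMPLE_OUTPUT = """\
multi-user.target
  basic.target
    sysinit.target
      systemd-journald.service
  auditd.service
  sshd.service
"""


def _unit_name(line):
    # Strip indentation and the status bullets systemctl prints on a terminal.
    return line.strip().lstrip("●○").strip()


def parse_dependencies(output):
    """Flatten `systemctl list-dependencies --plain` output into a list of unit names.

    Assumption: the first line is the queried unit itself; every later line is a
    direct or transitive dependency, indented by nesting level.
    """
    names = [_unit_name(line) for line in output.splitlines()]
    names = [n for n in names if n]
    return names[1:]


def matches(actual, expected, operation="equals"):
    """Apply one OVAL string operation (the subset meaningful for unit names)."""
    ops = {
        "equals": lambda a, e: a == e,
        "not equal": lambda a, e: a != e,
        "case insensitive equals": lambda a, e: a.casefold() == e.casefold(),
        "case insensitive not equal": lambda a, e: a.casefold() != e.casefold(),
        # OVAL pattern match is a regular-expression match.
        "pattern match": lambda a, e: re.search(e, a) is not None,
    }
    if operation not in ops:
        raise ValueError(f"unsupported operation: {operation!r}")
    return ops[operation](actual, expected)


def dependency_present(dependencies, dependency, operation="equals"):
    """Mirror the state's <dependency entity_check="at least one">."""
    return any(matches(d, dependency, operation) for d in dependencies)


def evaluate(output, unit, dependency, unit_operation="equals", dependency_operation="equals"):
    """Evaluate object selection plus state comparison against one captured output."""
    first = output.splitlines()[0] if output.splitlines() else ""
    if not matches(_unit_name(first), unit, unit_operation):
        return False  # the object did not collect this unit
    return dependency_present(parse_dependencies(output), dependency, dependency_operation)


def evaluate_live(unit, dependency, dependency_operation="equals"):
    """Same check against the running host (needs systemctl; not used offline)."""
    out = subprocess.run(
        ["systemctl", "list-dependencies", "--plain", unit],
        capture_output=True, text=True, check=True,
    ).stdout
    return dependency_present(parse_dependencies(out), dependency, dependency_operation)


if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT, "multi-user.target", "sshd.service"))
```

Note the effect of `entity_check="at least one"` combined with `not equal`: the comparison is true as soon as any collected dependency differs from the given name, so it does not express "this unit must not be a dependency". A check that a unit is absent from the dependency list has to be built differently; `not equal` is only useful here when the list is expected to contain a single entry.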
Technical Details
Artifact Parameters
linux.systemd_unit_dependency_v1
| Name | Type | Description |
|---|---|---|
| unit | string | The full systemd unit name, usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. |
| operation | string | Determines how the unit name should be evaluated (the default operation is ‘equals’). |

- NOTE: The `operation` parameter is governed by a constraint allowing only the following values: equals, not equal, case insensitive equals, case insensitive not equal, greater than, less than, greater than or equal, less than or equal, bitwise and, bitwise or, pattern match, subset of, superset of
Supported Test Types
Linux: Systemd Unit Dependency
Test Type Parameters
linux.systemd_unit_dependency_v1
| Name | Type | Description |
|---|---|---|
| unit | string | The full systemd unit name, usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. |
| unit_operation | string | Determines how the unit name should be evaluated (the default operation is ‘equals’). |
| dependency | string | The name of a unit which is to be confirmed as a dependency of the given unit. |
| dependency_operation | string | Determines how the dependency name should be evaluated (the default operation is ‘equals’). |

- NOTE: The `unit_operation` and `dependency_operation` parameters are governed by a constraint allowing only the following values: equals, not equal
Generated Content
linux.systemd_unit_dependency_v1
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF.
```xml
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
  <xccdf:check-content>
    <ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
      <ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
      <ae:title>[ARTIFACT-TITLE]</ae:title>
      <ae:artifact type="[ARTIFACT-TYPE-NAME]">
        <ae:parameters>
          <ae:parameter dt="string" name="unit">[unit.value]</ae:parameter>
          <ae:parameter dt="string" name="operation">[operation.value]</ae:parameter>
        </ae:parameters>
      </ae:artifact>
      <ae:test type="[TEST-TYPE-NAME]">
        <ae:parameters>
          <ae:parameter dt="string" name="unit">[unit.value]</ae:parameter>
          <ae:parameter dt="string" name="unit_operation">[unit_operation.value]</ae:parameter>
          <ae:parameter dt="string" name="dependency">[dependency.value]</ae:parameter>
          <ae:parameter dt="string" name="dependency_operation">[dependency_operation.value]</ae:parameter>
        </ae:parameters>
      </ae:test>
      <ae:profiles>
        <ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
      </ae:profiles>
    </ae:artifact_expression>
  </xccdf:check-content>
</xccdf:check>
```
SCAP
XCCDF
For linux.systemd_unit_dependency_v1 artifacts, the XCCDF check looks like this. There is no Value element in the XCCDF for this artifact.
```xml
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <check-content-ref
      href="[BENCHMARK-TITLE]-oval.xml"
      name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
```
OVAL
Test
```xml
<systemdunitdependency_test
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
    check_existence="any_exist"
    check="all"
    comment="[ARTIFACT-TITLE]"
    version="1">
  <object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
  <state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</systemdunitdependency_test>
```
Object
```xml
<systemdunitdependency_object
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
    comment="[ARTIFACT-TITLE]"
    version="1">
  <unit operation="[operation.value]">[unit.value]</unit>
</systemdunitdependency_object>
```
State
```xml
<systemdunitdependency_state
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
    comment="[ARTIFACT-TITLE]"
    version="1">
  <unit datatype="string" operation="[operation.value]">[unit.value]</unit>
  <dependency entity_check="at least one" operation="[operation.value]">[dependency.value]</dependency>
</systemdunitdependency_state>
```
YAML
```yaml
artifact-expression:
  artifact-unique-id: "[ARTIFACT-OVAL-ID]"
  artifact-title: "[ARTIFACT-TITLE]"
  artifact:
    type: "[ARTIFACT-TYPE-NAME]"
    parameters:
      - parameter:
          name: "unit"
          dt: "string"
          value: "[unit.value]"
      - parameter:
          name: "operation"
          dt: "string"
          value: "[operation.value]"
  test:
    type: "[TEST-TYPE-NAME]"
    parameters:
      - parameter:
          name: "dependency_operation"
          dt: "string"
          value: "[dependency_operation.value]"
      - parameter:
          name: "unit"
          dt: "string"
          value: "[unit.value]"
      - parameter:
          name: "unit_operation"
          dt: "string"
          value: "[unit_operation.value]"
      - parameter:
          name: "dependency"
          dt: "string"
          value: "[dependency.value]"
```
JSON
```json
{
  "artifact-expression": {
    "artifact-unique-id": "[ARTIFACT-OVAL-ID]",
    "artifact-title": "[ARTIFACT-TITLE]",
    "artifact": {
      "type": "[ARTIFACT-TYPE-NAME]",
      "parameters": [
        {
          "parameter": {
            "name": "unit",
            "type": "string",
            "value": "[unit.value]"
          }
        },
        {
          "parameter": {
            "name": "operation",
            "type": "string",
            "value": "[operation.value]"
          }
        }
      ]
    },
    "test": {
      "type": "[TEST-TYPE-NAME]",
      "parameters": [
        {
          "parameter": {
            "name": "dependency_operation",
            "type": "string",
            "value": "[dependency_operation.value]"
          }
        },
        {
          "parameter": {
            "name": "unit",
            "type": "string",
            "value": "[unit.value]"
          }
        },
        {
          "parameter": {
            "name": "unit_operation",
            "type": "string",
            "value": "[unit_operation.value]"
          }
        },
        {
          "parameter": {
            "name": "dependency",
            "type": "string",
            "value": "[dependency.value]"
          }
        }
      ]
    }
  }
}
```