From b45dd6f58765b4df848cb17cf70dac72060a5dfa Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Wed, 24 Jul 2024 13:11:22 +0000
Subject: [PATCH] fix xccdf_variable substitution with dotnotation

---
 .../openshift/api-server/api_server_request_timeout/rule.yml    | 2 +-
 .../openshift/authentication/oauth_inactivity_timeout/rule.yml  | 2 +-
 .../openshift/kubelet/kubelet_configure_event_creation/rule.yml | 2 +-
 .../kubelet_enable_streaming_connections_deprecated/rule.yml    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/applications/openshift/api-server/api_server_request_timeout/rule.yml b/applications/openshift/api-server/api_server_request_timeout/rule.yml
index 1c7d3d07563..4777aa3b674 100644
--- a/applications/openshift/api-server/api_server_request_timeout/rule.yml
+++ b/applications/openshift/api-server/api_server_request_timeout/rule.yml
@@ -50,7 +50,7 @@ ocil_clause: '<tt>min-request-timeout</tt> is not set or is not set to an approp
 ocil: |-
     Run the following command:
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'</pre>
-    The output should return <pre> {{{ xccdf_value("var_api_min_request_timeout") }}} </pre>.
+    The output should return <pre> {{ .var_api_min_request_timeout }} </pre>.
 
 warnings:
 - general: |-
diff --git a/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml b/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
index faa9a2ce587..733f733af52 100644
--- a/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
+++ b/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
@@ -61,7 +61,7 @@ ocil_clause: 'OAuth server inactivity timeout is not configured'
 ocil: |-
   To check if the OAuth server timeout is configured, run the following command:
   <pre>oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'</pre>
-  the output should return <pre> {{{ xccdf_value("var_oauth_inactivity_timeout") }}} </pre>.
+  the output should return <pre> {{ .var_oauth_inactivity_timeout }} </pre>.
 
 severity: medium
 
diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
index 59a99692ab0..0b8e28cb2e6 100644
--- a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
@@ -49,7 +49,7 @@ ocil_clause: 'event creation limits are not configured'
 ocil: |-
     Run the following command on the kubelet node(s):
     <pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done</pre>
-    The output should return <tt>{{{ xccdf_value("var_event_record_qps") }}}</tt>.
+    The output should return <tt>{{ .var_event_record_qps }}</tt>.
 
 references:
     cis@ocp4: 4.2.8
diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/rule.yml
index d12b6cc5bae..15d46d9cd2b 100644
--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/rule.yml
@@ -31,7 +31,7 @@ ocil_clause: 'the streaming connection timeouts are not disabled'
 ocil: |-
     Run the following command on the kubelet node(s):
     <pre>$ sudo grep streamingConnectionIdleTimeout {{{ kubeletconf_path }}}</pre>
-    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
+    The output should return <tt>{{ .var_streaming_connection_timeouts }}</tt>.
 
 references:
     cis@eks: 3.2.5