Merge branch 'ComplianceAsCode:master' into patch-1

ComplianceAsCode · Feb 12, 2024 · ed7f4a7 · ed7f4a7
2 parents 0d9d616 + fcb26a4
commit ed7f4a7
Show file tree

Hide file tree

Showing 21 changed files with 219 additions and 47 deletions.
diff --git a/.github/workflows/k8s-content-pr.yaml b/.github/workflows/k8s-content-pr.yaml
@@ -64,10 +64,10 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/complianceascode/k8scontent
           tags: |

diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -572,8 +572,7 @@ controls:
     levels:
     - high
     notes: >-
-      As R18 configures hardened management of kernel modules we don't check nor remediate
-      for CONFIG_MODULES=n
+      If the system can function without support for kernel modules, module support should be disabled by setting CONFIG_MODULES=n.
     status: automated
     rules:
     - kernel_config_kexec
@@ -777,30 +776,19 @@ controls:
     - accounts_password_pam_unix_remember
 
   - id: R32
-    title: User session timeout
+    title: Configuring a timeout on local user sessions
     levels:
     - intermediary
     description: >-
-      Remote user sessions (shell access, graphical clients) must be closed
-      after a certain period of inactivity.
+      Local user sessions (console TTY, graphical session) must be locked after a certain period of inactivity.
     notes: >-
-      There is no specific capability to check remote user inactivity, but some shells allow the
-      session inactivity time out to be configured via TMOUT variable.
-      In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
-      The server is configured to disconnect sessions if no data has been received within the idle timeout,
-      regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
-      In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
-      The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
-      "don't disconnect network inactive sessions". The server either probes for the client liveness
-      or keeps inactive sessions connected.
-    status: supported
+      ANSSI doesn't specify the length of the inactivity period, we are choosing 10 minutes as reasonable number.
+    status: automated
     rules:
+    - logind_session_timeout
+    - var_logind_session_timeout=10_minutes
     - accounts_tmout
     - var_accounts_tmout=10_min
-    - sshd_set_idle_timeout
-    - sshd_idle_timeout_value=10_minutes
-    - sshd_set_keepalive
-    - var_sshd_set_keepalive=0
 
   - id: R33
     title: Use of dedicated administration accounts
@@ -913,15 +901,13 @@ controls:
     - sudo_add_env_reset
 
   - id: R40
-    title: User authentication running sudo
+    title: Privileges of target sudo users
+    description: The targeted users of a rule should be, as much as possible, non privileged users.
     levels:
-    - minimal
-    description: >-
-      The calling user must be authenticated before running any command with sudo.
+    - intermediary
     status: automated
     rules:
-    - sudo_remove_nopasswd
-    - sudo_remove_no_authenticate
+    - sudoers_no_root_target
 
   - id: R41
     title: Limiting the number of commands requiring the use of the EXEC option
@@ -1308,44 +1294,46 @@ controls:
     status: manual
 
   - id: R71
-    title: Implementation of a logging system
+    title: Implement a logging system
     levels:
     - enhanced
     description: >-
       The configuration of the service must be performed according to the
-      'Security Recommendations for the implementation of a logging system' (DAT-NT-012) accessible on the ANSSI website.
+      'Security Recommendations for the architecture of a logging system'
+      (DAT-PA-012 v2.0) accessible on the ANSSI website
+      (https://www.ssi.gouv.fr/journalisation).
     notes: >-
-      A lot of recommendations and requirements from the DAT-NT-012 document are administrative and hard to automate.
+      A lot of recommendations and requirements from the DAT-PA-012 document are administrative and hard to automate.
       The rules selected below address a few of the aspects that can be covered, keep in mind that these configurations should
       be customized for the systems deployment requirements.
     status: automated
     rules:
-    # Based on DAT-NT-012 R3
+    # Based on DAT-PA-012 R5
     - package_chrony_installed
     - service_chronyd_or_ntpd_enabled
     - chronyd_specify_remote_server
     - chronyd_configure_pool_and_server
 
-    # Derived from DAT-NT-012 R4
-    - partition_for_var_log_audit
-
-    # Derived from DAT-NT-012 R5, these are also covered in R7
+    # Derived from DAT-PA-012 R9
     # The default remote loghost is logcollector.
     # Change the default value to the hostname or IP of the system to send the logs to
     - rsyslog_remote_loghost
 
-    # Derived from DAT-NT-012 R12
+    # Derived from DAT-PA-012 R17
     - package_rsyslog-gnutls_installed
     - rsyslog_remote_tls
     - rsyslog_remote_tls_cacert
 
-    # Based on DAT-NT-012 R18
+    # Derived from DAT-PA-012 R21
+    - partition_for_var_log_audit
+
+    # Based on DAT-PA-012 R24
     # The rules sets the rotation frequency to daily
     - package_logrotate_installed
     - timer_logrotate_enabled
     - ensure_logrotate_activated
 
-    # Based on DAT-NT-012 R20
+    # Based on DAT-PA-012 R26, R27
     - rsyslog_files_ownership
     - rsyslog_files_groupownership
     - rsyslog_files_permissions
@@ -1509,7 +1497,7 @@ controls:
       basic integrity checking. System logs are configured as part of R43.
       Hardening of particular services should be done on a case by case basis and is
       not automated by this content.
-    status: automated
+    status: partial
     rules:
     - selinux_state
     - var_selinux_state=enforcing

diff --git a/...-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/...-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -4,12 +4,12 @@
 # complexity = low
 # disruption = low
 
-if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+if ! grep -x '  case "$name" in (sshd|login) exec tmux ;; esac' /etc/bashrc; then
     cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in (sshd|login) exec tmux ;; esac
 fi
 EOF
     chmod 0644 /etc/profile.d/tmux.sh

diff --git a/...physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/...physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -14,7 +14,7 @@
   <ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
     <ind:behaviors singleline="true" multiline="false" />
     <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
-    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
+    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in \(?sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/...counts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/...counts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -63,7 +63,7 @@ fixtext: |-
     if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) exec tmux ;; esac
+        case "$name" in (sshd|login) exec tmux ;; esac
     fi
 
     Then, ensure a correct mode of /etc/profile.d/tmux.sh using this command:

diff --git a/...een_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/...een_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -5,7 +5,7 @@ cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in (sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/...console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -6,7 +6,7 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in (sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...le_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/...le_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
@@ -5,15 +5,15 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in (sshd|login) exec tmux ;; esac
 fi
 EOF
 
 cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in (sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/...auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml
@@ -63,5 +63,13 @@
 {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}}
 {{{ ansible_audit_augenrules_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}}
 {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+
+{{% if 'ubuntu' in product -%}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/networks', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/networks', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/network/', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/network/', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+{{% else -%}}
 {{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}}
 {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}}
+{{% endif %}}
diff --git a/...tem/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/...tem/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
@@ -25,5 +25,13 @@ done
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/issue.net", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/hosts", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/hosts", "wa", "audit_rules_networkconfig_modification") }}}
+
+{{% if 'ubuntu' in product -%}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
+{{% else -%}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
+{{% endif %}}
diff --git a/...em/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml b/...em/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml
@@ -0,0 +1,125 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_networkconfig_modification" version="1">
+    {{{ oval_metadata("The network environment should not be modified by anything other than
+      administrator action. Any change to network parameters should be audited.") }}}
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit /etc/issue augenrules" test_ref="test_arnm_etc_issue_augenrules" />
+        <criterion comment="audit /etc/issue.net augenrules" test_ref="test_arnm_etc_issue_net_augenrules" />
+        <criterion comment="audit /etc/hosts augenrules" test_ref="test_arnm_etc_hosts_augenrules" />
+        <criterion comment="audit /etc/networks augenrules" test_ref="test_arnm_etc_networks_augenrules" />
+        <criterion comment="audit /etc/network/ augenrules" test_ref="test_arnm_etc_networkdir_augenrules" />
+        <extend_definition comment="audit augenrules sethostname" definition_ref="audit_rules_networkconfig_modification_hostname" />
+        <extend_definition comment="audit augenrules setdomainname" definition_ref="audit_rules_networkconfig_modification_domainname" />
+      </criteria>
+
+      <!-- Test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit /etc/issue auditctl" test_ref="test_arnm_etc_issue_auditctl" />
+        <criterion comment="audit /etc/issue.net auditctl" test_ref="test_arnm_etc_issue_net_auditctl" />
+        <criterion comment="audit /etc/hosts auditctl" test_ref="test_arnm_etc_hosts_auditctl" />
+        <criterion comment="audit /etc/networks auditctl" test_ref="test_arnm_etc_networks_auditctl" />
+        <criterion comment="audit /etc/network/ auditctl" test_ref="test_arnm_etc_networkdir_auditctl" />
+        <extend_definition comment="audit augenrules sethostname" definition_ref="audit_rules_networkconfig_modification_hostname" />
+        <extend_definition comment="audit augenrules setdomainname" definition_ref="audit_rules_networkconfig_modification_domainname" />
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/issue augenrules" id="test_arnm_etc_issue_augenrules" version="1">
+    <ind:object object_ref="object_arnm_etc_issue_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_issue_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/issue.net augenrules" id="test_arnm_etc_issue_net_augenrules" version="1">
+    <ind:object object_ref="object_arnm_etc_issue_net_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_issue_net_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/hosts augenrules" id="test_arnm_etc_hosts_augenrules" version="1">
+    <ind:object object_ref="object_arnm_etc_hosts_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_hosts_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/networks augenrules" id="test_arnm_etc_networks_augenrules" version="1">
+    <ind:object object_ref="object_arnm_etc_networks_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_networks_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/networks[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/network/ augenrules" id="test_arnm_etc_networkdir_augenrules" version="1">
+    <ind:object object_ref="object_arnm_etc_networkdir_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_networkdir_augenrules" version="1">
+    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/network/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/issue auditctl" id="test_arnm_etc_issue_auditctl" version="1">
+    <ind:object object_ref="object_arnm_etc_issue_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_issue_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/issue.net auditctl" id="test_arnm_etc_issue_net_auditctl" version="1">
+    <ind:object object_ref="object_arnm_etc_issue_net_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_issue_net_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/hosts auditctl" id="test_arnm_etc_hosts_auditctl" version="1">
+    <ind:object object_ref="object_arnm_etc_hosts_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_hosts_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/networks auditctl" id="test_arnm_etc_networks_auditctl" version="1">
+    <ind:object object_ref="object_arnm_etc_networks_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_networks_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/networks[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="audit /etc/network/ auditctl" id="test_arnm_etc_networkdir_auditctl" version="1">
+    <ind:object object_ref="object_arnm_etc_networkdir_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arnm_etc_networkdir_auditctl" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-w[\s]+/etc/network/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>