From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Fri, 8 Jul 2022 17:51:57 +0200

Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP

Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP.  This rule

requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default

is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf

programs and all users, and it turns on constants blinding by using

random value + XOR for CAP_BPF; so the only thing in which value 1 and 2

differ is the constants blinding for CAP_SYS_ADMIN processes in the

initial user namespaces. The extra constants blinding with

bpf_jit_harden=2 does not really help with CVE mitigation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728

---

 products/rhel9/profiles/ospp.profile | 1 -

 1 file changed, 1 deletion(-)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile

index 244a421fb48..a7ba9532d2c 100644

--- a/products/rhel9/profiles/ospp.profile

+++ b/products/rhel9/profiles/ospp.profile

@@ -75,7 +75,6 @@ selections:

     - sysctl_kernel_perf_event_paranoid

     - sysctl_user_max_user_namespaces

     - sysctl_kernel_unprivileged_bpf_disabled

-    - sysctl_net_core_bpf_jit_harden

     - service_kdump_disabled

     ### Audit

From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Tue, 12 Jul 2022 11:24:42 +0200

Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template

The sysctl template uses its sysctlvar parameter value as a part of OVAL

object IDs, test IDs and state IDs. That means we can't have multiple

rules using the sysctl template with the same value of sysctlvar

parameter (only differ in other parameters) because there would be

duplicate elements. We will fix this by using the rule ID as a part of

OVAL object IDs, test IDs and state IDs.  That will allow to use the

template for the same sysctlvar in different rules.

---

 .../oval/sysctl_kernel_ipv6_disable.xml       |   4 +-

 shared/templates/sysctl/oval.template         | 156 +++++++++---------

 2 files changed, 80 insertions(+), 80 deletions(-)

diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

index 1195cea518f..f971d28a047 100644

--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

@@ -19,8 +19,8 @@

     </metadata>

     <criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">

       <criteria operator="AND">

-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_static_net_ipv6_conf_all_disable_ipv6" />

-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" />

+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_static" />

+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" />

       </criteria>

     </criteria>

   </definition>

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template

index 74583dbee1d..52671c06402 100644

--- a/shared/templates/sysctl/oval.template

+++ b/shared/templates/sysctl/oval.template

@@ -5,8 +5,8 @@

 {{%- endif %}}

 {{% macro state_static_sysctld(prefix) -%}}

-    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}"/>

-    <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}"/>

+    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>

 {{%- endmacro -%}}

 {{%- macro sysctl_match() -%}}

 {{%- if SYSCTLVAL == "" -%}}

@@ -20,13 +20,13 @@

 {{%- if "P" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}" version="3">

     {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}

     <criteria operator="AND">

-                         definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>

+                         definition_ref="{{{ rule_id }}}_static"/>

-                         definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>

+                         definition_ref="{{{ rule_id }}}_runtime"/>

     </criteria>

   </definition>

 </def-group>

@@ -34,7 +34,7 @@

 {{%- elif "I" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">

+  <definition class="compliance" id="{{{ rule_id }}}" version="4">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}

     <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">

 {{% if product in ["ubuntu1604", "ubuntu1804"] %}}

@@ -46,9 +46,9 @@

 {{% endif %}}

       <criteria operator="AND">

-                           definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>

+                           definition_ref="{{{ rule_id }}}_static"/>

-                           definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>

+                           definition_ref="{{{ rule_id }}}_runtime"/>

       </criteria>

     </criteria>

   </definition>

@@ -58,33 +58,33 @@

 {{%- if "R" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}

     <criteria operator="AND">

-                 test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>

+                 test_ref="test_{{{ rule_id }}}_runtime"/>

     </criteria>

   </definition>

-  

+  

                     comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"

                     check="all" check_existence="all_exist">

-    <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}"/>

-    <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}"/>

+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>

+    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>

   </unix:sysctl_test>

-  <unix:sysctl_object id="object_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">

     <unix:name>{{{ SYSCTLVAR }}}</unix:name>

   </unix:sysctl_object>

 {{% if SYSCTLVAL == "" %}}

-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">

-                var_ref="sysctl_{{{ SYSCTLID }}}_value"/>

+                var_ref="{{{ rule_id }}}_value"/>

   </unix:sysctl_state>

-  

+  

                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>

 {{%- else %}}

-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">

 {{% if OPERATION == "pattern match" %}}

                 operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>

@@ -100,46 +100,46 @@

 {{%- if "S" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}

     <criteria operator="AND">

       <criteria operator="OR">

-                   test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static"/>

-                   test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>

-                   test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-                   test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>

 {{% endif %}}

       </criteria>

 {{% if target_oval_version >= [5, 11] %}}

-      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

+      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />

 {{% endif %}}

     </criteria>

   </definition>

-  

+  

                               check="all" check_existence="all_exist"

                               comment="{{{ SYSCTLVAR }}} static configuration">

     {{{ state_static_sysctld("sysctl") }}}

   </ind:textfilecontent54_test>

-  

+  

                           comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">

     {{{ state_static_sysctld("etc_sysctld") }}}

   </ind:textfilecontent54_test>

-  

+  

                           comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">

     {{{ state_static_sysctld("run_sysctld") }}}

   </ind:textfilecontent54_test>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-  

+  

                           check="all"

                           comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">

     {{{ state_static_sysctld("usr_lib_sysctld") }}}

@@ -148,79 +148,79 @@

 {{% if target_oval_version >= [5, 11] %}}

-  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

-    <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

-    <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

+  id="test_{{{ rule_id }}}_defined_in_one_file" version="1">

+    <ind:object object_ref="object_{{{ rule_id }}}_defined_in_one_file" />

+    <ind:state state_ref="state_{{{ rule_id }}}_defined_in_one_file" />

   </ind:variable_test>

-  <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

-    <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>

+  <ind:variable_object id="object_{{{ rule_id }}}_defined_in_one_file" version="1">

+    <ind:var_ref>local_var_{{{ rule_id }}}_counter</ind:var_ref>

   </ind:variable_object>

-  <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

+  <ind:variable_state id="state_{{{ rule_id }}}_defined_in_one_file" version="1">

     <ind:value operation="equals" datatype="int">1</ind:value>

   </ind:variable_state>

-  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">

+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_{{{ rule_id }}}_counter" version="1">

     <count>

       <unique>

-        <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />

+        <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls" item_field="filepath" />

       </unique>

     </count>

   </local_variable>

-  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls" version="1">

     <set>

-      <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>

-      <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>

+      <object_reference>object_{{{ rule_id }}}_static_set_sysctls_unfiltered</object_reference>

+      <filter action="exclude">state_{{{ rule_id }}}_filepath_is_symlink</filter>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">

-    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />

+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_filepath_is_symlink" version="1">

+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_{{{ rule_id }}}_safe_symlinks" datatype="string" />

   </ind:textfilecontent54_state>

-  

+  

        This ultimately avoids referencing a variable with "no values",

        we reference a variable with a blank string -->

-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_{{{ rule_id }}}_safe_symlinks" version="1">

     <unique>

-      <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />

+      <object_component object_ref="var_object_symlink_{{{ rule_id }}}" item_field="value" />

     </unique>

   </local_variable>

-  <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">

+  <ind:variable_object id="var_object_symlink_{{{ rule_id }}}" comment="combine the blank string with symlink paths found" version="1">

     <set>

-      <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>var_obj_symlink_{{{ rule_id }}}</object_reference>

+      <object_reference>var_obj_blank_{{{ rule_id }}}</object_reference>

     </set>

   </ind:variable_object>

-  <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">

-    <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>

+  <ind:variable_object id="var_obj_blank_{{{ rule_id }}}" comment="variable object of the blank string" version="1">

+    <ind:var_ref>local_var_blank_path_{{{ rule_id }}}</ind:var_ref>

   </ind:variable_object>

-  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ rule_id }}}" version="1">

     <literal_component datatype="string"></literal_component>

   </local_variable>

-  <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">

-    <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>

+  <ind:variable_object id="var_obj_symlink_{{{ rule_id }}}" comment="variable object of the symlinks found" version="1">

+    <ind:var_ref>local_var_symlinks_{{{ rule_id }}}</ind:var_ref>

   </ind:variable_object>

-  

+  

-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ rule_id }}}" version="1">

     <unique>

-      <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />

+      <object_component object_ref="object_{{{ rule_id }}}_symlinks" item_field="filepath" />

     </unique>

   </local_variable>

        Workaround by querying for all conf files found -->

-  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">

-    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />

-    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>

+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ rule_id }}}_symlinks" version="1">

+    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ rule_id }}}" />

+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ rule_id }}}</filter>

   </unix:symlink_object>

@@ -228,59 +228,59 @@

        ^/etc/sysctl.d/.*$

        ^/run/sysctl.d/.*$

        ^/usr/lib/sysctl.d/.*$ -->

-  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">

+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ rule_id }}}" version="1">

     <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>

   </unix:symlink_state>

 {{% endif %}}

-  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">

-    <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />

+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">

+    <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />

   </local_variable>

        variable to have no value even when there are valid objects. -->

-  <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">

     <set>

-      <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>

+      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">

     <set>

-      <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>

+      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">

     <set>

-      <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-      <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>

 {{% endif %}}

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">

     <ind:filepath>/etc/sysctl.conf</ind:filepath>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/etc/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/run/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/usr/lib/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

@@ -288,15 +288,15 @@

 {{% endif %}}

 {{% if SYSCTLVAL == "" %}}

-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">

-    

+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">

+    

                        datatype="{{{ DATATYPE }}}" />

   </ind:textfilecontent54_state>

-  

+  

                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>

 {{% else %}}

-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">

 {{% if OPERATION == "pattern match" %}}

     <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>

 {{% else %}}

From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Jul 2022 10:16:45 +0200

Subject: [PATCH 03/23] Use a list of values in sysctl template

This patch adds an ability to use a list of values instead of a single

value in the sysctlval parameter of the sysctl template.  This is useful

for situations when we want to create a rule that passes for multiple

different sysctl values.  This commit modifies the OVAL for the runtime

configuration.  The runtime configuration will be allowed to be any of

the values in the list.  There is an OR relation between the values.  In

fact, this is a first step to enable multiple values in the sysctlval

parameter in the sysctl template, because we will also need to check the

static configuration, which is not done in this commit.

---

 shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++

 shared/templates/sysctl/template.py   | 24 ++++++++++++--------

 2 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template

index 52671c06402..b73ccc94f72 100644

--- a/shared/templates/sysctl/oval.template

+++ b/shared/templates/sysctl/oval.template

@@ -1,5 +1,7 @@

 {{%- if SYSCTLVAL == "" %}}

 {{%- set COMMENT_VALUE="the appropriate value" %}}

+{{%- elif SYSCTLVAL is sequence %}}

+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}

 {{%- else %}}

 {{%- set COMMENT_VALUE=SYSCTLVAL %}}

 {{%- endif %}}

@@ -60,21 +62,43 @@

 <def-group>

   <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}

+{{% if SYSCTLVAL is string %}}

     <criteria operator="AND">

                  test_ref="test_{{{ rule_id }}}_runtime"/>

     </criteria>

+{{% elif SYSCTLVAL is sequence %}}

+    <criteria operator="OR">

+{{% for x in SYSCTLVAL %}}

+      

+                 test_ref="test_{{{ rule_id }}}_runtime_{{{ x }}}"/>

+{{% endfor %}}

+    </criteria>

+{{% endif %}}

   </definition>

+

+{{% if SYSCTLVAL is string %}}

                     comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"

                     check="all" check_existence="all_exist">

     <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>

     <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>

   </unix:sysctl_test>

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+  

+                    comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ x }}}"

+                    check="all" check_existence="all_exist">

+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>

+    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />

+  </unix:sysctl_test>

+{{% endfor %}}

+{{% endif %}}

   <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">

     <unix:name>{{{ SYSCTLVAR }}}</unix:name>

   </unix:sysctl_object>

+{{% if SYSCTLVAL is string %}}

 {{% if SYSCTLVAL == "" %}}

   <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">

@@ -94,6 +118,14 @@

 {{% endif %}}

   </unix:sysctl_state>

 {{%- endif %}}

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">

+    

+                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>

+  </unix:sysctl_state>

+{{% endfor %}}

+{{% endif %}}

 </def-group>

 {{%- endif -%}}

diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py

index fa981a9dce9..c62591357c0 100644

--- a/shared/templates/sysctl/template.py

+++ b/shared/templates/sysctl/template.py

@@ -12,6 +12,13 @@ def preprocess(data, lang):

     if "operation" not in data:

         data["operation"] = "equals"

+    if data["datatype"] not in ["string", "int"]:

+        raise ValueError(

+            "Test scenarios for data type '{0}' are not implemented yet.\n"

+            "Please check if rule '{1}' has correct data type and edit "

+            "{2} to add tests for it.".format(

+                data["datatype"], data["_rule_id"], __file__))

+

     # Configure data for test scenarios

     if data["sysctlval"] == "":

         if data["datatype"] == "int":

@@ -20,20 +27,19 @@ def preprocess(data, lang):

         elif data["datatype"] == "string":

             data["sysctl_correct_value"] = "correct_value"

             data["sysctl_wrong_value"] = "wrong_value"

-        else:

+    elif isinstance(data["sysctlval"], list):

+        if len(data["sysctlval"]) == 0:

             raise ValueError(

-                "Test scenarios for data type '{0}' are not implemented yet.\n"

-                "Please check if rule '{1}' has correct data type and edit "

-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))

+                "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"]))

+        data["sysctl_correct_value"] = data["sysctlval"][0]

+        if data["datatype"] == "int":

+            data["sysctl_wrong_value"] = "1" + data["sysctlval"][0]

+        elif data["datatype"] == "string":

+            data["sysctl_wrong_value"] = "wrong_value"

     else:

         data["sysctl_correct_value"] = data["sysctlval"]

         if data["datatype"] == "int":

             data["sysctl_wrong_value"] = "1" + data["sysctlval"]

         elif data["datatype"] == "string":

             data["sysctl_wrong_value"] = "wrong_value"

-        else:

-            raise ValueError(

-                "Test scenarios for data type '{0}' are not implemented yet.\n"

-                "Please check if rule '{1}' has correct data type and edit "

-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))

     return data

From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Jul 2022 10:47:51 +0200

Subject: [PATCH 04/23] Move check unrelated to the test scenarios

The check for an mepty list is unrelated to the test scenarios,

rather is a generic check to avoid problems during the build.

Therefore, it shouldn't be inside code block that is handling

data for test scenarios, but can be extracted to a sooner position.

---

 shared/templates/sysctl/template.py | 9 +++++----

 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py

index c62591357c0..421e42c6ca1 100644

--- a/shared/templates/sysctl/template.py

+++ b/shared/templates/sysctl/template.py

@@ -11,7 +11,12 @@ def preprocess(data, lang):

     data["flags"] = "SR" + ipv6_flag

     if "operation" not in data:

         data["operation"] = "equals"

+    if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0:

+        raise ValueError(

+            "The sysctlval parameter of {0} is an empty list".format(

+                data["_rule_id"]))

+    # Configure data for test scenarios

     if data["datatype"] not in ["string", "int"]:

         raise ValueError(

             "Test scenarios for data type '{0}' are not implemented yet.\n"

@@ -19,7 +24,6 @@ def preprocess(data, lang):

             "{2} to add tests for it.".format(

                 data["datatype"], data["_rule_id"], __file__))

-    # Configure data for test scenarios

     if data["sysctlval"] == "":

         if data["datatype"] == "int":

             data["sysctl_correct_value"] = "0"

@@ -28,9 +32,6 @@ def preprocess(data, lang):

             data["sysctl_correct_value"] = "correct_value"

             data["sysctl_wrong_value"] = "wrong_value"

     elif isinstance(data["sysctlval"], list):

-        if len(data["sysctlval"]) == 0:

-            raise ValueError(

-                "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"]))

         data["sysctl_correct_value"] = data["sysctlval"][0]

         if data["datatype"] == "int":

             data["sysctl_wrong_value"] = "1" + data["sysctlval"][0]

From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 13 Jul 2022 11:57:50 +0200

Subject: [PATCH 05/23] Allow multiple values in sysctl static configuration

This extends the OVAL checks for sysctl static configuration

to enable a list of values instead of a single value in the

sysctlval parameter of the sysctl template. The template

will generate OVAL tests for each value in the sysctlval

list.

---

 shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++

 1 file changed, 56 insertions(+)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template

index b73ccc94f72..4e1bf3cfce3 100644

--- a/shared/templates/sysctl/oval.template

+++ b/shared/templates/sysctl/oval.template

@@ -136,6 +136,7 @@

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}

     <criteria operator="AND">

       <criteria operator="OR">

+{{% if SYSCTLVAL is string %}}

                    test_ref="test_{{{ rule_id }}}_static"/>

@@ -146,6 +147,21 @@

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

                    test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>

+{{% endif %}}

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+        

+                   test_ref="test_{{{ rule_id }}}_static_{{{ x }}}"/>

+        

+        

+                   test_ref="test_{{{ rule_id }}}_static_{{{ x }}}_etc_sysctld"/>

+        

+                   test_ref="test_{{{ rule_id }}}_static_{{{ x }}}_run_sysctld"/>

+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

+        

+                   test_ref="test_{{{ rule_id }}}_static_{{{ x }}}_usr_lib_sysctld"/>

+{{% endif %}}

+{{% endfor %}}

 {{% endif %}}

       </criteria>

 {{% if target_oval_version >= [5, 11] %}}

@@ -154,6 +170,7 @@

     </criteria>

   </definition>

+{{% if SYSCTLVAL is string %}}

                               check="all" check_existence="all_exist"

                               comment="{{{ SYSCTLVAR }}} static configuration">

@@ -177,6 +194,37 @@

     {{{ state_static_sysctld("usr_lib_sysctld") }}}

   </ind:textfilecontent54_test>

 {{% endif %}}

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+  

+                              check="all" check_existence="all_exist"

+                              comment="{{{ SYSCTLVAR }}} static configuration">

+    <ind:object object_ref="object_static_sysctl_{{{ rule_id }}}"/>

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}"/>

+  </ind:textfilecontent54_test>

+

+  

+                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">

+    <ind:object object_ref="object_static_etc_sysctld_{{{ rule_id }}}"/>

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}"/>

+  </ind:textfilecontent54_test>

+

+  

+                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">

+    <ind:object object_ref="object_static_run_sysctld_{{{ rule_id }}}"/>

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}"/>

+  </ind:textfilecontent54_test>

+

+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

+  

+                          check="all"

+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">

+    <ind:object object_ref="object_static_usr_lib_sysctld_{{{ rule_id }}}"/>

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}"/>

+  </ind:textfilecontent54_test>

+{{% endif %}}

+{{% endfor %}}

+{{% endif %}}

 {{% if target_oval_version >= [5, 11] %}}

@@ -318,6 +366,7 @@

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

 {{% endif %}}

+{{% if SYSCTLVAL is string %}}

 {{% if SYSCTLVAL == "" %}}

   <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">

@@ -336,5 +385,12 @@

 {{% endif %}}

   </ind:textfilecontent54_state>

 {{% endif %}}

+{{% elif SYSCTLVAL is sequence %}}