From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001

From: vojtapolasek <vpolasek@redhat.com>

Date: Tue, 2 Aug 2022 13:21:45 +0200

Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728

Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch

Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile

---

 docs/templates/template_reference.md          |  24 +-

 .../rule.yml                                  |  82 +++++++

 .../tests/system_default.pass.sh              |   5 +

 .../tests/test_config.yml                     |   6 +

 .../tests/value_0.fail.sh                     |  11 +

 .../tests/value_1.pass.sh                     |  11 +

 .../tests/value_2.pass.sh                     |  11 +

 ...kernel_unprivileged_bpf_disabled_value.var |  18 ++

 products/rhel9/profiles/ospp.profile          |   4 +-

 .../oval/sysctl_kernel_ipv6_disable.xml       |   4 +-

 shared/references/cce-redhat-avail.txt        |   1 -

 shared/templates/sysctl/ansible.template      |   2 +-

 shared/templates/sysctl/bash.template         |   2 +-

 shared/templates/sysctl/oval.template         | 213 +++++++++++-------

 shared/templates/sysctl/template.py           |  24 +-

 15 files changed, 316 insertions(+), 102 deletions(-)

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh

 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md

index a439e3dca9..e73b95450f 100644

--- a/docs/templates/template_reference.md

+++ b/docs/templates/template_reference.md

@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo

     -   **datatype** - data type of the sysctl value, eg. `int`.

-    -   **sysctlval** - value of the sysctl value, eg. `'1'`. If this

-        parameter is not specified, XCCDF Value is used instead.

+    -   **sysctlval** - value of the sysctl value. This can be either not

+        specified, or an atomic value, eg. `'1'`, or a list of values,

+        eg. `['1','2']`.

+        -   If this parameter is not specified, an XCCDF Value is used instead

+            in OVAL check and remediations. The XCCDF Value should have a file

+            name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`,

+            where the `escaped_sysctlvar` is a value of the **sysctlvar**

+            parameter in which all characters that don't match the `\w` regular

+            expression are replaced by an underscore (`_`).

+        -   If this parameter is set to an atomic value, this atomic value

+            will be used in OVAL check and remediations.

+        -   If this parameter is set to a list of values, the list will be used

+            in the OVAL check, but won't be used in the remediations.

+            All remediations will use an XCCDF value instead.

+

+    -   **wrong_sysctlval_for_testing** - the value that is always wrong. This

+        will be used in templated test scenarios when **sysctlval** is a list.

+

+    -   **missing_parameter_pass** - if set to `true` the check will pass if the

+        setting for the given **sysctlvar** is not present in sysctl

+        configuration files. In other words, the check will pass if the system

+        default isn't overriden by configuration. Default value: `false`.

     -   **operation** - operation used for comparison of collected object

         with **sysctlval**. Default value: `equals`.

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml

new file mode 100644

index 0000000000..259d1f901c

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml

@@ -0,0 +1,82 @@

+documentation_complete: true

+

+prodtype: rhel9

+

+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes'

+

+description: |-

+    To prevent unprivileged processes from using the bpf() syscall

+    the kernel.unprivileged_bpf_disabled kernel parameter must

+    be set to 1 or 2.

+

+    Writing 1 to this entry will disable unprivileged calls to bpf(); once

+    disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM.

+    Once set to 1, this can't be cleared from the running kernel anymore.

+

+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}

+

+    Writing 2 to this entry will also disable unprivileged calls to bpf(),

+    however, an admin can still change this setting later on, if needed, by

+    writing 0 or 1 to this entry.

+

+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}}

+

+rationale: |-

+    Loading and accessing the packet filters programs and maps using the bpf()

+    syscall has the potential of revealing sensitive information about the kernel state.

+

+severity: medium

+

+identifiers:

+    cce@rhel9: CCE-87712-6

+

+references:

+    disa: CCI-000366

+    nist: AC-6,SC-7(10)

+    ospp: FMT_SMF_EXT.1

+    srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227

+

+ocil: |-

+    The runtime status of the kernel.unprivileged_bpf_disabled

+    kernel parameter can be queried by running the following command:

+    
$ sysctl kernel.unprivileged_bpf_disabled

+    The output of the command should indicate either:

+    kernel.unprivileged_bpf_disabled = 1

+    or:

+    kernel.unprivileged_bpf_disabled = 2

+    The output of the command should not indicate:

+    kernel.unprivileged_bpf_disabled = 0

+

+    The preferable way how to assure the runtime compliance is to have

+    correct persistent configuration, and rebooting the system.

+

+    The persistent kernel parameter configuration is performed by specifying the appropriate

+    assignment in any file located in the 
/etc/sysctl.d
 directory.

+    Verify that there is not any existing incorrect configuration by executing the following command:

+    
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d

+    The command should not find any assignments other than:

+    kernel.unprivileged_bpf_disabled = 1

+    or:

+    kernel.unprivileged_bpf_disabled = 2

+

+    Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2.

+

+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"

+

+fixtext: |-

+    Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall.

+

+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'

+

+platform: machine

+

+template:

+    name: sysctl

+    vars:

+        sysctlvar: kernel.unprivileged_bpf_disabled

+        sysctlval:

+        - '1'

+        - '2'

+        wrong_sysctlval_for_testing: "0"

+        missing_parameter_pass: "true"

+        datatype: int

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh

new file mode 100644

index 0000000000..b9776227bd

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 9

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml

new file mode 100644

index 0000000000..5cf6807405

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml

@@ -0,0 +1,6 @@

+deny_templated_scenarios:

+  # this rule uses missing_parameter_pass: true which means the check should pass

+  # if the configuration is missing (or commented out) therefore we disable

+  # line_not_there.fail.sh and comment.fail.sh test scenarios

+  - line_not_there.fail.sh

+  - comment.fail.sh

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh

new file mode 100644

index 0000000000..9f19e0140b

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 9

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf

+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w kernel.unprivileged_bpf_disabled="0"

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh

new file mode 100644

index 0000000000..e976db594c

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 9

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf

+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w kernel.unprivileged_bpf_disabled="1"

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh

new file mode 100644

index 0000000000..b1537175eb

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 9

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf

+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w kernel.unprivileged_bpf_disabled="2"

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

new file mode 100644

index 0000000000..b8bf965a25

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

@@ -0,0 +1,18 @@

+documentation_complete: true

+

+title: kernel.unprivileged_bpf_disabled

+

+description: |-

+    Prevent unprivileged processes from using the bpf() syscall.

+

+type: number

+

+operator: equals

+

+interactive: false

+

+options:

+    default: 2

+    0: "0"

+    1: "1"

+    2: "2"

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile

index feb96501a9..f27f961a7a 100644

--- a/products/rhel9/profiles/ospp.profile

+++ b/products/rhel9/profiles/ospp.profile

@@ -74,8 +74,8 @@ selections:

     - sysctl_kernel_yama_ptrace_scope

     - sysctl_kernel_perf_event_paranoid

     - sysctl_user_max_user_namespaces

-    - sysctl_kernel_unprivileged_bpf_disabled

-    - sysctl_net_core_bpf_jit_harden

+    - sysctl_kernel_unprivileged_bpf_disabled_accept_default

+    - sysctl_kernel_unprivileged_bpf_disabled_value=2

     - service_kdump_disabled

     ### Audit

diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

index 1195cea518..f971d28a04 100644

--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml

@@ -19,8 +19,8 @@

     </metadata>

     <criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">

       <criteria operator="AND">

-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_static_net_ipv6_conf_all_disable_ipv6" />

-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" />

+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_static" />

+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" />

       </criteria>

     </criteria>

   </definition>

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index fb2f59fd09..a613a152ae 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -1443,7 +1443,6 @@ CCE-87708-4

 CCE-87709-2

 CCE-87710-0

 CCE-87711-8

-CCE-87712-6

 CCE-87713-4

 CCE-87714-2

 CCE-87715-9

diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template

index c13bb6637f..edc4d3fb66 100644

--- a/shared/templates/sysctl/ansible.template

+++ b/shared/templates/sysctl/ansible.template

@@ -21,7 +21,7 @@

     replace: '#{{{ SYSCTLVAR }}}'

   loop: "{{ find_sysctl_d.files }}"

-{{%- if SYSCTLVAL == "" %}}

+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string  %}}

 - (xccdf-var sysctl_{{{ SYSCTLID }}}_value)

 - name: Ensure sysctl {{{ SYSCTLVAR }}} is set

diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template

index d67a59c388..cd3424b022 100644

--- a/shared/templates/sysctl/bash.template

+++ b/shared/templates/sysctl/bash.template

@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do

   fi

 done

-{{%- if SYSCTLVAL == "" %}}

+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}

 {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}

 #

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template

index 74583dbee1..1a7c4979bb 100644

--- a/shared/templates/sysctl/oval.template

+++ b/shared/templates/sysctl/oval.template

@@ -1,12 +1,20 @@

 {{%- if SYSCTLVAL == "" %}}

 {{%- set COMMENT_VALUE="the appropriate value" %}}

+{{%- elif SYSCTLVAL is sequence %}}

+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}

 {{%- else %}}

 {{%- set COMMENT_VALUE=SYSCTLVAL %}}

 {{%- endif %}}

 {{% macro state_static_sysctld(prefix) -%}}

-    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}"/>

-    <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}"/>

+    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>

+{{% if SYSCTLVAL is string %}}

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />

+{{% endfor %}}

+{{% endif %}}

 {{%- endmacro -%}}

 {{%- macro sysctl_match() -%}}

 {{%- if SYSCTLVAL == "" -%}}

@@ -20,13 +28,13 @@

 {{%- if "P" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}" version="3">

     {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}

     <criteria operator="AND">

-                         definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>

+                         definition_ref="{{{ rule_id }}}_static"/>

-                         definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>

+                         definition_ref="{{{ rule_id }}}_runtime"/>

     </criteria>

   </definition>

 </def-group>

@@ -34,7 +42,7 @@

 {{%- elif "I" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">

+  <definition class="compliance" id="{{{ rule_id }}}" version="4">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}

     <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">

 {{% if product in ["ubuntu1604", "ubuntu1804"] %}}

@@ -46,9 +54,9 @@

 {{% endif %}}

       <criteria operator="AND">

-                           definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>

+                           definition_ref="{{{ rule_id }}}_static"/>

-                           definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>

+                           definition_ref="{{{ rule_id }}}_runtime"/>

       </criteria>

     </criteria>

   </definition>

@@ -58,33 +66,41 @@

 {{%- if "R" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}

     <criteria operator="AND">

-                 test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>

+                 test_ref="test_{{{ rule_id }}}_runtime"/>

     </criteria>

   </definition>

-  

+

+  

                     comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"

-                    check="all" check_existence="all_exist">

-    <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}"/>

-    <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}"/>

+                    check="all" check_existence="all_exist" state_operator="OR">

+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>

+{{% if SYSCTLVAL is string %}}

+    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />

+{{% endfor %}}

+{{% endif %}}

   </unix:sysctl_test>

-  <unix:sysctl_object id="object_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">

     <unix:name>{{{ SYSCTLVAR }}}</unix:name>

   </unix:sysctl_object>

+{{% if SYSCTLVAL is string %}}

 {{% if SYSCTLVAL == "" %}}

-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">

-                var_ref="sysctl_{{{ SYSCTLID }}}_value"/>

+                var_ref="{{{ rule_id }}}_value"/>

   </unix:sysctl_state>

-  

+  

                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>

 {{%- else %}}

-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">

 {{% if OPERATION == "pattern match" %}}

                 operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>

@@ -94,133 +110,156 @@

 {{% endif %}}

   </unix:sysctl_state>

 {{%- endif %}}

+{{% elif SYSCTLVAL is sequence %}}

+{{% for x in SYSCTLVAL %}}

+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">

+    

+                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>

+  </unix:sysctl_state>

+{{% endfor %}}

+{{% endif %}}

 </def-group>

 {{%- endif -%}}

 {{%- if "S" in FLAGS -%}}

 <def-group>

-  <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">

+  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">

     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}

+{{% if MISSING_PARAMETER_PASS == "true" %}}

+    <criteria operator="OR">

+{{% endif %}}

     <criteria operator="AND">

       <criteria operator="OR">

-                   test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static"/>

-                   test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>

-                   test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-                   test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>

+                   test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>

 {{% endif %}}

       </criteria>

 {{% if target_oval_version >= [5, 11] %}}

-      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

+      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />

 {{% endif %}}

     </criteria>

+{{% if MISSING_PARAMETER_PASS == "true" %}}

+      <criterion comment="Check that {{{ SYSCTLID }}} is not defined in any file" test_ref="test_{{{ rule_id }}}_not_defined" />

+    </criteria>

+{{% endif %}}

   </definition>

-  

-                              check="all" check_existence="all_exist"

+{{% if MISSING_PARAMETER_PASS == "true" %}}

+  

+                              check="all" check_existence="none_exist"

                               comment="{{{ SYSCTLVAR }}} static configuration">

+    <ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls" />

+  </ind:textfilecontent54_test>

+{{% endif %}}

+

+  

+                              check="all" check_existence="all_exist"

+                              comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">

     {{{ state_static_sysctld("sysctl") }}}

   </ind:textfilecontent54_test>

-  

-                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">

+  

+                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">

     {{{ state_static_sysctld("etc_sysctld") }}}

   </ind:textfilecontent54_test>

-  

-                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">

+  

+                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">

     {{{ state_static_sysctld("run_sysctld") }}}

   </ind:textfilecontent54_test>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-  

+  

                           check="all"

-                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">

+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">

     {{{ state_static_sysctld("usr_lib_sysctld") }}}

   </ind:textfilecontent54_test>

 {{% endif %}}

 {{% if target_oval_version >= [5, 11] %}}

-  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

-    <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

-    <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />

+  id="test_{{{ rule_id }}}_defined_in_one_file" version="1">

+    <ind:object object_ref="object_{{{ rule_id }}}_defined_in_one_file" />

+    <ind:state state_ref="state_{{{ rule_id }}}_defined_in_one_file" />

   </ind:variable_test>

-  <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

-    <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>

+  <ind:variable_object id="object_{{{ rule_id }}}_defined_in_one_file" version="1">

+    <ind:var_ref>local_var_{{{ rule_id }}}_counter</ind:var_ref>

   </ind:variable_object>

-  <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">

+  <ind:variable_state id="state_{{{ rule_id }}}_defined_in_one_file" version="1">

     <ind:value operation="equals" datatype="int">1</ind:value>

   </ind:variable_state>

-  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">

+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_{{{ rule_id }}}_counter" version="1">

     <count>

       <unique>

-        <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />

+        <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls" item_field="filepath" />

       </unique>

     </count>

   </local_variable>

-  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls" version="1">

     <set>

-      <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>

-      <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>

+      <object_reference>object_{{{ rule_id }}}_static_set_sysctls_unfiltered</object_reference>

+      <filter action="exclude">state_{{{ rule_id }}}_filepath_is_symlink</filter>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">

-    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />

+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_filepath_is_symlink" version="1">

+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_{{{ rule_id }}}_safe_symlinks" datatype="string" />

   </ind:textfilecontent54_state>

-  

+  

        This ultimately avoids referencing a variable with "no values",

        we reference a variable with a blank string -->

-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_{{{ rule_id }}}_safe_symlinks" version="1">

     <unique>

-      <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />

+      <object_component object_ref="var_object_symlink_{{{ rule_id }}}" item_field="value" />

     </unique>

   </local_variable>

-  <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">

+  <ind:variable_object id="var_object_symlink_{{{ rule_id }}}" comment="combine the blank string with symlink paths found" version="1">

     <set>

-      <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>var_obj_symlink_{{{ rule_id }}}</object_reference>

+      <object_reference>var_obj_blank_{{{ rule_id }}}</object_reference>

     </set>

   </ind:variable_object>

-  <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">

-    <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>

+  <ind:variable_object id="var_obj_blank_{{{ rule_id }}}" comment="variable object of the blank string" version="1">

+    <ind:var_ref>local_var_blank_path_{{{ rule_id }}}</ind:var_ref>

   </ind:variable_object>

-  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ rule_id }}}" version="1">

     <literal_component datatype="string"></literal_component>

   </local_variable>

-  <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">

-    <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>

+  <ind:variable_object id="var_obj_symlink_{{{ rule_id }}}" comment="variable object of the symlinks found" version="1">

+    <ind:var_ref>local_var_symlinks_{{{ rule_id }}}</ind:var_ref>

   </ind:variable_object>

-  

+  

-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">

+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ rule_id }}}" version="1">

     <unique>

-      <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />

+      <object_component object_ref="object_{{{ rule_id }}}_symlinks" item_field="filepath" />

     </unique>

   </local_variable>

        Workaround by querying for all conf files found -->

-  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">

-    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />

-    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>

+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ rule_id }}}_symlinks" version="1">

+    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ rule_id }}}" />

+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ rule_id }}}</filter>

   </unix:symlink_object>

@@ -228,75 +267,76 @@

        ^/etc/sysctl.d/.*$

        ^/run/sysctl.d/.*$

        ^/usr/lib/sysctl.d/.*$ -->

-  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">

+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ rule_id }}}" version="1">

     <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>

   </unix:symlink_state>

 {{% endif %}}

-  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">

-    <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />

+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">

+    <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />

   </local_variable>

        variable to have no value even when there are valid objects. -->

-  <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">

     <set>

-      <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>

+      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">

     <set>

-      <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>

-      <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>

+      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">

     <set>

-      <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-      <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>

+      <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>

 {{% endif %}}

     </set>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">

     <ind:filepath>/etc/sysctl.conf</ind:filepath>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/etc/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/run/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}

-  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">

+  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">

     <ind:path>/usr/lib/sysctl.d</ind:path>

     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

     {{{ sysctl_match() }}}

   </ind:textfilecontent54_object>

 {{% endif %}}