From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001
From: vojtapolasek <vpolasek@redhat.com>
Date: Tue, 2 Aug 2022 13:21:45 +0200
Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728

Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile
---
 docs/templates/template_reference.md          |  24 +-
 .../rule.yml                                  |  82 +++++++
 .../tests/system_default.pass.sh              |   5 +
 .../tests/test_config.yml                     |   6 +
 .../tests/value_0.fail.sh                     |  11 +
 .../tests/value_1.pass.sh                     |  11 +
 .../tests/value_2.pass.sh                     |  11 +
 ...kernel_unprivileged_bpf_disabled_value.var |  18 ++
 products/rhel9/profiles/ospp.profile          |   4 +-
 .../oval/sysctl_kernel_ipv6_disable.xml       |   4 +-
 shared/references/cce-redhat-avail.txt        |   1 -
 shared/templates/sysctl/ansible.template      |   2 +-
 shared/templates/sysctl/bash.template         |   2 +-
 shared/templates/sysctl/oval.template         | 213 +++++++++++-------
 shared/templates/sysctl/template.py           |  24 +-
 15 files changed, 316 insertions(+), 102 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index a439e3dca9..e73b95450f 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo
 
     -   **datatype** - data type of the sysctl value, eg. `int`.
 
-    -   **sysctlval** - value of the sysctl value, eg. `'1'`. If this
-        parameter is not specified, XCCDF Value is used instead.
+    -   **sysctlval** - value of the sysctl value. This can be either not
+        specified, or an atomic value, eg. `'1'`, or a list of values,
+        eg. `['1','2']`.
+        -   If this parameter is not specified, an XCCDF Value is used instead
+            in OVAL check and remediations. The XCCDF Value should have a file
+            name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`,
+            where the `escaped_sysctlvar` is a value of the **sysctlvar**
+            parameter in which all characters that don't match the `\w` regular
+            expression are replaced by an underscore (`_`).
+        -   If this parameter is set to an atomic value, this atomic value
+            will be used in OVAL check and remediations.
+        -   If this parameter is set to a list of values, the list will be used
+            in the OVAL check, but won't be used in the remediations.
+            All remediations will use an XCCDF value instead.
+
+    -   **wrong_sysctlval_for_testing** - the value that is always wrong. This
+        will be used in templated test scenarios when **sysctlval** is a list.
+
+    -   **missing_parameter_pass** - if set to `true` the check will pass if the
+        setting for the given **sysctlvar** is not present in sysctl
+        configuration files. In other words, the check will pass if the system
+        default isn't overriden by configuration. Default value: `false`.
 
     -   **operation** - operation used for comparison of collected object
         with **sysctlval**. Default value: `equals`.
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
new file mode 100644
index 0000000000..259d1f901c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
@@ -0,0 +1,82 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes'
+
+description: |-
+    To prevent unprivileged processes from using the <code>bpf()</code> syscall
+    the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter must
+    be set to <code>1</code> or <code>2</code>.
+
+    Writing <code>1</code> to this entry will disable unprivileged calls to <code>bpf()</code>; once
+    disabled, calling <code>bpf()</code> without <code>CAP_SYS_ADMIN</code> or <code>CAP_BPF</code> will return <code>-EPERM</code>.
+    Once set to <code>1</code>, this can't be cleared from the running kernel anymore.
+
+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
+
+    Writing <code>2</code> to this entry will also disable unprivileged calls to <code>bpf()</code>,
+    however, an admin can still change this setting later on, if needed, by
+    writing <code>0</code> or <code>1</code> to this entry.
+
+    {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}}
+
+rationale: |-
+    Loading and accessing the packet filters programs and maps using the bpf()
+    syscall has the potential of revealing sensitive information about the kernel state.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-87712-6
+
+references:
+    disa: CCI-000366
+    nist: AC-6,SC-7(10)
+    ospp: FMT_SMF_EXT.1
+    srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
+
+ocil: |-
+    The runtime status of the <code>kernel.unprivileged_bpf_disabled</code>
+    kernel parameter can be queried by running the following command:
+    <pre>$ sysctl kernel.unprivileged_bpf_disabled</pre>
+    The output of the command should indicate either:
+    kernel.unprivileged_bpf_disabled = 1
+    or:
+    kernel.unprivileged_bpf_disabled = 2
+    The output of the command should not indicate:
+    kernel.unprivileged_bpf_disabled = 0
+
+    The preferable way how to assure the runtime compliance is to have
+    correct persistent configuration, and rebooting the system.
+
+    The persistent kernel parameter configuration is performed by specifying the appropriate
+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+    Verify that there is not any existing incorrect configuration by executing the following command:
+    <pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+    The command should not find any assignments other than:
+    kernel.unprivileged_bpf_disabled = 1
+    or:
+    kernel.unprivileged_bpf_disabled = 2
+
+    Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2.
+
+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"
+
+fixtext: |-
+    Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall.
+
+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: kernel.unprivileged_bpf_disabled
+        sysctlval:
+        - '1'
+        - '2'
+        wrong_sysctlval_for_testing: "0"
+        missing_parameter_pass: "true"
+        datatype: int
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
new file mode 100644
index 0000000000..b9776227bd
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
new file mode 100644
index 0000000000..5cf6807405
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
@@ -0,0 +1,6 @@
+deny_templated_scenarios:
+  # this rule uses missing_parameter_pass: true which means the check should pass
+  # if the configuration is missing (or commented out) therefore we disable
+  # line_not_there.fail.sh and comment.fail.sh test scenarios
+  - line_not_there.fail.sh
+  - comment.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
new file mode 100644
index 0000000000..9f19e0140b
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="0"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
new file mode 100644
index 0000000000..e976db594c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="1"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
new file mode 100644
index 0000000000..b1537175eb
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="2"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
new file mode 100644
index 0000000000..b8bf965a25
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: kernel.unprivileged_bpf_disabled
+
+description: |-
+    Prevent unprivileged processes from using the bpf() syscall.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: 2
+    0: "0"
+    1: "1"
+    2: "2"
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index feb96501a9..f27f961a7a 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -74,8 +74,8 @@ selections:
     - sysctl_kernel_yama_ptrace_scope
     - sysctl_kernel_perf_event_paranoid
     - sysctl_user_max_user_namespaces
-    - sysctl_kernel_unprivileged_bpf_disabled
-    - sysctl_net_core_bpf_jit_harden
+    - sysctl_kernel_unprivileged_bpf_disabled_accept_default
+    - sysctl_kernel_unprivileged_bpf_disabled_value=2
     - service_kdump_disabled
 
     ### Audit
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index 1195cea518..f971d28a04 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -19,8 +19,8 @@
     </metadata>
     <criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
       <criteria operator="AND">
-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_static_net_ipv6_conf_all_disable_ipv6" />
-        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" />
+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_static" />
+        <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" />
       </criteria>
     </criteria>
   </definition>
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index fb2f59fd09..a613a152ae 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1443,7 +1443,6 @@ CCE-87708-4
 CCE-87709-2
 CCE-87710-0
 CCE-87711-8
-CCE-87712-6
 CCE-87713-4
 CCE-87714-2
 CCE-87715-9
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index c13bb6637f..edc4d3fb66 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -21,7 +21,7 @@
     replace: '#{{{ SYSCTLVAR }}}'
   loop: "{{ find_sysctl_d.files }}"
 
-{{%- if SYSCTLVAL == "" %}}
+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string  %}}
 - (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
 
 - name: Ensure sysctl {{{ SYSCTLVAR }}} is set
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index d67a59c388..cd3424b022 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
   fi
 done
 
-{{%- if SYSCTLVAL == "" %}}
+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
 {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
 
 #
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 74583dbee1..1a7c4979bb 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -1,12 +1,20 @@
 {{%- if SYSCTLVAL == "" %}}
 {{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- elif SYSCTLVAL is sequence %}}
+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
 {{%- else %}}
 {{%- set COMMENT_VALUE=SYSCTLVAL %}}
 {{%- endif %}}
 
 {{% macro state_static_sysctld(prefix) -%}}
-    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}"/>
-    <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}"/>
+    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
+{{% if SYSCTLVAL is string %}}
+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
 {{%- endmacro -%}}
 {{%- macro sysctl_match() -%}}
 {{%- if SYSCTLVAL == "" -%}}
@@ -20,13 +28,13 @@
 {{%- if "P" in FLAGS -%}}
 
 <def-group>
-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">
+  <definition class="compliance" id="{{{ rule_id }}}" version="3">
     {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
     <criteria operator="AND">
       <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
-                         definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
+                         definition_ref="{{{ rule_id }}}_static"/>
       <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
-                         definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
+                         definition_ref="{{{ rule_id }}}_runtime"/>
     </criteria>
   </definition>
 </def-group>
@@ -34,7 +42,7 @@
 {{%- elif "I" in FLAGS -%}}
 
 <def-group>
-  <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">
+  <definition class="compliance" id="{{{ rule_id }}}" version="4">
     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
     <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
 {{% if product in ["ubuntu1604", "ubuntu1804"] %}}
@@ -46,9 +54,9 @@
 {{% endif %}}
       <criteria operator="AND">
         <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
-                           definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
+                           definition_ref="{{{ rule_id }}}_static"/>
         <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
-                           definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
+                           definition_ref="{{{ rule_id }}}_runtime"/>
       </criteria>
     </criteria>
   </definition>
@@ -58,33 +66,41 @@
 {{%- if "R" in FLAGS -%}}
 
 <def-group>
-  <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
+  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
     <criteria operator="AND">
       <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
-                 test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
+                 test_ref="test_{{{ rule_id }}}_runtime"/>
     </criteria>
   </definition>
-  <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1"
+
+  <unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
                     comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
-                    check="all" check_existence="all_exist">
-    <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}"/>
-    <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}"/>
+                    check="all" check_existence="all_exist" state_operator="OR">
+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
+{{% if SYSCTLVAL is string %}}
+    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
   </unix:sysctl_test>
 
-  <unix:sysctl_object id="object_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
     <unix:name>{{{ SYSCTLVAR }}}</unix:name>
   </unix:sysctl_object>
+{{% if SYSCTLVAL is string %}}
 {{% if SYSCTLVAL == "" %}}
-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
     <unix:value datatype="{{{ DATATYPE }}}" operation="equals"
-                var_ref="sysctl_{{{ SYSCTLID }}}_value"/>
+                var_ref="{{{ rule_id }}}_value"/>
   </unix:sysctl_state>
 
-  <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
+  <external_variable id="{{{ rule_id }}}_value" version="1"
                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
 {{%- else %}}
-  <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
 {{% if OPERATION == "pattern match" %}}
     <unix:value datatype="{{{ DATATYPE }}}"
                 operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
@@ -94,133 +110,156 @@
 {{% endif %}}
   </unix:sysctl_state>
 {{%- endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
+    <unix:value datatype="{{{ DATATYPE }}}"
+                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
+  </unix:sysctl_state>
+{{% endfor %}}
+{{% endif %}}
 </def-group>
 
 {{%- endif -%}}
 {{%- if "S" in FLAGS -%}}
 
 <def-group>
-  <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
+  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+    <criteria operator="OR">
+{{% endif %}}
     <criteria operator="AND">
       <criteria operator="OR">
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
-                   test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
+                   test_ref="test_{{{ rule_id }}}_static"/>
         <!-- see sysctl.d(5) -->
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
-                   test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
+                   test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
-                   test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+                   test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
-                   test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+                   test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
 {{% endif %}}
       </criteria>
 {{% if target_oval_version >= [5, 11] %}}
-      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
 {{% endif %}}
     </criteria>
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+      <criterion comment="Check that {{{ SYSCTLID }}} is not defined in any file" test_ref="test_{{{ rule_id }}}_not_defined" />
+    </criteria>
+{{% endif %}}
   </definition>
 
-  <ind:textfilecontent54_test id="test_static_sysctl_{{{ SYSCTLID }}}" version="1"
-                              check="all" check_existence="all_exist"
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_not_defined" version="1"
+                              check="all" check_existence="none_exist"
                               comment="{{{ SYSCTLVAR }}} static configuration">
+    <ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls" />
+  </ind:textfilecontent54_test>
+{{% endif %}}
+
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static" version="1"
+                              check="all" check_existence="all_exist"
+                              comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
     {{{ state_static_sysctld("sysctl") }}}
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test id="test_static_etc_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_etc_sysctld" version="1" check="all"
+                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
     {{{ state_static_sysctld("etc_sysctld") }}}
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test id="test_static_run_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_run_sysctld" version="1" check="all"
+                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">
     {{{ state_static_sysctld("run_sysctld") }}}
   </ind:textfilecontent54_test>
 
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-  <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_lib_sysctld" version="1"
                           check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
     {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
 {{% endif %}}
 
 {{% if target_oval_version >= [5, 11] %}}
   <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
-  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
-    <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
-    <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+  id="test_{{{ rule_id }}}_defined_in_one_file" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_defined_in_one_file" />
+    <ind:state state_ref="state_{{{ rule_id }}}_defined_in_one_file" />
   </ind:variable_test>
 
-  <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
-    <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
+  <ind:variable_object id="object_{{{ rule_id }}}_defined_in_one_file" version="1">
+    <ind:var_ref>local_var_{{{ rule_id }}}_counter</ind:var_ref>
   </ind:variable_object>
 
-  <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+  <ind:variable_state id="state_{{{ rule_id }}}_defined_in_one_file" version="1">
     <ind:value operation="equals" datatype="int">1</ind:value>
   </ind:variable_state>
 
-  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_{{{ rule_id }}}_counter" version="1">
     <count>
       <unique>
-        <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+        <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls" item_field="filepath" />
       </unique>
     </count>
   </local_variable>
 
-  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls" version="1">
     <set>
-      <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
-      <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
+      <object_reference>object_{{{ rule_id }}}_static_set_sysctls_unfiltered</object_reference>
+      <filter action="exclude">state_{{{ rule_id }}}_filepath_is_symlink</filter>
     </set>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
-    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_filepath_is_symlink" version="1">
+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_{{{ rule_id }}}_safe_symlinks" datatype="string" />
   </ind:textfilecontent54_state>
 
-  <!-- <no simlink handling> -->
+  <!-- <no symlink handling> -->
   <!-- We craft a variable with blank string to combine with the symlink paths found.
        This ultimately avoids referencing a variable with "no values",
        we reference a variable with a blank string -->
-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_{{{ rule_id }}}_safe_symlinks" version="1">
     <unique>
-      <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
+      <object_component object_ref="var_object_symlink_{{{ rule_id }}}" item_field="value" />
     </unique>
   </local_variable>
 
-  <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
+  <ind:variable_object id="var_object_symlink_{{{ rule_id }}}" comment="combine the blank string with symlink paths found" version="1">
     <set>
-      <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>var_obj_symlink_{{{ rule_id }}}</object_reference>
+      <object_reference>var_obj_blank_{{{ rule_id }}}</object_reference>
     </set>
   </ind:variable_object>
 
-  <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
-    <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
+  <ind:variable_object id="var_obj_blank_{{{ rule_id }}}" comment="variable object of the blank string" version="1">
+    <ind:var_ref>local_var_blank_path_{{{ rule_id }}}</ind:var_ref>
   </ind:variable_object>
 
-  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ rule_id }}}" version="1">
     <literal_component datatype="string"></literal_component>
   </local_variable>
 
-  <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
-    <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
+  <ind:variable_object id="var_obj_symlink_{{{ rule_id }}}" comment="variable object of the symlinks found" version="1">
+    <ind:var_ref>local_var_symlinks_{{{ rule_id }}}</ind:var_ref>
   </ind:variable_object>
-  <!-- </no simlink handling> -->
+  <!-- </no symlink handling> -->
 
-  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ rule_id }}}" version="1">
     <unique>
-      <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+      <object_component object_ref="object_{{{ rule_id }}}_symlinks" item_field="filepath" />
     </unique>
   </local_variable>
 
   <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
        Workaround by querying for all conf files found -->
-  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
-    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
-    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ rule_id }}}_symlinks" version="1">
+    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ rule_id }}}" />
+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ rule_id }}}</filter>
   </unix:symlink_object>
 
   <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
@@ -228,75 +267,76 @@
        ^/etc/sysctl.d/.*$
        ^/run/sysctl.d/.*$
        ^/usr/lib/sysctl.d/.*$ -->
-  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ rule_id }}}" version="1">
     <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
   </unix:symlink_state>
 {{% endif %}}
 
-  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
-    <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
+    <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
   </local_variable>
 
   <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
        variable to have no value even when there are valid objects. -->
-  <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
     <set>
-      <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
     </set>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
     <set>
-      <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
-      <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
     </set>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
     <set>
-      <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-      <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>
 {{% endif %}}
     </set>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
     <ind:filepath>/etc/sysctl.conf</ind:filepath>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/etc/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/run/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
 {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/usr/lib/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 {{% endif %}}
+{{% if SYSCTLVAL is string %}}
 {{% if SYSCTLVAL == "" %}}
 
-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
-    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="sysctl_{{{ SYSCTLID }}}_value"
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
                        datatype="{{{ DATATYPE }}}" />
   </ind:textfilecontent54_state>
 
-  <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
+  <external_variable id="{{{ rule_id }}}_value" version="1"
                      comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
 {{% else %}}
-  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
 {{% if OPERATION == "pattern match" %}}
     <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
 {{% else %}}
@@ -304,5 +344,12 @@
 {{% endif %}}
   </ind:textfilecontent54_state>
 {{% endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
+  </ind:textfilecontent54_state>
+{{% endfor %}}
+{{% endif %}}
 </def-group>
 {{%- endif -%}}
diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
index fa981a9dce..9083a6a418 100644
--- a/shared/templates/sysctl/template.py
+++ b/shared/templates/sysctl/template.py
@@ -11,8 +11,19 @@ def preprocess(data, lang):
     data["flags"] = "SR" + ipv6_flag
     if "operation" not in data:
         data["operation"] = "equals"
+    if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0:
+        raise ValueError(
+            "The sysctlval parameter of {0} is an empty list".format(
+                data["_rule_id"]))
 
     # Configure data for test scenarios
+    if data["datatype"] not in ["string", "int"]:
+        raise ValueError(
+            "Test scenarios for data type '{0}' are not implemented yet.\n"
+            "Please check if rule '{1}' has correct data type and edit "
+            "{2} to add tests for it.".format(
+                data["datatype"], data["_rule_id"], __file__))
+
     if data["sysctlval"] == "":
         if data["datatype"] == "int":
             data["sysctl_correct_value"] = "0"
@@ -20,20 +31,13 @@ def preprocess(data, lang):
         elif data["datatype"] == "string":
             data["sysctl_correct_value"] = "correct_value"
             data["sysctl_wrong_value"] = "wrong_value"
-        else:
-            raise ValueError(
-                "Test scenarios for data type '{0}' are not implemented yet.\n"
-                "Please check if rule '{1}' has correct data type and edit "
-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
+    elif isinstance(data["sysctlval"], list):
+        data["sysctl_correct_value"] = data["sysctlval"][0]
+        data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]
     else:
         data["sysctl_correct_value"] = data["sysctlval"]
         if data["datatype"] == "int":
             data["sysctl_wrong_value"] = "1" + data["sysctlval"]
         elif data["datatype"] == "string":
             data["sysctl_wrong_value"] = "wrong_value"
-        else:
-            raise ValueError(
-                "Test scenarios for data type '{0}' are not implemented yet.\n"
-                "Please check if rule '{1}' has correct data type and edit "
-                "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
     return data
-- 
2.37.1