ComplianceAsCode · yuumasato · Apr 4, 2023 · Mar 26, 2023 · Apr 2, 2023 · Apr 2, 2023
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -872,6 +872,10 @@ The selected value can be changed in the profile (consult the actual variable fo
  - **sysctlval_regex** - if **operation** is `pattern match`, this
  parameter is used instead of **sysctlval**.
 
+ In case the **sysctl_remediate_drop_in_file** property is set to true in the product file,
+ the remediation scripts will set the variable with correct value to a drop-in file in
+ `/etc/sysctl.d/var_name.conf` file.
+
 - Languages: Ansible, Bash, OVAL
 
 #### timer_enabled

diff --git a/products/sle12/product.yml b/products/sle12/product.yml
@@ -39,3 +39,5 @@ reference_uris:
  cis: 'https://www.cisecurity.org/benchmark/suse_linux/'
 
 dconf_gdm_dir: "gdm.d"
+
+sysctl_remediate_drop_in_file: "true"
diff --git a/products/sle15/product.yml b/products/sle15/product.yml
@@ -44,3 +44,5 @@ reference_uris:
  cis: 'https://www.cisecurity.org/benchmark/suse_linux/'
 
 dconf_gdm_dir: "gdm.d"
+
+sysctl_remediate_drop_in_file: "true"
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -32,6 +32,14 @@
  replace: '#{{{ SYSCTLVAR }}}'
  loop: "{{ find_sysctl_d.files }}"
 
+{{% if sysctl_remediate_drop_in_file == "true" %}}
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf
+ replace:
+ path: "/etc/sysctl.conf"
+ regexp: '^[\s]*{{{ SYSCTLVAR }}}'
+ replace: '#{{{ SYSCTLVAR }}}'
+{{% endif %}}
+
 {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
 - (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
 
@@ -45,6 +53,11 @@
  name: "{{{ SYSCTLVAR }}}"
  value: "{{{ SYSCTLVAL }}}"
 {{%- endif %}}
+{{% if sysctl_remediate_drop_in_file == "true" %}}
+ sysctl_file: "/etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') }}}.conf"
+{{% else %}}
+ sysctl_file: "/etc/sysctl.conf"
+{{% endif %}}
  state: present
  reload: yes
 
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -22,6 +22,15 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.con
  fi
 done
 
+#
+# Set sysctl config file which to save the desired value
+#
+{{% if sysctl_remediate_drop_in_file == "true" %}}
+SYSCONFIG_FILE='/etc/sysctl.d/{{{ SYSCTLVAR | replace(".","_") }}}.conf'
+{{% else %}}
+SYSCONFIG_FILE="/etc/sysctl.conf"
+{{% endif %}}
+
 {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
 {{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}}
 
@@ -34,7 +43,11 @@ done
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value
 # else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf
 #
-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}}
+{{% if sysctl_remediate_drop_in_file == "true" %}}
+sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
+{{% endif %}}
+{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}}
+
 {{%- else %}}
 
 #
@@ -46,5 +59,8 @@ done
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}"
 # else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf
 #
-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}}
+{{% if sysctl_remediate_drop_in_file == "true" %}}
+sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
+{{% endif %}}
+{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}}
 {{%- endif %}}
diff --git a/ssg/constants.py b/ssg/constants.py
@@ -471,3 +471,4 @@
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
+DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'
diff --git a/ssg/products.py b/ssg/products.py
@@ -98,6 +98,9 @@ def _get_implied_properties(existing_properties):
  if "faillock_path" not in existing_properties:
  result["faillock_path"] = DEFAULT_FAILLOCK_PATH
 
+ if "sysctl_remediate_drop_in_file" not in existing_properties:
+ result["sysctl_remediate_drop_in_file"] = DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE
+
  return result