From 49ea644c88772fa1b5b7926c7cf2e9a2f3217657 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Mon, 22 May 2023 16:14:15 -0600
Subject: [PATCH 1/4] Update sysctl template OVAL

There are configurations set by packages in /usr/lib, so it is possible
to find there the expected configuration, but it is not recommended to
modify those files in case of a non compliant configuration. So
modified OVAL to check those files in a way that not touching them
would fix any non compliant scenario.

This means that the rule can pass if the expected conf is included in a
file in /usr/lib. But also if there is a non compliant value there, and
it is overwritten by a configuration in a different file.

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 shared/templates/sysctl/oval.template | 89 ++++++++-------------------
 1 file changed, 26 insertions(+), 63 deletions(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 3fe6de1c185..39bd45ebfab 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -122,81 +122,54 @@
   <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
     {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
 
-{{% if MISSING_PARAMETER_PASS == "true" %}}
     <criteria operator="OR">
-{{% endif %}}
+      <!--  Processing differently files in /usr/lib/sysctl.d/ as they are managed by packages and
+            won't be fixed by remediations, see sysctl.d(5) -->
+      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages"
+                    test_ref="test_{{{ rule_id }}}_static_user" />
       <criteria operator="AND">
-        <criteria operator="AND">
-          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
-                    test_ref="test_{{{ rule_id }}}_static"/>
-          <!-- see sysctl.d(5) -->
-          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
-                    test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>
-          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
-                    test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
-                    test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
-{{% endif %}}
-          <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/local/lib/sysctl.d/*.conf"
-                    test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
-        </criteria>
-        <criterion comment="Check that {{{ SYSCTLID }}} is defined in at least one file" test_ref="test_{{{ rule_id }}}_not_defined"
-                   negate="true"/>
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages"
+                    test_ref="test_{{{ rule_id }}}_static_user_missing" />
+        {{% if MISSING_PARAMETER_PASS == "true" %}}
+          <criterion comment="{{{ "kernel static parameter"  + SYSCTLVAR + " set to " +
+                      COMMENT_VALUE + " or missing in sysctl files managed by packages" }}}"
+                    test_ref="test_{{{ rule_id }}}_static_pkg_not_wrong" />
+        {{% else %}}
+          <criterion comment="{{{ "kernel static parameter " + SYSCTLVAR + " set to " +
+                      COMMENT_VALUE + " in sysctl files managed by packages" }}}"
+                    test_ref="test_{{{ rule_id }}}_static_pkg_correct" />
+        {{% endif %}}
       </criteria>
-{{% if MISSING_PARAMETER_PASS == "true" %}}
-      <criterion comment="Check that {{{ SYSCTLID }}} is not defined in any file" test_ref="test_{{{ rule_id }}}_not_defined" />
     </criteria>
-{{% endif %}}
   </definition>
 
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_not_defined" version="2"
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user_missing" version="1"
                               check="all" check_existence="none_exist"
                               comment="{{{ SYSCTLVAR }}} static configuration">
-    <ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" />
+    <ind:object object_ref="object_static_user_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static" version="2"
-                              check="all" check_existence="any_exist"
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user" version="1"
+                              check="all" check_existence="all_exist"
                               comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
-    {{{ state_static_sysctld("sysctl") }}}
+    {{{ state_static_sysctld("user") }}}
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_etc_sysctld" version="2" check="all"
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_not_wrong" version="2" check="all"
                           check_existence="any_exist"
                           comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-    {{{ state_static_sysctld("etc_sysctld") }}}
+    {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_run_sysctld" version="2" check="all"
-                          check_existence="any_exist"
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_correct" version="2" check="all"
+                          check_existence="all_exist"
                           comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-    {{{ state_static_sysctld("run_sysctld") }}}
-  </ind:textfilecontent54_test>
-
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_lib_sysctld" version="2"
-                          check_existence="any_exist"
-                          check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
     {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
-{{% endif %}}
-
-  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_local_lib_sysctld" version="1"
-                          check_existence="any_exist"
-                          check="all"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
-    {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
-  </ind:textfilecontent54_test>
-
-  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
-    <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
-  </local_variable>
 
   <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
        variable to have no value even when there are valid objects. -->
-  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
+  <ind:textfilecontent54_object id="object_static_user_{{{ rule_id }}}" version="1">
     <set>
       <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
       <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
@@ -213,16 +186,7 @@
   <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
     <set>
       <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
-      <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
-    </set>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
-    <set>
       <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-      <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>
-{{% endif %}}
     </set>
   </ind:textfilecontent54_object>
 
@@ -249,13 +213,12 @@
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/usr/lib/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
-{{% endif %}}
+
 {{% if SYSCTLVAL is string %}}
 {{% if SYSCTLVAL == "" %}}
 

From 584583e910693375aee7bc248cc236ce088a8985 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Tue, 23 May 2023 11:59:57 -0600
Subject: [PATCH 2/4] Add two tests to sysctl template

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../sysctl/tests/correct_value_usr_lib.pass.sh     | 14 ++++++++++++++
 .../sysctl/tests/wrong_usr_lib_correct_etc.pass.sh | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 shared/templates/sysctl/tests/correct_value_usr_lib.pass.sh
 create mode 100644 shared/templates/sysctl/tests/wrong_usr_lib_correct_etc.pass.sh

diff --git a/shared/templates/sysctl/tests/correct_value_usr_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_lib.pass.sh
new file mode 100644
index 00000000000..cf34728f96c
--- /dev/null
+++ b/shared/templates/sysctl/tests/correct_value_usr_lib.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+mkdir -p /usr/lib/sysctl.d
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/lib/sysctl.d/correct.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
diff --git a/shared/templates/sysctl/tests/wrong_usr_lib_correct_etc.pass.sh b/shared/templates/sysctl/tests/wrong_usr_lib_correct_etc.pass.sh
new file mode 100644
index 00000000000..69d60ed5ab7
--- /dev/null
+++ b/shared/templates/sysctl/tests/wrong_usr_lib_correct_etc.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/lib/sysctl.d/01-first.conf
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.d/50-second.conf
+
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"

From 13f96f5bcfc06c7418cacaa87ae97704c061739b Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Mon, 12 Jun 2023 10:39:48 -0600
Subject: [PATCH 3/4] Add fail test to sysctl template

Adding test wrong_usr_lib_wrong_etc.fail.sh, to complement
wrong_usr_lib_correct_etc.pass.sh

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../sysctl/tests/wrong_usr_lib_wrong_etc.fail.sh    | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 shared/templates/sysctl/tests/wrong_usr_lib_wrong_etc.fail.sh

diff --git a/shared/templates/sysctl/tests/wrong_usr_lib_wrong_etc.fail.sh b/shared/templates/sysctl/tests/wrong_usr_lib_wrong_etc.fail.sh
new file mode 100644
index 00000000000..3412c726376
--- /dev/null
+++ b/shared/templates/sysctl/tests/wrong_usr_lib_wrong_etc.fail.sh
@@ -0,0 +1,13 @@
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/lib/sysctl.d/01-first.conf
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.d/50-second.conf
+
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"

From b39c0079012d14ac95e8e3061adedb3959aadcb1 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Mon, 12 Jun 2023 10:50:57 -0600
Subject: [PATCH 4/4] Polish OVAL in sysctl template

- Fix comments in OVAL tests
- Remove OVAL test whith jinja when the criterion is also removed

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 shared/templates/sysctl/oval.template | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 39bd45ebfab..988aee9f59c 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -155,17 +155,21 @@
     {{{ state_static_sysctld("user") }}}
   </ind:textfilecontent54_test>
 
+  {{% if MISSING_PARAMETER_PASS == "true" %}}
   <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_not_wrong" version="2" check="all"
                           check_existence="any_exist"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
     {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
-
+  {{% else %}}
   <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_correct" version="2" check="all"
                           check_existence="all_exist"
-                          comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"
+                          state_operator="OR">
     {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
+  {{% endif %}}
+
 
   <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
        variable to have no value even when there are valid objects. -->