Don't scan dir with preconfigured sysctls #8718

Conversation

@yuumasato yuumasato commented May 5, 2022

Description:

  • Do not scan /usr/lib/sysctl.d when checking for sysctl options.
    • The option will be configured in /etc/sysctl.conf and the system will be compliant.
  • The sysctl remediations now fix files in /etc/sysctl.d/ and /run/sysctl.d/.

Rationale:

With the introduction of checks for options defined in multiple files
the pre-configured sysctls became prominent and started to cause rules
to fail.

In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in which these options are defined are not
meant to be edited; these options should be overridden by options in
dirs of higher priority, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule rpm_verify_hashes,
as these files are not RPM config files.

As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.

The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured one
and /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.

  • Fixes error results in RHEL for sysctl options that are pre-configured, like:
    • sysctl_kernel_yama_ptrace_scope
    • sysctl_kernel_core_pattern

Xeicker commented May 5, 2022

I was reviewing the latest OL STIG update and noticed that DISA requires checking the sysctl options in:

  • /etc/sysctl.d/*.conf
  • /run/sysctl.d/*.conf
  • /usr/local/lib/sysctl.d/*.conf
  • /usr/lib/sysctl.d/*.conf
  • /lib/sysctl.d/*.conf
  • /etc/sysctl.conf

This is the same for RHEL.
I see here you are removing the /usr/lib/sysctl.d/*.conf. So I wanted to confirm if this logic also applies to

  • /usr/local/lib/sysctl.d/*.conf
  • /lib/sysctl.d/*.conf

@yuumasato yuumasato requested a review from ggbecker May 6, 2022 07:46
yuumasato commented May 6, 2022

This is the same for RHEL. I see here you are removing the /usr/lib/sysctl.d/*.conf. So I wanted to confirm if this logic also applies to

* /usr/local/lib/sysctl.d/*.conf

* /lib/sysctl.d/*.conf

This logic can apply to any directory where the distro ships sysctl configuration options.
In case of RHEL /lib/ is a symlink to /usr/lib/, and /usr/local/lib/sysctl.d/ doesn't exist by default.

@yuumasato yuumasato requested a review from Mab879 May 6, 2022 08:14
yuumasato (Member Author) commented
@Xeicker Should I make the same changes for OL too?

Xeicker commented May 6, 2022

@Xeicker Should I make the same changes for OL too?

Yes please.

Xeicker commented May 6, 2022

Also, because of the OVAL criterion
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
the remediation won't fix a scenario where the sysctl option is set in a /run/sysctl.d/*.conf file, since both bash and ansible only comment out the occurrences in /etc/sysctl.d/*.conf.

The config files in this directory should not be edited,
they should be overwritten by settings in /etc/sysctl.d and
/etc/sysctl.conf
Also comment out sysctl config files in /run/sysctl.d.
@yuumasato yuumasato force-pushed the dont_check_preconfigured_sysctls_just_override_them branch from 2a70b26 to 66020fc Compare May 10, 2022 13:41
yuumasato (Member Author) commented
The remediation won't fix a scenario where the sysctl option is set in a /run/sysctl.d/*.conf file. Since both bash and ansible only comment out the occurrences in /etc/sysctl.d/*.conf

@Xeicker Do you know of examples of sysctl config files in /run/sysctl.d/? Who uses it, and how?

Although FHS states that /run/ should contain information describing the system [0], it seems sysctl uses /run/sysctl.d to configure the system [1]. So I'm not sure if we should actually be checking and changing files in /run/sysctl.d.
Regardless, I added /run/sysctl.d/ to the paths the remediation will modify. In RHEL it is empty, so there should not be any negative effect on the rules.

[0] https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
[1] https://www.freedesktop.org/software/systemd/man/sysctl.d.html#
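
The precedence and check logic argued over in this thread (the PR description's claim that /etc/sysctl.conf wins over a pre-configured /usr/lib/sysctl.d file, the "defined in only one file" OVAL criterion, and the /run/sysctl.d question above), modelled as an added shell example. This is my illustration, not code from ComplianceAsCode or from this PR. It assumes the directory order listed earlier in the thread, the sysctl.d(5) rule that a file name in a higher-priority directory masks the same name further down, and that /etc/sysctl.conf is applied last; `ROOT` is a hypothetical prefix so the functions run against a constructed tree, and the fixture files and their contents are constructed for the example rather than copied from a real host.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode or PR code. Resolves which file wins for a
# sysctl key, counts the definitions the compliance check sees once package-owned
# directories are skipped, and remediates the way the PR's bash fix does.
# ROOT is a hypothetical prefix (set it empty to inspect the live system).
ROOT="${ROOT:-}"

# Highest priority first. A file name present in an earlier directory masks the
# same name in later ones (sysctl.d(5) behaviour, assumed); surviving files apply
# in sorted name order, later files overriding earlier ones.
SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"
# Directories a remediation may rewrite. /usr/lib and /lib are package-owned:
# editing them trips rpm_verify_hashes, so the check ignores them too.
EDITABLE_DIRS="/etc/sysctl.d /run/sysctl.d"

# Files in the order their settings take effect, /etc/sysctl.conf last.
sysctl_files() {
    local seen=" " d f
    for d in $SYSCTL_DIRS; do
        for f in "$ROOT$d"/*.conf; do
            [ -f "$f" ] || continue                              # empty glob guard
            case "$seen" in *" ${f##*/} "*) continue ;; esac     # masked by earlier dir
            seen="$seen${f##*/} "
            printf '%s\t%s\n' "${f##*/}" "$f"                    # sort on file name only
        done
    done | sort | cut -f2
    [ -f "$ROOT/etc/sysctl.conf" ] && printf '%s\n' "$ROOT/etc/sysctl.conf"
    return 0
}

# "file<TAB>value" for every active (uncommented) assignment of KEY, in effect
# order; the last line is what the kernel ends up with. Dotted key form only.
sysctl_definitions() {
    local key_re f line
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sysctl_files | while IFS= read -r f; do
        grep -E "^[[:space:]]*$key_re[[:space:]]*=" "$f" |
            sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' |
            while IFS= read -r line; do printf '%s\t%s\n' "$f" "$line"; done
    done
}

# Effective value of KEY, or empty when nothing sets it.
sysctl_effective() { sysctl_definitions "$1" | tail -n 1 | cut -f2; }

# Files the check scans that define KEY: editable directories plus
# /etc/sysctl.conf. Package-owned definitions are deliberately not counted.
sysctl_checked_files() {
    local d f
    sysctl_definitions "$1" | cut -f1 | while IFS= read -r f; do
        case "$f" in "$ROOT"/etc/sysctl.conf) printf '%s\n' "$f"; continue ;; esac
        for d in $EDITABLE_DIRS; do
            case "$f" in "$ROOT$d"/*) printf '%s\n' "$f" ;; esac
        done
    done | sort -u
}

# Mirrors the OVAL logic: exactly one checked file defines KEY and the
# effective value equals EXPECTED.
sysctl_check() {
    [ "$(sysctl_checked_files "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
    [ "$(sysctl_effective "$1")" = "$2" ]
}

# Like the PR's bash fix: comment out active definitions under the editable
# directories, drop any old line from /etc/sysctl.conf, append KEY = VALUE.
sysctl_remediate() {
    local key_re d f conf="$ROOT/etc/sysctl.conf"
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    for d in $EDITABLE_DIRS; do
        for f in "$ROOT$d"/*.conf; do
            [ -f "$f" ] || continue
            sed -i.bak "s/^\([[:space:]]*$key_re[[:space:]]*=.*\)$/# \1/" "$f" && rm -f "$f.bak"
        done
    done
    [ -f "$conf" ] && sed -i.bak "/^[[:space:]]*$key_re[[:space:]]*=/d" "$conf" && rm -f "$conf.bak"
    printf '%s = %s\n' "$1" "$2" >> "$conf"
}

# Constructed fixture (not captured from a real host): the shape that made
# sysctl_kernel_yama_ptrace_scope error out, a key only the package sets, and a
# /run/sysctl.d file masking the package file of the same name.
build_fixture() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/run/sysctl.d" "$ROOT/usr/lib/sysctl.d"
    printf '%s\n' 'kernel.yama.ptrace_scope = 0' > "$ROOT/usr/lib/sysctl.d/10-default-yama-scope.conf"
    printf '%s\n' 'kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h' > "$ROOT/usr/lib/sysctl.d/50-coredump.conf"
    printf '%s\n' 'fs.protected_symlinks = 1' > "$ROOT/usr/lib/sysctl.d/50-default.conf"
    printf '%s\n' 'kernel.core_pattern = core' > "$ROOT/run/sysctl.d/50-coredump.conf"
    printf '%s\n' '# local tweak' 'kernel.yama.ptrace_scope = 1' > "$ROOT/etc/sysctl.d/50-local.conf"
    printf '%s\n' 'kernel.yama.ptrace_scope = 1' > "$ROOT/etc/sysctl.conf"
}

# Stand-alone demo: before and after remediating kernel.yama.ptrace_scope.
demo() {
    build_fixture
    printf 'before: effective=%s checked_files=%s\n' \
        "$(sysctl_effective kernel.yama.ptrace_scope)" \
        "$(sysctl_checked_files kernel.yama.ptrace_scope | wc -l | tr -d ' ')"
    sysctl_remediate kernel.yama.ptrace_scope 1
    if sysctl_check kernel.yama.ptrace_scope 1; then echo "after: pass"; else echo "after: fail"; fi
    rm -rf "$ROOT"
}
demo
```

On the fixture, `kernel.yama.ptrace_scope` is effective as `1` before remediation but the check fails because two checked files define it; after `sysctl_remediate` the /etc/sysctl.d copy is commented out, the /usr/lib file is untouched, and the check passes. `fs.protected_symlinks` shows the other case from the description: the key ends up defined in both the package file and /etc/sysctl.conf, and the latter is the one in effect. `kernel.core_pattern` shows why a file in /run/sysctl.d matters: it masks the package file of the same name entirely, so the package value never appears in the resolution at all.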

github-actions bot commented
This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do
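Review bot: the comment above the loop still says "from /etc/sysctl.d/*.conf files" although the new `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do` also walks /run/sysctl.d; update the comment so the generated script documents what it rewrites. The added glob is also unguarded: the discussion says /run/sysctl.d is empty on RHEL, and with nullglob unset an empty directory leaves the literal `/run/sysctl.d/*.conf` in `$f`, so the unquoted `grep -P '...' $f` runs against a non-existent path and prints a "No such file or directory" error on every run. A `[ -f "$f" ] || continue` at the top of the loop body (and quoting `"$f"`) avoids that. The same two points apply to every identical bash hunk further down.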

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.disable_ipv6.*$
 patterns: '*.conf'
 register: find_sysctl_d
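Review bot: the task name `- name: List /etc/sysctl.d/*.conf files` is now misleading because `paths:` lists `/run/sysctl.d/` as well; rename it (for example "List sysctl.d *.conf files") so playbook output reflects what is searched. It is also worth confirming in the PR that the `find` module tolerates a missing or empty /run/sysctl.d/ (the thread says it is empty on RHEL) rather than failing the task, since the module is now pointed at it unconditionally. Same remark for the identical ansible hunks below.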

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do
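Review bot: the pattern in `grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$'` only rejects lines whose first character is `#`, so an indented comment such as `  # net.ipv6.conf.default.disable_ipv6 = 0` is treated as an active setting and gets commented out again on every run, and the leading `.*` accepts the key anywhere on the line, including inside a value or a trailing comment. Now that this loop also rewrites files under /run/sysctl.d, a tighter match such as `^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=` (dots escaped, key anchored at the start) would be safer and would match what the ansible variant already does.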

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.disable_ipv6.*$
 patterns: '*.conf'
 register: find_sysctl_d
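Review bot: the `contains: ^[\s]*net.ipv6.conf.default.disable_ipv6.*$` regex here anchors the key at the start of the line, while the bash variant of the same rule uses `^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$` and accepts it anywhere on a non-`#` line, so the two remediations can select different files from the same /etc/sysctl.d/ and /run/sysctl.d/ trees. Since both come out of one template, consider generating a single escaped pattern for both so their behaviour stays in step; the `[\s]` brackets are also redundant and `\s*` reads more clearly.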

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_ra.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.accept_source_route.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.autoconf.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.forwarding.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.max_addresses.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.all.router_solicitations.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_ra.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.accept_source_route.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.autoconf.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.max_addresses.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv6.conf.default.router_solicitations.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_local.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.accept_local.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.arp_filter.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.arp_ignore.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.log_martians.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.route_localnet.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.shared_media.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.accept_source_route.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.log_martians.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.shared_media.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.ip_local_port_range.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.tcp_invalid_ratelimit.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.tcp_rfc1337.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.tcp_syncookies.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.ipv4.ip_forward.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*fs.protected_hardlinks.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*fs.protected_symlinks.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.core_pattern.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.dmesg_restrict.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.kexec_load_disabled.*$
 patterns: '*.conf'
 register: find_sysctl_d

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.modules_disabled.*$
 patterns: '*.conf'
 register: find_sysctl_d
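Review bot: This rule shows only an ansible hunk, whereas every other sysctl rule in this diff has a matching bash hunk that adds `/run/sysctl.d/*.conf` to the remediation loop; please confirm whether the bash remediation for `sysctl_kernel_modules_disabled` is generated from a different template that already covers `/run/sysctl.d/`, or whether it was missed, so that the two remediation types stay consistent for this rule.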

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.panic_on_oops.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.perf_cpu_time_max_percent.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.perf_event_max_sample_rate.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.perf_event_paranoid.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.pid_max.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.sysrq.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.unprivileged_bpf_disabled.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*kernel.yama.ptrace_scope.*$
 patterns: '*.conf'
 register: find_sysctl_d

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do
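Review bot: /run is a tmpfs, so commenting out `net.core.bpf_jit_harden` in `/run/sysctl.d/*.conf` only lasts until the next boot, and whatever wrote the file there (a boot-time unit or a provisioning tool) will typically recreate it, so the remediation can regress silently after a reboot. That is acceptable if the intent is only to remove a conflicting override for the current boot, but it should be stated in the template documentation this PR touches. As with the other bash remediations in this diff, the loop also needs a `[ -f "$f" ] || continue` guard and a quoted `"$f"`, and the comment above the loop still names only `/etc/sysctl.d/*.conf files`.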

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files
 find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
 contains: ^[\s]*net.core.bpf_jit_harden.*$
 patterns: '*.conf'
 register: find_sysctl_d
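Review bot: the task name still says `List /etc/sysctl.d/*.conf files` while `paths:` now includes `/run/sysctl.d/` too; every generated sysctl playbook will carry this stale name, so it is worth fixing in the template rather than per rule. The `contains` regex `^[\s]*net.core.bpf_jit_harden.*$` would also be safer with the dots escaped.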

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 # Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
 matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq )
 if ! test -z "$matching_list"; then
 while IFS= read -r entry; do
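Review bot: the dots in `user.max_user_namespaces` are unescaped in `grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f`, so they match any character; since the pattern is built from the key name by the template, escaping it there (e.g. `user\.max_user_namespaces`) keeps keys with similar names from being commented out together. The loop also needs the same `[ -f "$f" ] || continue` guard for the new `/run/sysctl.d/*.conf` glob and a quoted `"$f"`, and the comment line above it still says `/etc/sysctl.d/*.conf files` only.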

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
 - name: List /etc/sysctl.d/*.conf files

... The diff is trimmed here ...

@Xeicker
Contributor

Xeicker commented May 10, 2022

Do you know of examples of sysctl config files in /run/sysctl.d/? Who uses it, and how?

Not really, I just saw that sysctl uses that directory for configuration, and DISA requires checking it. So I thought that there could be that scenario which ansible or bash wouldn't fix.

@yuumasato yuumasato changed the title Don't scan dir with preconfigured sysctls in RHEL Don't scan dir with preconfigured sysctls May 16, 2022
@yuumasato yuumasato added this to the 0.1.62 milestone May 16, 2022
@yuumasato yuumasato added the bugfix Fixes to reported bugs. label May 16, 2022
@vojtapolasek vojtapolasek self-assigned this May 16, 2022
Collaborator

@vojtapolasek vojtapolasek left a comment


Looks good, I tested it in VM because sysctl seems to be problematic in containers. Tests pass and changes look sane.
Just small changes to documentation are needed.

docs/templates/template_reference.md (review comment, outdated, resolved)
docs/templates/template_reference.md (review comment, outdated, resolved)
docs/templates/template_reference.md (review comment, outdated, resolved)
docs/templates/template_reference.md (review comment, outdated, resolved)
Typo sysct.d -> sysctl.d
And both OL and RHEL skip checking sysctl options in /usr/lib/sysctl.d

Co-authored-by: vojtapolasek <krecoun@gmail.com>
@codeclimate

codeclimate bot commented May 16, 2022

Analysis results are not available for those commits

View more on Code Climate.

@openshift-ci

openshift-ci bot commented May 16, 2022

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-e8 9cdc4fe link true /test e2e-aws-rhcos4-e8
ci/prow/e2e-aws-rhcos4-high 9cdc4fe link true /test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate 9cdc4fe link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-ocp4-pci-dss-node 9cdc4fe link true /test e2e-aws-ocp4-pci-dss-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Collaborator

@vojtapolasek vojtapolasek left a comment


Looks good now, thank you.

@vojtapolasek vojtapolasek merged commit a10c859 into ComplianceAsCode:master May 16, 2022
@yuumasato yuumasato deleted the dont_check_preconfigured_sysctls_just_override_them branch May 16, 2022 17:14
Labels
bugfix Fixes to reported bugs.
3 participants