From 0fc94c38c19cf167faeae5c7ff79702cdbf34ad4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 May 2022 18:27:20 +0200
Subject: [PATCH 1/5] Don't scan dir with preconfigured sysctls in RHEL

With the introduction of checks for options defined in multiple files
the pre-configured sysctls became prominent and started to cause rules
to fail.

In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in witch these options are defined are not
meant to be edited, these options should be overriden by options in
dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule rpm_verify_hashes,
as these files are not RPM config files.

As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.

The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured one
ane /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.
---
 shared/templates/sysctl/oval.template | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index ba4e65cbaef..5de2b76125a 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -111,8 +111,10 @@
                    test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
                    test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
                    test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
       </criteria>
       <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
     </criteria>
@@ -134,11 +136,13 @@
     {{{ state_static_sysctld("run_sysctld") }}}
   </ind:textfilecontent54_test>
 
+{{% if "rhel" not in product %}}
   <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
                           check="all"
                           comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
     {{{ state_static_sysctld("usr_lib_sysctld") }}}
   </ind:textfilecontent54_test>
+{{% endif %}}
 
   <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
   id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
@@ -238,7 +242,9 @@
   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
     <set>
       <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
       <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
     </set>
   </ind:textfilecontent54_object>
 
@@ -259,11 +265,13 @@
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
+{{% if "rhel" not in product %}}
   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
     <ind:path>/usr/lib/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
+{{% endif %}}
 {{% if SYSCTLVAL == "" %}}
 
   <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">

From 149fd27e4b146e093108e36de405cb441e88e5e0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 10:34:51 +0200
Subject: [PATCH 2/5] Document recent changes to sysctl template

---
 docs/templates/template_reference.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index 0ffd838659a..0810e906dc6 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -788,10 +788,20 @@ The selected value can be changed in the profile (consult the actual variable fo
 ```
 
 #### sysctl
--   Checks sysctl parameters. The OVAL definition checks both
+-   Checks sysctl parameters. The OVAL definition checks both static
     configuration and runtime settings and require both of them to be
     set to the desired value to return true.
 
+    The following file and directories are checked for static
+    sysctl configurations:
+    - /etc/sysct.conf
+    - /etc/sysct.d/\*.conf
+    - /run/sysct.d/\*.conf
+    - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+    A sysctl option defined in more than one file within the scanned directories
+    will result in `fail`.
+
 -   Parameters:
 
     -   **sysctlvar** - name of the sysctl value, eg.

From 219d97be8a16b51ff2ad26859c47dbe23f6e47be Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 10 May 2022 14:44:06 +0200
Subject: [PATCH 3/5] Don't scan /usr/lib/sysctl.d/ for conf files

The config files in this directory should not be edited,
they should be overwritten by settings in /etc/sysctl.d and
/etc/sysctl.conf
---
 shared/templates/sysctl/oval.template | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 5de2b76125a..92119460186 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -111,7 +111,7 @@
                    test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
                    test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
-{{% if "rhel" not in product %}}
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
                    test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
 {{% endif %}}
@@ -136,7 +136,7 @@
     {{{ state_static_sysctld("run_sysctld") }}}
   </ind:textfilecontent54_test>
 
-{{% if "rhel" not in product %}}
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
   <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
                           check="all"
                           comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
@@ -242,7 +242,7 @@
   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
     <set>
       <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
-{{% if "rhel" not in product %}}
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
       <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
 {{% endif %}}
     </set>
@@ -265,7 +265,7 @@
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 
-{{% if "rhel" not in product %}}
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
     <ind:path>/usr/lib/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>

From 66020fc753dabff790976d6ace3982f141cc5cb2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 10 May 2022 15:40:28 +0200
Subject: [PATCH 4/5] Sysctl: template Remediate files in /run/sysctl.d

Also comment sysctl config file in /run/sysctl.d.
---
 .../tests/wrong_value_run_sysctl_d.fail.sh               | 9 +++++++++
 shared/templates/sysctl/ansible.template                 | 4 +++-
 shared/templates/sysctl/bash.template                    | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh
new file mode 100644
index 00000000000..d02cf11f072
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /run/sysctl.d/run.conf
+# Setting correct runtime value
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index f525cf873f7..854245ef2a8 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -6,7 +6,9 @@
 
 - name: List /etc/sysctl.d/*.conf files
   find:
-    paths: "/etc/sysctl.d/"
+    paths:
+      - "/etc/sysctl.d/"
+      - "/run/sysctl.d/"
     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
     patterns: "*.conf"
   register: find_sysctl_d
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index d68956f4826..e8a16b78285 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -5,7 +5,7 @@
 # disruption = medium
 
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
   matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do

From 9cdc4fe21bfedcd0899d41c10b7e21653966e97c Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon, 16 May 2022 15:43:10 +0200
Subject: [PATCH 5/5] Fix typo and update docs

Typo sysct.d -> sysctl.d
And both OL and RHEL skip checking sysctl options in /usr/lib/sysctl.d

Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
 docs/templates/template_reference.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index 0810e906dc6..bbd71b34dfa 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -794,10 +794,10 @@ The selected value can be changed in the profile (consult the actual variable fo
 
     The following file and directories are checked for static
     sysctl configurations:
-    - /etc/sysct.conf
-    - /etc/sysct.d/\*.conf
-    - /run/sysct.d/\*.conf
-    - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+    - /etc/sysctl.conf
+    - /etc/sysctl.d/\*.conf
+    - /run/sysctl.d/\*.conf
+    - /usr/lib/sysctl.d/\*.conf (does not apply to RHEL and OL)
 
     A sysctl option defined in more than one file within the scanned directories
     will result in `fail`.