ComplianceAsCode · vojtapolasek · May 16, 2022 · May 5, 2022 · May 6, 2022 · May 10, 2022
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -788,10 +788,20 @@ The selected value can be changed in the profile (consult the actual variable fo
 ```
 
 #### sysctl
-- Checks sysctl parameters. The OVAL definition checks both
+- Checks sysctl parameters. The OVAL definition checks both static
  configuration and runtime settings and require both of them to be
  set to the desired value to return true.
 
+ The following file and directories are checked for static
+ sysctl configurations:
+ - /etc/sysct.conf
+ - /etc/sysct.d/\*.conf
+ - /run/sysct.d/\*.conf
+ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+ A sysctl option defined in more than one file within the scanned directories
+ will result in `fail`.
+
 - Parameters:
 
  - **sysctlvar** - name of the sysctl value, eg.

diff --git a/...s/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh b/...s/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /run/sysctl.d/run.conf
+# Setting correct runtime value
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -6,7 +6,9 @@
 
 - name: List /etc/sysctl.d/*.conf files
  find:
- paths: "/etc/sysctl.d/"
+ paths:
+ - "/etc/sysctl.d/"
+ - "/run/sysctl.d/"
  contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
  patterns: "*.conf"
  register: find_sysctl_d

diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -5,7 +5,7 @@
 # disruption = medium
 
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
  if ! test -z "$matching_list"; then
  while IFS= read -r entry; do

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
@@ -111,8 +111,10 @@
  test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
  <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
  test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
  <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
  test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
  </criteria>
  <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
  </criteria>
@@ -134,11 +136,13 @@
  {{{ state_static_sysctld("run_sysctld") }}}
  </ind:textfilecontent54_test>
 
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
  <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
  check="all"
  comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
  {{{ state_static_sysctld("usr_lib_sysctld") }}}
  </ind:textfilecontent54_test>
+{{% endif %}}
 
  <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
@@ -238,7 +242,9 @@
  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
  <set>
  <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
  <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
  </set>
  </ind:textfilecontent54_object>
 
@@ -259,11 +265,13 @@
  {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>
 
+{{% if product not in [ "ol7", "ol8", "rhel7", "rhel8", "rhel9"] %}}
  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
  <ind:path>/usr/lib/sysctl.d</ind:path>
  <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
  {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>
+{{% endif %}}
 {{% if SYSCTLVAL == "" %}}
 
  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">