Fix dirs in sysctl template for Ubuntu 20.04/22.04

On Ubuntu /lib is symlinked to /usr/lib, thus /lib/sysctl.d contains package-managed configs, which should not be modified and can be incorrect if overriden elsewhere (see #10637).
ComplianceAsCode · Apr 20, 2024 · 86213d8 · 86213d8
1 parent 44b81ca
commit 86213d8
Show file tree

Hide file tree

Showing 4 changed files with 276 additions and 4 deletions.
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -19,7 +19,7 @@
       - "/run/sysctl.d/"
       - "/usr/local/lib/sysctl.d/"
 {{% endif %}}
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15"] %}}
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
       - "/usr/lib/sysctl.d/"
 {{% endif %}}
     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'

diff --git a/shared/templates/sysctl/asd.xml b/shared/templates/sysctl/asd.xml
@@ -0,0 +1,272 @@
+{{%- if SYSCTLVAL == "" %}}
+{{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- elif SYSCTLVAL is string %}}
+{{%- set COMMENT_VALUE=SYSCTLVAL %}}
+{{%- else %}}
+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
+{{%- endif %}}
+
+{{% macro state_static_sysctld(prefix) -%}}
+    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
+{{% if SYSCTLVAL is string %}}
+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
+{{%- endmacro -%}}
+{{%- macro sysctl_match() -%}}
+    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+{{%- endmacro -%}}
+{{%- if "P" in FLAGS -%}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="3">
+    {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else ".")) }}}
+    <criteria operator="AND">
+      <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
+                         definition_ref="{{{ rule_id }}}_static"/>
+{{% if CHECK_RUNTIME == "true" %}}
+      <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
+                         definition_ref="{{{ rule_id }}}_runtime"/>
+{{%- endif %}}
+    </criteria>
+  </definition>
+</def-group>
+
+{{%- elif "I" in FLAGS -%}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="4">
+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else ".")) }}}
+    <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
+{{% if product in ["ubuntu1604", "ubuntu1804"] %}}
+      <extend_definition comment="is IPv6 enabled?"
+                         definition_ref="kernel_module_ipv6_option_disabled"/>
+{{% else %}}
+      <extend_definition comment="is IPv6 enabled?"
+                         definition_ref="sysctl_kernel_ipv6_disable"/>
+{{% endif %}}
+      <criteria operator="AND">
+        <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
+                           definition_ref="{{{ rule_id }}}_static"/>
+{{% if CHECK_RUNTIME == "true" %}}
+        <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
+                           definition_ref="{{{ rule_id }}}_runtime"/>
+{{%- endif %}}
+      </criteria>
+    </criteria>
+  </definition>
+</def-group>
+
+{{%- endif %}}
+{{%- if "R" in FLAGS -%}}
+
+{{% if CHECK_RUNTIME == "true" %}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
+    <criteria operator="AND">
+      <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
+                 test_ref="test_{{{ rule_id }}}_runtime"/>
+    </criteria>
+  </definition>
+
+  <unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
+                    comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
+                    check="all" check_existence="all_exist" state_operator="OR">
+    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
+{{% if SYSCTLVAL is string %}}
+    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
+  </unix:sysctl_test>
+
+  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
+    <unix:name>{{{ SYSCTLVAR }}}</unix:name>
+  </unix:sysctl_object>
+{{% if SYSCTLVAL is string %}}
+{{% if SYSCTLVAL == "" %}}
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
+    <unix:value datatype="{{{ DATATYPE }}}" operation="equals"
+                var_ref="{{{ rule_id }}}_value"/>
+  </unix:sysctl_state>
+
+  <external_variable id="{{{ rule_id }}}_value" version="1"
+                     comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
+{{%- else %}}
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
+{{% if OPERATION == "pattern match" %}}
+    <unix:value datatype="{{{ DATATYPE }}}"
+                operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
+{{% else %}}
+    <unix:value datatype="{{{ DATATYPE }}}"
+                operation="{{{ OPERATION }}}">{{{ SYSCTLVAL }}}</unix:value>
+{{% endif %}}
+  </unix:sysctl_state>
+{{%- endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
+    <unix:value datatype="{{{ DATATYPE }}}"
+                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
+  </unix:sysctl_state>
+{{% endfor %}}
+{{% endif %}}
+</def-group>
+{{% endif %}}
+
+{{%- endif -%}}
+{{%- if "S" in FLAGS -%}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+
+    <criteria operator="OR">
+      <!--  Processing differently files in /usr/lib/sysctl.d/ as they are managed by packages and
+            won't be fixed by remediations, see sysctl.d(5) -->
+      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages"
+                    test_ref="test_{{{ rule_id }}}_static_user" />
+      <criteria operator="AND">
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages"
+                    test_ref="test_{{{ rule_id }}}_static_user_missing" />
+        {{% if MISSING_PARAMETER_PASS == "true" %}}
+          <criterion comment="{{{ "kernel static parameter"  + SYSCTLVAR + " set to " +
+                      COMMENT_VALUE + " or missing in sysctl files managed by packages" }}}"
+                    test_ref="test_{{{ rule_id }}}_static_pkg_not_wrong" />
+        {{% else %}}
+          <criterion comment="{{{ "kernel static parameter " + SYSCTLVAR + " set to " +
+                      COMMENT_VALUE + " in sysctl files managed by packages" }}}"
+                    test_ref="test_{{{ rule_id }}}_static_pkg_correct" />
+        {{% endif %}}
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user_missing" version="1"
+                              check="all" check_existence="none_exist"
+                              comment="{{{ SYSCTLVAR }}} static configuration">
+    <ind:object object_ref="object_static_user_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user" version="1"
+                              check="all" check_existence="all_exist"
+                              comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
+    {{{ state_static_sysctld("user") }}}
+  </ind:textfilecontent54_test>
+
+  {{% if MISSING_PARAMETER_PASS == "true" %}}
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_not_wrong" version="2" check="all"
+                          check_existence="any_exist"
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
+    {{{ state_static_sysctld("usr_lib_sysctld") }}}
+  </ind:textfilecontent54_test>
+  {{% else %}}
+  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_correct" version="2" check="all"
+                          check_existence="all_exist"
+                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"
+                          state_operator="OR">
+    {{{ state_static_sysctld("usr_lib_sysctld") }}}
+  </ind:textfilecontent54_test>
+  {{% endif %}}
+
+  <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+       variable to have no value even when there are valid objects. -->
+  <ind:textfilecontent54_object id="object_static_user_{{{ rule_id }}}" version="1">
+    <set>
+      <object_reference>object_static_etc_lib_sysctls_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_lib_sysctls_{{{ rule_id }}}" version="1">
+    <set>
+      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+      <object_reference>object_static_lib_sysctld_{{{ rule_id }}}</object_reference>
+{{% endif %}}
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
+    <set>
+      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
+    <set>
+      <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
+      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
+    <ind:filepath>/etc/sysctl.conf</ind:filepath>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/etc/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/run/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/usr/local/lib/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/usr/lib/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+  <ind:textfilecontent54_object id="object_static_lib_sysctld_{{{ rule_id }}}" version="1">
+    <ind:path>/lib/sysctl.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    {{{ sysctl_match() }}}
+  </ind:textfilecontent54_object>
+{{% endif %}}
+{{% if SYSCTLVAL is string %}}
+{{% if SYSCTLVAL == "" %}}
+
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
+                       datatype="{{{ DATATYPE }}}" />
+  </ind:textfilecontent54_state>
+
+  <external_variable id="{{{ rule_id }}}_value" version="1"
+                     comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
+{{% else %}}
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+{{% if OPERATION == "pattern match" %}}
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
+{{% else %}}
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL }}}</ind:subexpression>
+{{% endif %}}
+  </ind:textfilecontent54_state>
+{{% endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
+  </ind:textfilecontent54_state>
+{{% endfor %}}
+{{% endif %}}
+</def-group>
+{{%- endif -%}}
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -7,7 +7,7 @@
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
 {{% if product in [ "sle12", "sle15"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
-{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
 {{% else %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
@@ -188,7 +188,7 @@
   <ind:textfilecontent54_object id="object_static_etc_lib_sysctls_{{{ rule_id }}}" version="1">
     <set>
       <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}}
       <object_reference>object_static_lib_sysctld_{{{ rule_id }}}</object_reference>
 {{% endif %}}
     </set>
@@ -235,7 +235,7 @@
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "ubuntu2004", "ubuntu2204"] %}}
   <ind:textfilecontent54_object id="object_static_lib_sysctld_{{{ rule_id }}}" version="1">
     <ind:path>/lib/sysctl.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>