Merge pull request #14353 from vojtapolasek/rhel_sysctl_dropin_remediations

Mab879 · web-flow · commit e8e45318d022 · 2026-02-06T10:17:26.000-06:00
RHEL: use dropin files when remediating sysctl rules
diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml
@@ -57,3 +57,4 @@ reference_uris:
 journald_conf_dir_path: /etc/systemd/journald.conf.d
 audit_watches_style: modern
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+sysctl_remediate_drop_in_file: true
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
@@ -107,3 +107,4 @@ reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
 
 journald_conf_dir_path: /etc/systemd/journald.conf.d
+sysctl_remediate_drop_in_file: true
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
@@ -60,3 +60,4 @@ centos_pkg_version: "8483c65d"
 centos_major_version: "9"
 
 journald_conf_dir_path: /etc/systemd/journald.conf.d
+sysctl_remediate_drop_in_file: true
diff --git a/shared/templates/sysctl/tests/correct_value_etc_sysctld.pass.sh b/shared/templates/sysctl/tests/correct_value_etc_sysctld.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+{{% if "ubuntu" in product %}}
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* /etc/ufw/sysctl.conf
+{{% else %}}
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+{{% endif %}}
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.d/duplicate.conf
+
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
@@ -104,7 +104,7 @@ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 sshd_distributed_config: 'true'
 sshd_runtime_check: 'false'
-sysctl_remediate_drop_in_file: 'false'
+sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
 - 5
 - 11
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
@@ -151,7 +151,7 @@ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sshd_runtime_check: 'false'
-sysctl_remediate_drop_in_file: 'false'
+sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
 - 5
 - 11
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
@@ -108,7 +108,7 @@ release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
 sshd_runtime_check: 'false'
-sysctl_remediate_drop_in_file: 'false'
+sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
 - 5
 - 11

Original file line number	Diff line number	Diff line change
`@@ -107,3 +107,4 @@ reference_uris:`
`107`	`107`	`cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'`
`108`	`108`
`109`	`109`	`journald_conf_dir_path: /etc/systemd/journald.conf.d`
	`110`	`+sysctl_remediate_drop_in_file: true`
Original file line number	Diff line number	Diff line change
`@@ -60,3 +60,4 @@ centos_pkg_version: "8483c65d"`
`60`	`60`	`centos_major_version: "9"`
`61`	`61`
`62`	`62`	`journald_conf_dir_path: /etc/systemd/journald.conf.d`
	`63`	`+sysctl_remediate_drop_in_file: true`