Adapt sysctl template for bootable containers

Add an SCE check to the sysctl template special for bootable containers. We don't want to use OVAL check in this template because the OVAL check checks runtime status using OpenSCAP sysctl probe. The probe doesn't return meaningful results during podman build process and also it doesn't make sense to check runtime during the build. We need to check only the static configuration. Moreover, we update the Bash remediation to not set the runtime status during podman build process.
ComplianceAsCode · Oct 30, 2024 · 2ea5cd7 · 2ea5cd7
1 parent 292f26a
commit 2ea5cd7
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 3 deletions.
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -934,7 +934,7 @@ The selected value can be changed in the profile (consult the actual variable fo
     the remediation scripts will set the variable with correct value to a drop-in file in
     `/etc/sysctl.d/var_name.conf` file.
 
--   Languages: Ansible, Bash, OVAL
+-   Languages: Ansible, Bash, OVAL, SCE
 
 #### systemd_dropin_configuration
 - checks if a Systemd-style configuration exists either in the main file or in any file within specified dropin directory.

diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -41,7 +41,9 @@ SYSCONFIG_FILE="/etc/sysctl.conf"
 #
 # Set runtime for {{{ SYSCTLVAR }}}
 #
-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value"
+if {{{ bash_not_bootc_build() }}} ; then
+    /sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value"
+fi
 
 #
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value
@@ -57,7 +59,9 @@ sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
 #
 # Set runtime for {{{ SYSCTLVAR }}}
 #
-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
+if {{{ bash_not_bootc_build() }}} ; then
+    /sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
+fi
 
 #
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}"

diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# check-import = stdout
+{{% if SYSCTLVAL == "" %}}
+# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
+{{% endif %}}
+
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}
+FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
+{{% else %}}
+FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
+{{% endif %}}
+FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf")
+
+regex="^\s*{{{ SYSCTLVAR }}}\s*=\s*(.*)\s*"
+{{% if SYSCTLVAL == "" %}}
+expected_value="$XCCDF_VALUE_sysctl_{{{ SYSCTLID }}}_value"
+{{% else %}}
+expected_value="{{{ SYSCTLVAL }}}"
+{{%- endif %}}
+
+# kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages
+found=0
+for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
+    [[ -e "$files" ]] || continue
+    found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/")
+    if [[ -n "$found_value" ]] ; then
+        if [[ "$found_value" == "$expected_value" ]] ; then
+            found=1
+        else
+            exit $XCCDF_RESULT_FAIL
+        fi
+    fi
+done
+if [[ $found != 0 ]] ; then
+    exit $XCCDF_RESULT_PASS
+fi
+
+
+# kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages
+for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
+    [[ -e "$files" ]] || continue
+    if grep -P "$regex"  $files ; then
+        exit $XCCDF_RESULT_FAIL
+    fi
+done
+
+# kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files managed by packages
+found=0
+for files in ${FILES_MANAGED_BY_PACKAGES[@]} ; do
+    [[ -e "$files" ]] || continue
+    if [[ -n "$found_value" ]] ; then
+        if [[ "$found_value" == "$expected_value" ]] ; then
+            found=1
+        else
+            exit $XCCDF_RESULT_FAIL
+        fi
+    fi
+done
+if [[ $found != 0 ]] ; then
+    exit $XCCDF_RESULT_PASS
+fi
+
+exit $XCCDF_RESULT_FAIL
diff --git a/shared/templates/sysctl/template.yml b/shared/templates/sysctl/template.yml
@@ -2,3 +2,4 @@ supported_languages:
   - ansible
   - bash
   - oval
+  - sce-bash