From 2ea5cd773ced4bbfbfd6e14d0e24afb361baaacc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 30 Oct 2024 10:49:17 +0100 Subject: [PATCH] Adapt sysctl template for bootable containers Add an SCE check to the sysctl template special for bootable containers. We don't want to use OVAL check in this template because the OVAL check checks runtime status using OpenSCAP sysctl probe. The probe doesn't return meaningful results during podman build process and also it doesn't make sense to check runtime during the build. We need to check only the static configuration. Moreover, we update the Bash remediation to not set the runtime status during podman build process. --- docs/templates/template_reference.md | 2 +- shared/templates/sysctl/bash.template | 8 ++- shared/templates/sysctl/sce-bash.template | 63 +++++++++++++++++++++++ shared/templates/sysctl/template.yml | 1 + 4 files changed, 71 insertions(+), 3 deletions(-) create mode 100644 shared/templates/sysctl/sce-bash.template diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 38f2464102f..8e1e3ff6c51 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -934,7 +934,7 @@ The selected value can be changed in the profile (consult the actual variable fo the remediation scripts will set the variable with correct value to a drop-in file in `/etc/sysctl.d/var_name.conf` file. -- Languages: Ansible, Bash, OVAL +- Languages: Ansible, Bash, OVAL, SCE #### systemd_dropin_configuration - checks if a Systemd-style configuration exists either in the main file or in any file within specified dropin directory. diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index b3aafbc2757..a1149e40434 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template 
@@ -41,7 +41,9 @@ SYSCONFIG_FILE="/etc/sysctl.conf"
 #
 # Set runtime for {{{ SYSCTLVAR }}}
 #
-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value"
+if {{{ bash_not_bootc_build() }}} ; then
+ /sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value"
+fi
 
 #
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value
@@ -57,7 +59,9 @@ sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
 #
 # Set runtime for {{{ SYSCTLVAR }}}
 #
-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
+if {{{ bash_not_bootc_build() }}} ; then
+ /sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
+fi
 
 #
 # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}"
diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
new file mode 100644
index 00000000000..efa5a67a5dc
--- /dev/null
+++ b/shared/templates/sysctl/sce-bash.template
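Review bot: The new `if {{{ bash_not_bootc_build() }}} ; then` guard around the runtime `sysctl -w` carries no comment saying why the runtime write is skipped, so a reader of the rendered remediation sees only an opaque condition. I would extend the existing header comment to `# Set runtime for {{{ SYSCTLVAR }}} (skipped during a bootable-container image build, where only the static configuration matters)` — the commit message gives that rationale but the script does not, and the same applies to the second hunk at `@@ -57,7 +59,9 @@`. `bash_not_bootc_build()` is a Jinja macro defined outside this hunk, so whether the expanded condition itself fails safe cannot be judged here; the remediation body continues on both sides of the hunk.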
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# check-import = stdout
+{{% if SYSCTLVAL == "" %}}
+# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
+{{% endif %}}
+
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}
+FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
+{{% else %}}
+FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
+{{% endif %}}
+FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf")
+
+regex="^\s*{{{ SYSCTLVAR }}}\s*=\s*(.*)\s*"
+{{% if SYSCTLVAL == "" %}}
+expected_value="$XCCDF_VALUE_sysctl_{{{ SYSCTLID }}}_value"
+{{% else %}}
+expected_value="{{{ SYSCTLVAL }}}"
+{{%- endif %}}
+
+# kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages
+found=0
+for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
+ [[ -e "$files" ]] || continue
+ found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/")
+ if [[ -n "$found_value" ]] ; then
+ if [[ "$found_value" == "$expected_value" ]] ; then
+ found=1
+ else
+ exit $XCCDF_RESULT_FAIL
+ fi
+ fi
+done
+if [[ $found != 0 ]] ; then
+ exit $XCCDF_RESULT_PASS
+fi
+
+
+# kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages
+for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
+ [[ -e "$files" ]] || continue
+ if grep -P "$regex" $files ; then
+ exit $XCCDF_RESULT_FAIL
+ fi
+done
+
+# kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files managed by packages
+found=0
+for files in ${FILES_MANAGED_BY_PACKAGES[@]} ; do
+ [[ -e "$files" ]] || continue
+ if [[ -n "$found_value" ]] ; then
+ if [[ "$found_value" == "$expected_value" ]] ; then
+ found=1
+ else
+ exit $XCCDF_RESULT_FAIL
+ fi
+ fi
+done
+if [[ $found != 0 ]] ; then
+ exit $XCCDF_RESULT_PASS
+fi
+
+exit $XCCDF_RESULT_FAIL
diff --git a/shared/templates/sysctl/template.yml b/shared/templates/sysctl/template.yml
index b57de6fbb63..f084d352593 100644
--- a/shared/templates/sysctl/template.yml
+++ b/shared/templates/sysctl/template.yml
@@ -2,3 +2,4 @@ supported_languages:
 - ansible
 - bash
 - oval
+ - sce-bash
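Review bot: In the `FILES_MANAGED_BY_PACKAGES` loop `found_value` is never recomputed, so it still holds the stale result of the unmanaged-files pass — which is necessarily empty at that point, because every non-empty value in the first loop already exited with PASS or FAIL — and the package-managed branch can never reach `found=1`; a correct setting that lives only in `/usr/lib/sysctl.d/*.conf` is therefore reported as FAIL. Add `found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/")` right after the `[[ -e "$files" ]] || continue` line of that loop, mirroring the first loop. Separately, the "missing" loop's `if grep -P "$regex" $files ; then` prints the matching line to stdout, which `# check-import = stdout` feeds back into the check result; `grep -qP` is the intended form there. Also, because `(.*)\s*` captures greedily, trailing whitespace after a value ends up in `found_value` and makes an otherwise correct `key = value ` line fail the string comparison, so the capture should be tightened or the value trimmed before comparing.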