Check & remediate /etc/ufw/sysctl.conf

ComplianceAsCode · Feb 4, 2025 · a9e5487 · a9e5487
1 parent f54cc7c
commit a9e5487
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 1 deletion.
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -34,6 +34,14 @@
     replace: '#{{{ SYSCTLVAR }}}'
   loop: "{{ find_sysctl_d.files }}"
 
+{{% if product in [ "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/ufw/sysctl.conf
+  replace:
+    path: "/etc/ufw/sysctl.conf"
+    regexp: '(^[\s]*{{{ SYSCTLVAR }}}.*$)'
+    replace: '# \1'
+{{% endif %}}
+
 {{% if sysctl_remediate_drop_in_file == "true" %}}
 - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf
   replace:

diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -7,7 +7,9 @@
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
 {{% if product in [ "sle12", "sle15", "slmicro5"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
-{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
+{{% elif product in [ "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do
+{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
 {{% else %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
@@ -205,7 +205,11 @@
     </set>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
+{{% if product in [ "ubuntu2004", "ubuntu2204", "ubuntu2404" ] %}}
+    <ind:filepath operation="pattern match">/etc(/ufw){0,1}/sysctl.conf$</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/sysctl.conf</ind:filepath>
+{{% endif %}}
     {{{ sysctl_match() }}}
   </ind:textfilecontent54_object>
 

diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
@@ -11,6 +11,9 @@ FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/l
 FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
 {{% endif %}}
 FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf")
+{{% if product in [ "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
+FILES_NOT_MANAGED_BY_PACKAGES+=("/etc/ufw/sysctl.conf")
+{{% endif %}}
 
 function pass_if_set_correctly()
 {