diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
index e86afc4f770..ba8e4f683a9 100644
--- a/shared/templates/sysctl/sce-bash.template
+++ b/shared/templates/sysctl/sce-bash.template
@@ -4,68 +4,73 @@ # check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value {{% endif %}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}} -FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf") -{{% else %}} +{{% if product in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}} FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf") +{{% else %}} +FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf") {{% endif %}} FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf") -function check_sysctl_configuration() +function pass_if_set_correctly() { - local sysctlvar="$1" - local expected_value="$2" - - regex="^\s*$sysctlvar\s*=\s*(.*)\s*" - - # kernel static parameter $sysctlvar set to $sysctlvar in sysctl files not managed by packages - found=0 - for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do + local filelist="$1" + local regex="$2" + local expected_value="$3" + local found=0 + for files in $filelist ; do [[ -e "$files" ]] || continue found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/") if [[ -n "$found_value" ]] ; then if [[ "$found_value" == "$expected_value" ]] ; then - found=1 - else - return $XCCDF_RESULT_FAIL + return 0 fi fi done - if [[ $found != 0 ]] ; then - return $XCCDF_RESULT_PASS - fi + return 1 +} - # kernel static parameter $sysctlvar missing in sysctl files not managed by packages - for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do +function pass_if_missing() +{ + local filelist="$1" + local regex="$2" + for files in $filelist ; do [[ -e "$files" ]] || continue if grep -P "$regex" $files ; then - return $XCCDF_RESULT_FAIL + return 1 fi done + 
return 0 +} + +function check_sysctl_configuration() +{ + local sysctlvar="$1" + local expected_value="$2" + + regex="^\s*$sysctlvar\s*=\s*(.*)\s*" + + # kernel static parameter $sysctlvar set to $sysctlvar in sysctl files not managed by packages + pass_if_set_correctly "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value" + set_correctly_in_not_managed="$?" + + # kernel static parameter $sysctlvar missing in sysctl files not managed by packages + pass_if_missing "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex" + missing_in_not_managed="$?" # kernel static parameter $sysctlvar set to $sysctlval in sysctl files managed by packages - found=0 - for files in ${FILES_MANAGED_BY_PACKAGES[@]} ; do - [[ -e "$files" ]] || continue - if [[ -n "$found_value" ]] ; then - if [[ "$found_value" == "$expected_value" ]] ; then - found=1 - else - return $XCCDF_RESULT_FAIL - fi - fi - done - if [[ $found != 0 ]] ; then - return $XCCDF_RESULT_PASS - fi + pass_if_set_correctly "${FILES_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value" + set_correctly_in_managed="$?" - return $XCCDF_RESULT_FAIL + if [[ "$set_correctly_in_not_managed" == 0 || ( "$missing_in_not_managed" == 0 && "$set_correctly_in_managed" == 0 ) ]] ; then + return 0 + fi + return 1 } {{% if IPV6 == "true" -%}} # pass if IPv6 is disabled check_sysctl_configuration "net.ipv6.conf.all.disable_ipv6" "1" -if [[ $? == $XCCDF_RESULT_PASS ]] ; then +if [[ $? == 0 ]] ; then exit $XCCDF_RESULT_PASS fi {{% endif %}} @@ -76,4 +81,7 @@ expected_value="$XCCDF_VALUE_sysctl_{{{ SYSCTLID }}}_value" expected_value="{{{ SYSCTLVAL }}}" {{%- endif %}} check_sysctl_configuration "{{{ SYSCTLVAR }}}" "$expected_value" -exit $? +if [[ $? == 0 ]] ; then + exit $XCCDF_RESULT_PASS +fi +exit $XCCDF_RESULT_FAIL
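Review bot: In pass_if_set_correctly the `return 0` taken on the first file whose value matches ends the scan, so a conflicting value for the same parameter in a later entry of the list (a higher-numbered `/etc/sysctl.d/*.conf`, or `/etc/sysctl.conf`, which sysctl typically applies last and which therefore wins) is never inspected and the rule passes; the removed loop returned `$XCCDF_RESULT_FAIL` as soon as any file held a wrong value. The new `local found=0` is declared but never read, which suggests the accumulate-then-decide shape was intended; restoring it keeps the helper's 0/1 contract and the combination logic in check_sysctl_configuration unchanged, since a conflict in the unmanaged files then fails both the set-correctly and the missing checks. Separately, `regex` and the three `*="$?"` result variables in check_sysctl_configuration, and `found_value` in the helper, are assigned without `local`.
```shell
function pass_if_set_correctly()
{
    # … unchanged: argument handling, loop header, existence test, found_value extraction …
        if [[ -n "$found_value" ]] ; then
            if [[ "$found_value" == "$expected_value" ]] ; then
                found=1
            else
                return 1   # a conflicting value anywhere in the list is non-compliant
            fi
        fi
    done
    [[ "$found" != 0 ]]
}
```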