From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 May 2022 19:21:04 +0200

Subject: [PATCH 1/3] Add tests to ensure valid symlinks are checked

These sysctl tests help check cases when:

- A symlink points to a file out of the default default dirs

- Multile symlinks point to the same file in the default dirs

Symlinks are a valid use case how to configure sysctls.

---

 .../tests/symlink_root_duplicate.fail.sh          | 15 +++++++++++++++

 .../tests/symlink_root_incompliant.fail.sh        | 15 +++++++++++++++

 .../tests/symlinks_to_same_file.pass.sh           | 14 ++++++++++++++

 3 files changed, 44 insertions(+)

 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh

 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh

 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh

new file mode 100644

index 00000000000..c4f756a110f

--- /dev/null

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf

+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

+

+# Put a config file out of the default dirs

+echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf

+

+# Add a symlink

+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf

+

+sysctl -w net.ipv4.conf.default.accept_source_route=0

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh

new file mode 100644

index 00000000000..3b67676ac69

--- /dev/null

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf

+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

+

+# Put a config file out of the default dirs

+echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf

+

+# Add a symlink

+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf

+

+sysctl -w net.ipv4.conf.default.accept_source_route=0

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh

new file mode 100644

index 00000000000..6164d0b1ca9

--- /dev/null

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf

+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

+

+# Multiple symliks to the same file should be ignored

+ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf

+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf

+

+sysctl -w net.ipv4.conf.default.accept_source_route=0

+

From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 4 May 2022 19:23:41 +0200

Subject: [PATCH 2/3] Filter out symlinks referencing default dirs

Apply a filter on the collected symlinks and exclude the ones that

don't point to the default dirs.

In other words, only remove ignore options in symlinks if the files they

reference will be scanned anyway, because they are in the one of the

default dirs.

---

 shared/templates/sysctl/oval.template | 12 +++++++++++-

 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template

index 0b5cde45045..ac395d545c3 100644

--- a/shared/templates/sysctl/oval.template

+++ b/shared/templates/sysctl/oval.template

@@ -217,10 +217,20 @@

        Workaround by querying for all conf files found -->

-  <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">

+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">

     <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />

+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>

   </unix:symlink_object>

+  

+       ^/etc/sysctl.conf$

+       ^/etc/sysctl.d/.*$

+       ^/run/sysctl.d/.*$

+       ^/usr/lib/sysctl.d/.*$ -->

+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">

+    <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>

+  </unix:symlink_state>

+

   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">

     <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />

   </local_variable>

From 156291af3ae48fc0dff668b05e9e0bbdd42868b2 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Fri, 6 May 2022 11:49:00 +0200

Subject: [PATCH 3/3] Consider file/link/dir while applying ansible remediation

 on sysctl template.

---

 shared/templates/sysctl/ansible.template | 1 +

 1 file changed, 1 insertion(+)

diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template

index f525cf873f7..5a178fa7f49 100644

--- a/shared/templates/sysctl/ansible.template

+++ b/shared/templates/sysctl/ansible.template

@@ -9,6 +9,7 @@

     paths: "/etc/sysctl.d/"

     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'

     patterns: "*.conf"

+    file_type: any

   register: find_sysctl_d

 - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files