import scap-security-guide-0.1.60-8.el8_6

2022-05-17 22:11:22 +00:00 · 2022-05-17 22:11:22 +00:00 · 06250daca2
commit 06250daca2
parent 09daa8f7a7
8 changed files with 7232 additions and 1 deletions
--- a/SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
@ -0,0 +1,42 @@
+From 484ceb5641f53a8f3b505099a3bebb8d5e481f1a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 6 May 2022 11:31:31 +0200
+Subject: [PATCH] Restrict the symlink test to OVAL 5.11
+
+The symlink_test was added in OVAL 5.11 and is not availble in 5.10.
+The 5.10 version of the sysctl template will not check for sysctl
+options defined in more than on file.
+---
+ shared/templates/sysctl/oval.template | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index ba4e65cbaef..53456a90a01 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -114,7 +114,9 @@
+         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
+                    test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+       </criteria>
+{{% if target_oval_version >= [5, 11] %}}
+       <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+{{% endif %}}
+     </criteria>
+   </definition>
+ 
+@@ -140,6 +142,7 @@
+     {{{ state_static_sysctld("usr_lib_sysctld") }}}
+   </ind:textfilecontent54_test>
+ 
+{{% if target_oval_version >= [5, 11] %}}
+   <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
+   id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+     <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+@@ -214,6 +217,7 @@
+   <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+     <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+   </unix:symlink_object>
+{{% endif %}}
+ 
+   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
+     <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
--- a/SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch
@ -0,0 +1,122 @@
+From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 4 May 2022 19:21:04 +0200
+Subject: [PATCH 1/2] Add tests to ensure valid symlinks are checked
+
+These sysctl tests help check cases when:
+- A symlink points to a file out of the default default dirs
+- Multile symlinks point to the same file in the default dirs
+
+Symlinks are a valid use case how to configure sysctls.
+---
+ .../tests/symlink_root_duplicate.fail.sh          | 15 +++++++++++++++
+ .../tests/symlink_root_incompliant.fail.sh        | 15 +++++++++++++++
+ .../tests/symlinks_to_same_file.pass.sh           | 14 ++++++++++++++
+ 3 files changed, 44 insertions(+)
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+new file mode 100644
+index 00000000000..c4f756a110f
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
+@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
+new file mode 100644
+index 00000000000..3b67676ac69
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
+@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
+new file mode 100644
+index 00000000000..6164d0b1ca9
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
+@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Multiple symliks to the same file should be ignored
+ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+
+
+From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 4 May 2022 19:23:41 +0200
+Subject: [PATCH 2/2] Filter out symlinks referencing default dirs
+
+Apply a filter on the collected symlinks and exclude the ones that
+don't point to the default dirs.
+In other words, only remove ignore options in symlinks if the files they
+reference will be scanned anyway, because they are in the one of the
+default dirs.
+---
+ shared/templates/sysctl/oval.template | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 0b5cde45045..ac395d545c3 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -217,10 +217,20 @@
+ 
+   <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+        Workaround by querying for all conf files found -->
+-  <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+  <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+     <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+    <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
+   </unix:symlink_object>
+ 
+  <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+       ^/etc/sysctl.conf$
+       ^/etc/sysctl.d/.*$
+       ^/run/sysctl.d/.*$
+       ^/usr/lib/sysctl.d/.*$ -->
+  <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
+    <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+  </unix:symlink_state>
+
+   <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
+     <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+   </local_variable>
--- a/SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
@ -0,0 +1,115 @@
+From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 6 May 2022 13:32:34 +0200
+Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
+
+With the introduction of checks for options defined in multiple
+files
+the pre-configured sysctls became prominent and started to cause
+rules
+to fail.
+
+In /usr/lib/sysctl.d there are sysctl options defined by systemd and
+other packages. The files in witch these options are defined are not
+meant to be edited, these options should be overriden by options in
+dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
+Remediating these files will cause problems with rule
+rpm_verify_hashes,
+as these files are not RPM config files.
+
+As the sysctl remediations don't edit the pre-configured files the
+rule will always result in error.
+This commit removes the checks for the pre-configured directory,
+i.e. /usr/lib/sysctl.d/.
+
+The end result is that any sysctl option that is pre-configured in
+/usr/lib/sysctl.d will be defined in two files, the pre-configured
+one
+ane /etc/sysctl.conf.
+The sysctl option in effect should be the one configured in
+/etc/sysctl.conf as this file has the highest priority for sysctl.
+---
+ docs/templates/template_reference.md  | 12 +++++++++++-
+ shared/templates/sysctl/oval.template |  8 ++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index fef4679..d49511a 100644
+--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
+@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
+ ```
+ 
+ #### sysctl
+--   Checks sysctl parameters. The OVAL definition checks both
+-   Checks sysctl parameters. The OVAL definition checks both static
+     configuration and runtime settings and require both of them to be
+     set to the desired value to return true.
+ 
+    The following file and directories are checked for static
+    sysctl configurations:
+    - /etc/sysct.conf
+    - /etc/sysct.d/\*.conf
+    - /run/sysct.d/\*.conf
+    - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+    A sysctl option defined in more then one file within the scanned directories
+    will result in `fail`.
+
+ -   Parameters:
+ 
+     -   **sysctlvar** - name of the sysctl value, eg.
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 2794638..b692ee3 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -98,8 +98,10 @@
+                    test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
+         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
+                    test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
+         <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
+                    test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
+       </criteria>
+       <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+     </criteria>
+@@ -117,9 +119,11 @@
+     {{{ state_static_sysctld("run_sysctld") }}}
+   </ind:textfilecontent54_test>
+ 
+{{% if "rhel" not in product %}}
+   <ind:textfilecontent54_test check="all" comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
+     {{{ state_static_sysctld("usr_lib_sysctld") }}}
+   </ind:textfilecontent54_test>
+{{% endif %}}
+ 
+   <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
+   id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+@@ -229,7 +233,9 @@
+   <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
+     <set>
+       <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
+       <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
+     </set>
+   </ind:textfilecontent54_object>
+ 
+@@ -250,11 +256,13 @@
+     {{{ sysctl_match() }}}
+   </ind:textfilecontent54_object>
+ 
+{{% if "rhel" not in product %}}
+   <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
+     <ind:path>/usr/lib/sysctl.d</ind:path>
+     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+     {{{ sysctl_match() }}}
+   </ind:textfilecontent54_object>
+{{% endif %}}
+ {{% if SYSCTLVAL == "" %}}
+ 
+   <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
+-- 
+2.34.1
+
--- a/SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch
@ -0,0 +1,190 @@
+From b08b310a02e022d280b76e89282c8b8dcf3b9b55 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 4 May 2022 10:02:05 +0200
+Subject: [PATCH 1/3] Filter out symlinks
+
+Create a list of paths to symlinks to filter out from the count of
+unique filpaths.
+---
+ shared/templates/sysctl/oval.template | 29 ++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 97487d6114e..1f30ad86ceb 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -168,9 +168,36 @@
+     </count>
+   </local_variable>
+ 
+  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+    <set>
+      <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
+      <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+  </ind:textfilecontent54_state>
+
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+    <unique>
+      <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+    </unique>
+  </local_variable>
+
+  <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+       Workaround by querying for all conf files found -->
+  <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+    <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+  </unix:symlink_object>
+
+  <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
+    <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+  </local_variable>
+
+   <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+        variable to have no value even when there are valid objects. -->
+-  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+  <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
+     <set>
+       <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
+       <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
+
+From 29bf2a53d29624aa21fe91d5ad0ee34260514b6f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 4 May 2022 11:18:46 +0200
+Subject: [PATCH 2/3] Avoid using empty variable when no symlinks exist
+
+This avoids directly referencing a variable that may have no values.
+If no symlinks are found, 'local_var_symlinks_{{{ SYSCTLID }}}' will
+have "no values".
+Using this variable in the state comparison will automatically cause the
+definition to evaluate to "unknown".
+
+What we do here is inject a blank string with the use of <set>, this
+way, when no symlinks are found, the variable has a single blank string.
+---
+ shared/templates/sysctl/oval.template | 32 ++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 1f30ad86ceb..0b5cde45045 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -176,9 +176,39 @@
+   </ind:textfilecontent54_object>
+ 
+   <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
+-    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+    <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+   </ind:textfilecontent54_state>
+ 
+  <!-- <no simlink handling> -->
+  <!-- We craft a variable with blank string to combine with the symlink paths found.
+       This ultimately avoids referencing a variable with "no values",
+       we reference a variable with a blank string -->
+  <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
+    <unique>
+      <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
+    </unique>
+  </local_variable>
+
+  <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
+    <set>
+      <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
+    </set>
+  </ind:variable_object>
+
+  <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
+    <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
+  </ind:variable_object>
+
+  <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
+    <literal_component datatype="string"></literal_component>
+  </local_variable>
+
+  <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
+    <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
+  </ind:variable_object>
+  <!-- </no simlink handling> -->
+
+   <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+     <unique>
+       <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+
+From 7e9e091517131d30c60a649795d477435017c97b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 4 May 2022 11:41:13 +0200
+Subject: [PATCH 3/3] Add test scenarios for sysctl symlink
+
+---
+ .../tests/symlink_different_option.pass.sh        | 15 +++++++++++++++
+ .../tests/symlink_repeated_sysctl_conf.pass.sh    | 11 +++++++++++
+ .../tests/symlink_same_option.fail.sh             | 15 +++++++++++++++
+ 3 files changed, 41 insertions(+)
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
+new file mode 100644
+index 00000000000..714a8815134
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
+@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure a different sysctl option
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# Add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
+new file mode 100644
+index 00000000000..1fbbf1b0675
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
+new file mode 100644
+index 00000000000..51530f6e80c
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
+@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure the same sysctl option
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# and add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
--- a/SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
@ -0,0 +1,241 @@
+From 21177e5d44dfd6f4fa6de79737c1e55c4b22660a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 3 May 2022 10:49:44 +0200
+Subject: [PATCH] Edited PR_8656 to apply on 0.1.60
+
+---
+ .../one_sysctl_conf_one_sysctl_d.fail.sh      | 11 +++
+ .../tests/two_sysctls_on_d.fail.sh            | 11 +++
+ .../tests/two_sysctls_on_same_file.pass.sh    | 11 +++
+ .../two_sysctls_on_same_file_name.fail.sh     | 11 +++
+ shared/templates/sysctl/bash.template         |  2 +-
+ shared/templates/sysctl/oval.template         | 99 +++++++++++++------
+ 6 files changed, 114 insertions(+), 31 deletions(-)
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+ create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+new file mode 100644
+index 0000000..b2bc2f8
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+new file mode 100644
+index 0000000..49a8f2e
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/first.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+new file mode 100644
+index 0000000..548e616
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+new file mode 100644
+index 0000000..487691d
+--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
+index 6c82e6e..d68956f 100644
+--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
+@@ -6,7 +6,7 @@
+ 
+ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+ for f in /etc/sysctl.d/*.conf ; do
+-  matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
+   if ! test -z "$matching_list"; then
+     while IFS= read -r entry; do
+       # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 646f5f3..fd19f8b 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -1,3 +1,9 @@
+{{%- if SYSCTLVAL == "" %}}
+{{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- else %}}
+{{%- set COMMENT_VALUE=SYSCTLVAL %}}
+{{%- endif %}}
+
+ {{% macro state_static_sysctld(prefix) -%}}
+     <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}" />
+ {{%- if SYSCTLVAL == "" %}}
+@@ -6,7 +12,7 @@
+ {{%- endmacro -%}}
+ {{%- macro sysctl_match() -%}}
+ {{%- if SYSCTLVAL == "" -%}}
+-    <ind:pattern operation="pattern match">(?:^|.*\n)[^#]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*\n</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ {{%- else -%}}
+ {{% if OPERATION == "pattern match" %}}
+@@ -53,20 +59,12 @@
+ 
+ <def-group>
+   <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
+-    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system runtime.") }}}
+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
+     <criteria operator="AND">
+-{{%- if SYSCTLVAL == "" %}}
+-      <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
+-{{%- else %}}
+-      <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
+-{{%- endif %}}
+      <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
+     </criteria>
+   </definition>
+-{{% if SYSCTLVAL == "" %}}
+-  <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+-{{%- else %}}
+-  <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+-{{%- endif %}}
+  <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" check="all" check_existence="all_exist">
+     <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}" />
+     <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}" />
+   </unix:sysctl_test>
+@@ -96,25 +94,21 @@
+ 
+ <def-group>
+   <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
+-    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system configuration.") }}}
+-{{%- if SYSCTLVAL == "" %}}
+-    <criteria operator="OR">
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
+-      <!-- see sysctl.d(5) -->
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
+-    </criteria>
+-{{%- else %}}
+-
+-    <criteria operator="OR">
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
+-      <!-- see sysctl.d(5) -->
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
+-      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+    <criteria operator="AND">
+      <criteria operator="OR">
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
+                   test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
+        <!-- see sysctl.d(5) -->
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
+                   test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
+                   test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
+                   test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+      </criteria>
+      <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+     </criteria>
+-{{%- endif %}}
+   </definition>
+ 
+   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="{{{ SYSCTLVAR }}} static configuration" id="test_static_sysctl_{{{ SYSCTLID }}}" version="1">
+@@ -133,6 +127,51 @@
+     {{{ state_static_sysctld("usr_lib_sysctld") }}}
+   </ind:textfilecontent54_test>
+ 
+  <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
+  id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+    <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+    <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+  </ind:variable_test>
+
+  <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+    <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+    <ind:value operation="equals" datatype="int">1</ind:value>
+  </ind:variable_state>
+
+  <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
+    <count>
+      <unique>
+        <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+      </unique>
+    </count>
+  </local_variable>
+
+  <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+       variable to have no value even when there are valid objects. -->
+  <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+    <set>
+      <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
+    <set>
+      <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
+    <set>
+      <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+      <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
+   <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
+     <ind:filepath>/etc/sysctl.conf</ind:filepath>
+     {{{ sysctl_match() }}}
+-- 
+2.34.1
+
--- a/SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch
+++ b/SOURCES/scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch
@ -0,0 +1,88 @@
+From 1c403af00f39fcfa3c7cf898b1e832d4580cfb59 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 5 May 2022 10:28:34 +0200
+Subject: [PATCH] PR #8704 edited manually
+
+- Restrict test to sysctl.conf and /usr/sysctl.d
+- Separate the state from the object and check it
+---
+ .../tests/wrong_value_d_directory.fail.sh      | 12 ++++++------
+ shared/templates/sysctl/oval.template          | 18 ++++++++++--------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+index 48a2665..5fb8ddc 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+@@ -5,19 +5,19 @@
+ setting_name="kernel.randomize_va_space"
+ setting_value="2"
+ # sysctl -w "$setting_name=$setting_value"
+-if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
+-    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
+if grep -q "^$setting_name" /etc/sysctl.conf; then
+    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
+ else
+-    echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
+    echo "$setting_name = $setting_value" >> /etc/sysctl.conf
+ fi
+ 
+ setting_name="kernel.randomize_va_space"
+ setting_value="0"
+ # sysctl -w "$setting_name=$setting_value"
+-if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
+-    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
+if grep -q "^$setting_name" /etc/sysctl.d/98-sysctl.conf; then
+    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/98-sysctl.conf
+ else
+-    echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
+    echo "$setting_name = $setting_value" >> /etc/sysctl.d/98-sysctl.conf
+ fi
+ 
+ sysctl --system
+diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
+index 564cc33..97f1e05 100644
+--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
+@@ -6,21 +6,15 @@
+ 
+ {{% macro state_static_sysctld(prefix) -%}}
+     <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}" />
+-{{%- if SYSCTLVAL == "" %}}
+     <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}" />
+-{{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- macro sysctl_match() -%}}
+ {{%- if SYSCTLVAL == "" -%}}
+     <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ {{%- else -%}}
+-{{% if OPERATION == "pattern match" %}}
+-    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL_REGEX }}}[\s]*$</ind:pattern>
+-{{% else %}}
+-    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL }}}[\s]*$</ind:pattern>
+-{{% endif %}}
+-    <ind:instance datatype="int">1</ind:instance>
+    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ {{%- endif -%}}
+ {{%- endmacro -%}}
+ {{%- if "P" in FLAGS -%}}
+@@ -258,6 +252,14 @@
+   </ind:textfilecontent54_state>
+ 
+   <external_variable comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}" id="sysctl_{{{ SYSCTLID }}}_value" version="1" />
+{{% else %}}
+  <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
+{{% if OPERATION == "pattern match" %}}
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
+{{% else %}}
+    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL }}}</ind:subexpression>
+{{% endif %}}
+  </ind:textfilecontent54_state>
+ {{% endif %}}
+ </def-group>
+ {{%- endif -%}}
+-- 
+2.34.1
+
--- a/SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
+++ b/SOURCES/scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -6,7 +6,7 @@

 Name:		scap-security-guide
 Version:	0.1.60
-Release:	7%{?dist}
+Release:	8%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@ -65,6 +65,13 @@ Patch43:		scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.p
 Patch44:		scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
 Patch45:		scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch
 Patch46:		scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch
+Patch47:		scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
+Patch48:		scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch
+Patch49:		scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch
+Patch50:		scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch
+Patch51:		scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
+Patch52:		scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
+Patch53:		scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -169,6 +176,10 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif

 %changelog
+* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
+- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
+- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
+
 * Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
 - Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)