Description of problem:
The sysctl OVAL template incorrectly includes /lib/sysctl.d in the user-managed object scan for AlmaLinux, causing false positive failures on sysctl rules where a package-owned file in /lib/sysctl.d/ contains a conflicting value that is correctly overridden by a user drop-in in /etc/sysctl.d/.
SCAP Security Guide Version:
scap-security-guide-0.1.80-1.el9_7.alma.1.noarch
Operating System Version:
AlmaLinux 8, AlmaLinux 9
Steps to Reproduce:
- Install AlmaLinux 9
- Set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.d/20-cis-network.conf
- Verify runtime value: sysctl net.ipv4.conf.default.rp_filter returns 1
- Run OpenSCAP against the CIS Level 1 Server profile
- Rule sysctl_net_ipv4_conf_default_rp_filter fails despite correct runtime and user config values.
Actual Results:
The sysctl OVAL template's object_static_etc_lib_sysctls object includes /lib/sysctl.d for AlmaLinux because it is missing from the product exclusion list.
With check="all", the conflicting value in the package-owned /lib/sysctl.d/50-default.conf (set to 2 by systemd) causes test_static_user to fail. RHEL 8/9 and OL 8/9 are already on the exclusion list; AlmaLinux, as a 1:1 RHEL clone, inherits the same systemd defaults and should be treated identically.
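The following script is an added example and is not part of the bug report or of the SCAP Security Guide. It models, on constructed fixture directories under mktemp, the difference between the merged static value that sysctl --system would compute (per sysctl.d(5): a file in /etc/sysctl.d masks a same-named file in /lib/sysctl.d, then surviving files are applied in lexicographic basename order, last assignment wins) and what an OVAL object with check="all" over both directories sees (every value in every file, no masking). Wildcard keys and "-"-prefixed lines are not modelled. It runs two fixtures: the report's 20-cis-network.conf name, and a same-named 50-default.conf override in /etc/sysctl.d (an assumption made here to show the masking rule); in both, check="all" sees the conflicting value, which is the false positive the report describes.

```shell
#!/bin/sh
# Added example, not project code. Emulates sysctl.d merging versus a
# check="all" scan. Fixtures are constructed under mktemp; the real
# /etc/sysctl.d and /lib/sysctl.d are never touched.

# Value of KEY after sysctl.d-style merging of the directories given in
# priority order (highest first): same-named files in later directories are
# masked, survivors apply in basename order, last assignment wins.
effective_sysctl() {
    key=$1; shift
    tab=$(printf '\t')
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    files=$(for d in "$@"; do
                for f in "$d"/*.conf; do
                    if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
                done
            done | sort -t "$tab" -k 1,1 -s | awk -F '\t' '!seen[$1]++ { print $2 }')
    val=""
    for f in $files; do
        v=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# What an OVAL object with check="all" over the same directories sees:
# every value of KEY in every file, no masking. Prints the distinct values.
check_all_values() {
    key=$1; shift
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    for d in "$@"; do
        for f in "$d"/*.conf; do
            if [ -f "$f" ]; then
                sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f"
            fi
        done
    done | sort -u | paste -s -d ' ' -
}

# Constructed fixture mirroring the report: the package-owned file sets 2,
# the operator drop-in (named by $1) sets 1. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/lib/sysctl.d"
    printf 'net.ipv4.conf.default.rp_filter = 2\n' > "$root/lib/sysctl.d/50-default.conf"
    printf 'net.ipv4.conf.default.rp_filter = 1\n' > "$root/etc/sysctl.d/$1"
    printf '%s\n' "$root"
}

KEY=net.ipv4.conf.default.rp_filter
for name in 20-cis-network.conf 50-default.conf; do
    fx=$(make_fixture "$name")
    printf '%-20s merged static value: %s   values seen by check=all: %s\n' \
        "$name" \
        "$(effective_sysctl "$KEY" "$fx/etc/sysctl.d" "$fx/lib/sysctl.d")" \
        "$(check_all_values "$KEY" "$fx/etc/sysctl.d" "$fx/lib/sysctl.d")"
    rm -rf "$fx"
done
```

The second fixture is the clean illustration of the report's complaint: the merged static value is 1 because the /etc file masks the /lib file, yet a check="all" object still finds the 2 in /lib/sysctl.d. The first fixture is the caveat worth knowing when reproducing: with only basename ordering in play, 20-cis-network.conf is applied before 50-default.conf, so a drop-in that sorts earlier does not win on its own under sysctl --system.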
Expected Results:
The rule should pass when the runtime value is correct and compliant user-managed drop-ins exist in /etc/sysctl.d/, consistent with the behaviour on RHEL 8/9 and OL8/9.
Additional Information/Debugging Steps:
Proposed Fix
Add almalinux8 and almalinux9 to the product exclusion list in shared/templates/sysctl/oval.template:
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2204", "ubuntu2404"] %}}
+{{% if product not in [ "almalinux8", "almalinux9", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2204", "ubuntu2404"] %}}
<object_reference>object_static_lib_sysctld_{{{ rule_id }}}</object_reference>
{{% endif %}}
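Review bot: the condition is a hard-coded product list with no comment saying why these products skip object_static_lib_sysctld_{{{ rule_id }}}; add a line above the `{{% if product not in [...] %}}` stating that on these products package-owned /lib/sysctl.d drop-ins (systemd's 50-default.conf) can legitimately conflict with operator drop-ins in /etc/sysctl.d, so the next product added to the list is added for the right reason. Also consider adding a test scenario for the affected sysctl rules that places the conflicting value in /lib/sysctl.d alongside a compliant override in /etc/sysctl.d, so the almalinux8/almalinux9 case is exercised and the regression cannot silently return.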
Related issues: