Add sysctl persistence rules for Debian#14768

Open
israel-villar wants to merge 1 commit into ComplianceAsCode:master from israel-villar:feat/sysctl-persistence-debian

Conversation

@israel-villar
Contributor

Two new rules that address Debian-specific sysctl persistence issues:

  • sysctl_conf_symlink_etc_sysctl_d: ensure /etc/sysctl.d/99-sysctl.conf is a symlink pointing to /etc/sysctl.conf. Debian's systemd-sysctl processes /etc/sysctl.d/ at boot but does not read /etc/sysctl.conf directly unless this symlink exists.

  • sysctl_reapply_after_network: install a systemd oneshot service that re-applies sysctl settings after network interfaces come up. The Linux kernel resets certain network sysctl values (e.g. net.ipv4.conf.*.accept_redirects) when a NIC is brought up, which causes compliant values written at boot to be overwritten.

The OVAL for sysctl_conf_symlink_etc_sysctl_d uses unix:file_test with type="symbolic link" rather than unix:symlink_test, which errors when the symlink is absent or dangling.

Description:

  • sysctl_conf_symlink_etc_sysctl_d: ensure
    /etc/sysctl.d/99-sysctl.conf is a symlink pointing to
    /etc/sysctl.conf. The bash remediation creates the symlink if absent.
    The OVAL check uses unix:file_test with type="symbolic link".
  • sysctl_reapply_after_network: install a systemd oneshot service that
    re-applies sysctl --system after network interfaces come up (via
    network-online.target). The bash remediation writes the unit file and
    enables it. The OVAL check verifies the unit file exists and is enabled.

Rationale:

  • Debian's systemd-sysctl processes /etc/sysctl.d/ at boot but does
    not read /etc/sysctl.conf directly unless the symlink
    /etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf exists.
  • The Linux kernel resets certain network sysctl values (e.g.
    net.ipv4.conf.*.accept_redirects) when a NIC is brought up, which
    causes compliant values written at boot to be overwritten on Debian.

Review Hints:

  • The OVAL for sysctl_conf_symlink_etc_sysctl_d uses unix:file_test
    with type="symbolic link" rather than unix:symlink_test.
    unix:symlink_test errors when the symlink is absent or dangling;
    unix:file_test handles non-existence gracefully.
  • Build to verify: ./build_product debian13 --datastream-only

Two new rules that address Debian-specific sysctl persistence issues:

- sysctl_conf_symlink_etc_sysctl_d: ensure /etc/sysctl.d/99-sysctl.conf
  is a symlink pointing to /etc/sysctl.conf. Debian's systemd-sysctl
  processes /etc/sysctl.d/ at boot but does not read /etc/sysctl.conf
  directly unless this symlink exists.

- sysctl_reapply_after_network: install a systemd oneshot service that
  re-applies sysctl settings after network interfaces come up. The
  Linux kernel resets certain network sysctl values (e.g.
  net.ipv4.conf.*.accept_redirects) when a NIC is brought up, which
  causes compliant values written at boot to be overwritten.

The OVAL for sysctl_conf_symlink_etc_sysctl_d uses unix:file_test with
type="symbolic link" rather than unix:symlink_test, which errors when
the symlink is absent or dangling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
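As an added example (not code from the PR or from ComplianceAsCode), the audit and remediation logic of both rules written as a POSIX shell script that runs against a sandbox root instead of the real /etc. The symlink audit also verifies the link target, which the review points out is missing from the OVAL. The sandbox layout under $ROOT and the unit name sysctl-reapply.service are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the PR: audit and remediation logic for the
# two Debian sysctl persistence rules, run against a sandbox root so it can
# be exercised without touching the real /etc. Paths under $ROOT mirror the
# real layout; the unit name sysctl-reapply.service is a hypothetical choice.

ROOT="${ROOT:-$(mktemp -d)}"

link_path()  { printf '%s\n' "$ROOT/etc/sysctl.d/99-sysctl.conf"; }
unit_path()  { printf '%s\n' "$ROOT/etc/systemd/system/sysctl-reapply.service"; }
wants_path() { printf '%s\n' "$ROOT/etc/systemd/system/multi-user.target.wants/sysctl-reapply.service"; }

# Audit rule 1: pass only if 99-sysctl.conf is a symlink AND its target is
# /etc/sysctl.conf. A link to any other file fails, a missing link fails
# without raising an error, and a dangling link with the right target still
# satisfies the symlink requirement itself.
check_sysctl_symlink() {
    link=$(link_path)
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "/etc/sysctl.conf" ]
}

# Remediation rule 1: create or fix the symlink. -f replaces a wrong link,
# -n stops ln from descending into an existing directory target.
remediate_sysctl_symlink() {
    mkdir -p "$ROOT/etc/sysctl.d"
    ln -sfn /etc/sysctl.conf "$(link_path)"
}

# Remediation rule 2: write a oneshot unit ordered after network-online.target
# and enable it. "systemctl enable" is what creates the .wants symlink on a
# real system; in the sandbox the symlink is created directly.
remediate_reapply_unit() {
    unit=$(unit_path)
    mkdir -p "$(dirname "$unit")" "$(dirname "$(wants_path)")"
    cat > "$unit" <<'EOF'
[Unit]
Description=Re-apply sysctl settings after the network is online
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/sysctl --system

[Install]
WantedBy=multi-user.target
EOF
    ln -sfn "$unit" "$(wants_path)"
}

# Audit rule 2: the unit exists, is ordered after network-online.target,
# re-applies the whole sysctl set, and is enabled (wanted by multi-user).
check_reapply_unit() {
    unit=$(unit_path)
    [ -f "$unit" ] || return 1
    grep -q '^After=network-online.target$' "$unit" || return 1
    grep -q '^ExecStart=.*sysctl --system$' "$unit" || return 1
    [ -L "$(wants_path)" ]
}

# Stand-alone demo against the sandbox: audit, remediate, audit again.
for rule in sysctl_symlink reapply_unit; do
    if "check_$rule"; then
        echo "$rule: pass"
    else
        echo "$rule: fail, remediating"
        "remediate_$rule"
        "check_$rule" && echo "$rule: pass after remediation"
    fi
done
```

Set ROOT=/ to run the checks against a live Debian host (the remediation functions would then need root and a real `systemctl enable`). The target comparison in check_sysctl_symlink is the part an OVAL-only symlink-type test cannot express, which is why the review asks for a second criterion.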
@openshift-ci openshift-ci Bot added the needs-ok-to-test label Jun 5, 2026

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny self-assigned this Jun 8, 2026
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("/etc/sysctl.d/99-sysctl.conf must be a symlink to /etc/sysctl.conf so that systemd-sysctl loads it at boot.", rule_title=rule_title) }}}
<criteria>
<criterion comment="/etc/sysctl.d/99-sysctl.conf is a symbolic link"
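Review bot: the single criterion visible at the end of this hunk asserts only that /etc/sysctl.d/99-sysctl.conf is a symbolic link, while the oval_metadata text promises a symlink to /etc/sysctl.conf, so a link to any other file would pass. Add a second criterion whose test checks the link target (a unix:symlink_test whose unix:symlink_state sets canonical_path to /etc/sysctl.conf) and keep both criteria under the default AND operator: when the link is absent, the file_test evaluates to false and OVAL's AND returns false even though the symlink_test reports error, so the graceful non-existence handling described in the PR is preserved.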
Collaborator


This OVAL only verifies that the file exists and is a symlink, but it doesn't verify the target of the symlink. This isn't aligned with the rule description. We need to extend the OVAL so that it will also check if the target of the symlink is /etc/sysctl.conf.

@@ -0,0 +1,40 @@
documentation_complete: true

Collaborator


FTBFS because the newly added rules aren't part of any component. Each rule needs to be listed in at least 1 file in the components directory.

@@ -0,0 +1,40 @@
documentation_complete: true

title: 'Ensure /etc/sysctl.d/99-sysctl.conf Is a Symlink to /etc/sysctl.conf'
Collaborator


Please add test scenarios for the rules.
