diff --git a/components/kernel.yml b/components/kernel.yml
index ef50ac95e91e..f9d5678364b7 100644
--- a/components/kernel.yml
+++ b/components/kernel.yml
@@ -127,6 +127,7 @@ rules:
- package_iptables-nft_installed
- package_nfs-kernel-server_removed
- sebool_domain_kernel_load_modules
+- sysctl_conf_symlink_etc_sysctl_d
- sysctl_fs_protected_fifos
- sysctl_fs_protected_hardlinks
- sysctl_fs_protected_regular
@@ -201,6 +202,7 @@ rules:
- sysctl_net_ipv6_conf_default_forwarding
- sysctl_net_ipv6_conf_default_max_addresses
- sysctl_net_ipv6_conf_default_router_solicitations
+- sysctl_reapply_after_network
- sysctl_user_max_user_namespaces
- sysctl_user_max_user_namespaces_no_remediation
- sysctl_vm_mmap_min_addr
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh
new file mode 100644
index 000000000000..6964b1a5d77e
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+[ -f /etc/sysctl.conf ] || install -m 0644 /dev/null /etc/sysctl.conf
+ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+systemctl restart systemd-sysctl.service
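Review bot: `ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf` on the second command assumes `/etc/sysctl.d` already exists, and if `99-sysctl.conf` is already a directory `-f` places the link inside it instead of replacing it; `mkdir -p /etc/sysctl.d` followed by `ln -sfn /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf` closes both gaps. The unconditional `systemctl restart systemd-sysctl.service` will fail in offline or chroot image builds, whereas the sibling sysctl_reapply_after_network remediation wraps its `systemctl start` in a `systemctl is-system-running` check; the same guard belongs here. If the OVAL check compares the link target textually, the relative form `../sysctl.conf` that some distributions ship resolves to the same file but would presumably be reported as a failure, and no test fixture covers that case, so it is worth confirming against the check.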
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml
new file mode 100644
index 000000000000..b1df8e91f76b
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml
@@ -0,0 +1,24 @@
+
$ ls -l /etc/sysctl.d/99-sysctl.conf+ The output should show a symlink pointing to /etc/sysctl.conf. + +fixtext: |- + Create the symbolic link: +
# ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf+ Apply the settings immediately: +
# systemctl restart systemd-sysctl.service
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/correct_symlink.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/correct_symlink.pass.sh
new file mode 100644
index 000000000000..4ad69f29e455
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/correct_symlink.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+touch /etc/sysctl.conf
+ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/missing_symlink.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/missing_symlink.fail.sh
new file mode 100644
index 000000000000..ab977e397b8b
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/missing_symlink.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+rm -f /etc/sysctl.d/99-sysctl.conf
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/regular_file.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/regular_file.fail.sh
new file mode 100644
index 000000000000..4ae1d9edb3b5
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/regular_file.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+rm -f /etc/sysctl.d/99-sysctl.conf
+touch /etc/sysctl.d/99-sysctl.conf
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/wrong_target.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/wrong_target.fail.sh
new file mode 100644
index 000000000000..6597d2b07a0f
--- /dev/null
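Review bot: correct_symlink.pass.sh's `ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf` assumes `/etc/sysctl.d` already exists on the test image; a `mkdir -p /etc/sysctl.d` before it keeps the fixture from failing for a reason unrelated to the rule. The fixtures here (correct_symlink, missing_symlink, regular_file, and wrong_target on the next line) cover the absent, regular-file and wrong-target states, but none covers a link whose target `/etc/sysctl.conf` is missing, nor a relative link `../sysctl.conf` that resolves to the same file. Which of those the check should accept is a decision worth pinning with a fixture, since the OVAL comparison is not visible in this diff.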
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/tests/wrong_target.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+ln -sf /etc/sysctl.d/10-something.conf /etc/sysctl.d/99-sysctl.conf
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh
new file mode 100644
index 000000000000..c5853b07e720
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh
@@ -0,0 +1,32 @@
+# platform = multi_platform_debian
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+SERVICE_FILE="/etc/systemd/system/sysctl-reapply-network.service"
+
+cat > "${SERVICE_FILE}" << 'EOF'
+[Unit]
+Description=Re-apply sysctl hardening after network interfaces come up
+After=networking.service systemd-networkd.service
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/sysctl --system
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+chown root:root "${SERVICE_FILE}"
+chmod 0644 "${SERVICE_FILE}"
+
+systemctl daemon-reload
+systemctl enable sysctl-reapply-network.service
+
+if [[ $(systemctl is-system-running) != "offline" ]]; then
+ systemctl start sysctl-reapply-network.service
+fi
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml
new file mode 100644
index 000000000000..7853ffdb8796
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml
@@ -0,0 +1,37 @@
+
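Review bot: The unit written by the heredoc in sysctl_reapply_after_network/bash/shared.sh orders itself only `After=networking.service systemd-networkd.service`, and `DefaultDependencies=no` also drops the implicit sysinit/basic ordering systemd would otherwise add; on a host where neither named unit is part of the boot transaction (a NetworkManager-managed install, for example) the `After=` has no effect and `sysctl --system` can run before any interface exists, which defeats the rule's stated purpose. Ordering on the generic targets, `After=network.target network-online.target` with `Wants=network-online.target`, covers the usual stacks; interfaces brought up after boot are still not covered, and the rule description should say so explicitly. The remediation is tagged `# platform = multi_platform_debian` while the test fixtures on the following lines and the components/kernel.yml entry are not Debian-specific, so other platforms would presumably get a check with no remediation — worth confirming that is intended. The `systemctl is-system-running` guard around the start is the right pattern and the same guard would serve the sibling sysctl_conf_symlink_etc_sysctl_d remediation.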
[Unit] + Description=Re-apply sysctl hardening after network interfaces come up + After=networking.service systemd-networkd.service + DefaultDependencies=no + + [Service] + Type=oneshot + ExecStart=/sbin/sysctl --system + RemainAfterExit=yes + + [Install] + WantedBy=multi-user.target+ Then reload the systemd daemon and enable the service: +
$ sudo systemctl daemon-reload + $ sudo systemctl enable sysctl-reapply-network.service+ +rationale: |- + When a network interface is initialized, the Linux kernel may reset interface-level + and global sysctl values to their defaults. Running sysctl --system after + network interfaces are up ensures the hardened values from /etc/sysctl.conf + and /etc/sysctl.d/ are the final values in effect at runtime. +
$ systemctl is-enabled sysctl-reapply-network.service+ The output should be enabled.
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_disabled.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_disabled.fail.sh
new file mode 100644
index 000000000000..be36c4d88382
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_disabled.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+SERVICE_FILE="/etc/systemd/system/sysctl-reapply-network.service"
+
+cat > "${SERVICE_FILE}" << 'EOF'
+[Unit]
+Description=Re-apply sysctl hardening after network interfaces come up
+After=networking.service systemd-networkd.service
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/sysctl --system
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl disable sysctl-reapply-network.service
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_enabled.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_enabled.pass.sh
new file mode 100644
index 000000000000..2f497ec3c2a1
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_enabled.pass.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+SERVICE_FILE="/etc/systemd/system/sysctl-reapply-network.service"
+
+cat > "${SERVICE_FILE}" << 'EOF'
+[Unit]
+Description=Re-apply sysctl hardening after network interfaces come up
+After=networking.service systemd-networkd.service
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/sysctl --system
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable sysctl-reapply-network.service
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_missing.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_missing.fail.sh
new file mode 100644
index 000000000000..1e3445ae4db1
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/tests/service_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+systemctl disable sysctl-reapply-network.service 2>/dev/null || true
+rm -f /etc/systemd/system/sysctl-reapply-network.service
+systemctl daemon-reload