Rule sysctl_kernel_core_pattern is misaligned with DISA
Description of problem:
The daily productization run on 2025-08-15 has discovered that rule sysctl_kernel_core_pattern is misaligned with DISA STIG on RHEL 8. The reason is that the SSG rule sysctl_kernel_core_pattern checks only /etc/sysctl.conf and /etc/sysctl.d, but DISA's rule xccdf_mil.disa.stig_rule_SV-230311r1017121_rule also checks /usr/lib/sysctl.d and /lib/sysctl.d. We need to extend our rule in a similar manner, because these additional directories contain offending configuration.
SCAP Security Guide Version:
Current upstream master branch as of 2025-08-15, HEAD 6f426dfc9274ec5bdc0d624b54d8d6992bea41dc
Operating System Version:
RHEL 8 - RHEL-8.10.0-updates-20250814.1
Steps to Reproduce:
- /scanning/disa-alignment/anaconda
- /scanning/disa-alignment/ansible
- /scanning/disa-alignment/oscap
Actual Results:
SSG result: pass, DISA result(s): SV-230311r1017121_rule:fail
Expected Results:
SSG rule sysctl_kernel_core_pattern is aligned with DISA
Additional Information/Debugging Steps:
no
I am adding more information. The important point is that our content also checks for values in the /usr/lib/sysctl.d directory (which are provided by packages). But my understanding is that it prioritizes values in /etc/sysctl.d, so if values in /etc/sysctl.d are correct, it ignores the fact that values in /usr/lib/sysctl.d are wrong. And I think it makes sense. Attaching report from scanning with our content (content.html) and DISA SCAP (disa.html). The scan is done on a system where the rule sysctl_kernel_core_pattern has been remediated.
This is now manifesting in RHEL9 as well.
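
Added example, not part of the original report and not SSG or DISA code: a sketch of the two readings discussed above, one that takes the value winning by sysctl.d precedence and one that fails on any conflicting file in any directory. The directory order, reading /etc/sysctl.conf last, the expected value `|/bin/false`, the function names and the sample tree are all assumptions made for illustration.

```python
import os
import tempfile
# Search order assumed from sysctl.d(5): a file name found in an earlier
# directory masks the same name in a later one.
DIRS = ["etc/sysctl.d", "run/sysctl.d", "usr/local/lib/sysctl.d",
        "usr/lib/sysctl.d", "lib/sysctl.d"]

def read_key(path, key):
    """Return the last value assigned to key in one file, or None."""
    value = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            name, sep, val = line.strip().partition("=")
            # commented-out lines keep their "#" or ";" and so never equal key
            if sep and name.strip().lstrip("-").replace("/", ".") == key:
                value = val.strip()
    return value

def audit(root, key, expected):
    """Compare the value that wins by precedence with a scan of every file."""
    winners, every = {}, set()
    for d in DIRS:
        full = os.path.join(root, d)
        for name in (sorted(os.listdir(full)) if os.path.isdir(full) else []):
            if name.endswith(".conf"):
                path = os.path.realpath(os.path.join(full, name))
                winners.setdefault(name, path)  # first directory wins per name
                every.add(path)
    order = [winners[n] for n in sorted(winners)]  # lexical order across dirs
    main = os.path.realpath(os.path.join(root, "etc/sysctl.conf"))
    if os.path.isfile(main):
        order.append(main)  # assumed to be read last, as `sysctl --system` does
        every.add(main)
    values = [v for v in (read_key(p, key) for p in order) if v is not None]
    effective = values[-1] if values else None
    offenders = sorted(p for p in every if read_key(p, key) not in (None, expected))
    return {"effective": effective, "precedence_pass": effective == expected,
            "all_files_pass": effective == expected and not offenders, "offenders": offenders}

def build_sample():
    """Constructed tree: package default in usr/lib, remediated value in etc."""
    root = tempfile.mkdtemp()
    for rel, text in {
        "usr/lib/sysctl.d/50-coredump.conf": "kernel.core_pattern=|/usr/bin/handler %P\n",
        "etc/sysctl.d/99-core.conf": "# remediated\nkernel.core_pattern = |/bin/false\n",
    }.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
if __name__ == "__main__":
    print(audit(build_sample(), "kernel.core_pattern", "|/bin/false"))
```

On the constructed tree the precedence reading passes while the every-file reading fails and names the package-provided file, which is the pass/fail split reported in the actual results.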