{{%- if SYSCTLVAL == "" %}}
{{%- set COMMENT_VALUE="the appropriate value" %}}
{{%- elif SYSCTLVAL is string %}}
{{%- set COMMENT_VALUE=SYSCTLVAL %}}
{{%- else %}}
{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
{{%- endif %}}

{{% macro state_static_sysctld(prefix) -%}}
    <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
{{% if SYSCTLVAL is string %}}
    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
{{% elif SYSCTLVAL is sequence %}}
{{% for x in SYSCTLVAL %}}
    <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
{{% endfor %}}
{{% endif %}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
    <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*\S)[\s]*$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
{{%- endmacro -%}}
{{%- if IPV6 == "false" -%}}

<def-group>
  <definition class="compliance" id="{{{ rule_id }}}" version="3">
    {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else "."), rule_title=rule_title) }}}
    <criteria operator="AND">
      <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
                         definition_ref="{{{ rule_id }}}_static"/>
{{% if CHECK_RUNTIME == "true" %}}
      <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
                         definition_ref="{{{ rule_id }}}_runtime"/>
{{%- endif %}}
    </criteria>
  </definition>
</def-group>

{{%- else -%}}

<def-group>
  <definition class="compliance" id="{{{ rule_id }}}" version="4">
    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else "."), rule_title=rule_title) }}}
    <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
      <extend_definition comment="is IPv6 enabled?"
                         definition_ref="sysctl_kernel_ipv6_disable"/>
      <criteria operator="AND">
        <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
                           definition_ref="{{{ rule_id }}}_static"/>
{{% if CHECK_RUNTIME == "true" %}}
        <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
                           definition_ref="{{{ rule_id }}}_runtime"/>
{{%- endif %}}
      </criteria>
    </criteria>
  </definition>
</def-group>

{{%- endif %}}

{{% if CHECK_RUNTIME == "true" %}}
<def-group>
  <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.", rule_title=rule_title) }}}
    <criteria operator="AND">
      <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
                 test_ref="test_{{{ rule_id }}}_runtime"/>
    </criteria>
  </definition>

  <unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
                    comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
                    check="all" check_existence="all_exist" state_operator="OR">
    <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
{{% if SYSCTLVAL is string %}}
    <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
{{% elif SYSCTLVAL is sequence %}}
{{% for x in SYSCTLVAL %}}
    <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
{{% endfor %}}
{{% endif %}}
  </unix:sysctl_test>

  <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
    <unix:name>{{{ SYSCTLVAR }}}</unix:name>
  </unix:sysctl_object>
{{% if SYSCTLVAL is string %}}
{{% if SYSCTLVAL == "" %}}
  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
    <unix:value datatype="{{{ DATATYPE }}}" operation="equals"
                var_ref="{{{ rule_id }}}_value"/>
  </unix:sysctl_state>

  <external_variable id="{{{ rule_id }}}_value" version="1"
                     comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
{{%- else %}}
  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
{{% if OPERATION == "pattern match" %}}
    <unix:value datatype="{{{ DATATYPE }}}"
                operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
{{% else %}}
    <unix:value datatype="{{{ DATATYPE }}}"
                operation="{{{ OPERATION }}}">{{{ SYSCTLVAL }}}</unix:value>
{{% endif %}}
  </unix:sysctl_state>
{{%- endif %}}
{{% elif SYSCTLVAL is sequence %}}
{{% for x in SYSCTLVAL %}}
  <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
    <unix:value datatype="{{{ DATATYPE }}}"
                operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
  </unix:sysctl_state>
{{% endfor %}}
{{% endif %}}
</def-group>
{{% endif %}}


<def-group>
  <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.", rule_title=rule_title) }}}

    <criteria operator="OR">
      <!--  Processing differently files in /usr/lib/sysctl.d/ as they are managed by packages and
            won't be fixed by remediations, see sysctl.d(5) -->
      <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages"
                    test_ref="test_{{{ rule_id }}}_static_user" />
      <criteria operator="AND">
        <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages"
                    test_ref="test_{{{ rule_id }}}_static_user_missing" />
        {{% if MISSING_PARAMETER_PASS == "true" %}}
          <criterion comment="{{{ "kernel static parameter"  + SYSCTLVAR + " set to " +
                      COMMENT_VALUE + " or missing in sysctl files managed by packages" }}}"
                    test_ref="test_{{{ rule_id }}}_static_pkg_not_wrong" />
        {{% else %}}
          <criterion comment="{{{ "kernel static parameter " + SYSCTLVAR + " set to " +
                      COMMENT_VALUE + " in sysctl files managed by packages" }}}"
                    test_ref="test_{{{ rule_id }}}_static_pkg_correct" />
        {{% endif %}}
      </criteria>
    </criteria>
  </definition>

  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user_missing" version="1"
                              check="all" check_existence="none_exist"
                              comment="{{{ SYSCTLVAR }}} static configuration">
    <ind:object object_ref="object_static_user_{{{ rule_id }}}" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user" version="1"
                              check="all" check_existence="all_exist"
                              comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
    {{{ state_static_sysctld("user") }}}
  </ind:textfilecontent54_test>

  {{% if MISSING_PARAMETER_PASS == "true" %}}
  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_not_wrong" version="2" check="all"
                          check_existence="any_exist"
                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
    {{{ state_static_sysctld("usr_lib_sysctld") }}}
  </ind:textfilecontent54_test>
  {{% else %}}
  <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_correct" version="2" check="all"
                          check_existence="all_exist"
                          comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"
                          state_operator="OR">
    {{{ state_static_sysctld("usr_lib_sysctld") }}}
  </ind:textfilecontent54_test>
  {{% endif %}}

  <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
       variable to have no value even when there are valid objects. -->
  <ind:textfilecontent54_object id="object_static_user_{{{ rule_id }}}" version="1">
    <set>
      <object_reference>object_static_etc_lib_sysctls_{{{ rule_id }}}</object_reference>
      <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
    </set>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_etc_lib_sysctls_{{{ rule_id }}}" version="1">
    <set>
      <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2204", "ubuntu2404"] %}}
      <object_reference>object_static_lib_sysctld_{{{ rule_id }}}</object_reference>
{{% endif %}}
    </set>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
    <set>
      <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
      <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
    </set>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
    <set>
      <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
      <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
    </set>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
{{% if "ubuntu" in product %}}
    <ind:filepath operation="pattern match">/etc(/ufw){0,1}/sysctl.conf$</ind:filepath>
{{% else %}}
    <ind:filepath>/etc/sysctl.conf</ind:filepath>
{{% endif %}}
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
    <ind:path>/etc/sysctl.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
    <ind:path>/run/sysctl.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
    <ind:path>/usr/local/lib/sysctl.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
    <ind:path>/usr/lib/sysctl.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "ubuntu2204", "ubuntu2404"] or 'rhel' in product %}}
  <ind:textfilecontent54_object id="object_static_lib_sysctld_{{{ rule_id }}}" version="1">
    <ind:path>/lib/sysctl.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    {{{ sysctl_match() }}}
  </ind:textfilecontent54_object>
{{% endif %}}
{{% if SYSCTLVAL is string %}}
{{% if SYSCTLVAL == "" %}}

  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
    <ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
                       datatype="{{{ DATATYPE }}}" />
  </ind:textfilecontent54_state>

  <external_variable id="{{{ rule_id }}}_value" version="1"
                     comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
{{% else %}}
  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
{{% if OPERATION == "pattern match" %}}
    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
{{% else %}}
    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL }}}</ind:subexpression>
{{% endif %}}
  </ind:textfilecontent54_state>
{{% endif %}}
{{% elif SYSCTLVAL is sequence %}}
{{% for x in SYSCTLVAL %}}
  <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
    <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
  </ind:textfilecontent54_state>
{{% endfor %}}
{{% endif %}}
</def-group>