Merge pull request #14329 from teacup-on-rockingchair/sle16_fix_sysctl_related_ansible_remediations

teacup-on-rockingchair · web-flow · commit d05b4cf2371e · 2026-01-28T11:34:31.000+02:00
SLE16 fix sysctl related ansible remediations
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml
@@ -32,7 +32,7 @@
     reload: yes
   when: kexec_arch == "b32"
 
-{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15'] %}}
+{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'sle16'] %}}
 - name: Check noexec argument exists
   ansible.builtin.command: grep '^GRUB_CMDLINE_LINUX=.*noexec=.*"' /etc/default/grub
   failed_when: False
@@ -51,7 +51,7 @@
 
 {{% endif -%}}
 
-{{% if product in ['sle12', 'sle15'] %}}
+{{% if product in ['sle12', 'sle15', 'sle16'] %}}
 - name: Update grub defaults and the bootloader menu
   ansible.builtin.command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
   when: kexec_arch == "b64"
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml
@@ -6,7 +6,7 @@
 - name: Grep for {{{ pkg_manager }}} repo section names
   ansible.builtin.shell: |
     set -o pipefail
-{{%- if product in ["sle12", "sle15", "slmicro5"] %}}
+{{%- if 'sle' in product or 'slmicro' in product %}}
     grep -HEr '^\[.+\]' -r /etc/zypp/repos.d/
 {{%- else %}}
     grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -10,7 +10,7 @@
 
 - name: {{{ rule_title }}} - Set fact for sysctl paths
   ansible.builtin.set_fact:
-{{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
     sysctl_paths:
       - "/run/sysctl.d/"
       - "/etc/sysctl.d/"
@@ -22,7 +22,7 @@
       - "/run/sysctl.d/"
       - "/usr/local/lib/sysctl.d/"
 {{% endif %}}
-{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "sle16", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
       - "/usr/lib/sysctl.d/"
 {{% endif %}}
 
@@ -65,9 +65,11 @@
 {{% if sysctl_remediate_drop_in_file == "true" %}}
 - name: {{{ rule_title }}} - Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf
   ansible.builtin.replace:
-    path: "/etc/sysctl.conf"
+    path: "{{ item }}"
     regexp: '^[\s]*{{{ SYSCTLVAR }}}'
     replace: '#{{{ SYSCTLVAR }}}'
+  with_fileglob:
+    - "/etc/sysctl.conf"
 {{% endif %}}
 
 {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string  %}}
@@ -88,4 +90,3 @@
 {{% endif %}}
     state: present
     reload: yes
-
