Update OCIL check along with the rule

The OCIL should should mention both compliant values.

linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

@@ -47,11 +47,36 @@ references:
     stigid@rhel7: RHEL-07-040611
     stigid@rhel8: RHEL-08-040285
 
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
+ocil: |-
+    The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
+    by running the following command:
+    <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
+    The output of the command should indicate either:
+    <code>net.ipv4.conf.all.rp_filter = 1</code>
+    or:
+    <code>net.ipv4.conf.all.rp_filter = 2</code>
+    The output of the command should not indicate:
+    <code>net.ipv4.conf.all.rp_filter = 0</code>
+
+    The preferable way how to assure the runtime compliance is to have
+    correct persistent configuration, and rebooting the system.
+
+    The persistent sysctl parameter configuration is performed by specifying the appropriate
+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+    Verify that there is not any existing incorrect configuration by executing the following command:
+    <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+    The command should not find any assignments other than:
+    net.ipv4.conf.all.rp_filter = 1
+    or:
+    net.ipv4.conf.all.rp_filter = 2
+
+    Conflicting assignments are not allowed.
+
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
 
 fixtext: |-
     Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
-    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
+    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
 
 srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
 

linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

@@ -34,6 +34,33 @@ references:
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
 
+ocil: |-
+    The runtime status of the <code>kernel.ktpr_restrict</code> kernel parameter can be queried
+    by running the following command:
+    <pre>$ sysctl kernel.ktpr_restrict</pre>
+    The output of the command should indicate either:
+    <code>kernel.ktpr_restrict = 1</code>
+    or:
+    <code>kernel.ktpr_restrict = 2</code>
+    The output of the command should not indicate:
+    <code>kernel.ktpr_restrict = 0</code>
+
+    The preferable way how to assure the runtime compliance is to have
+    correct persistent configuration, and rebooting the system.
+
+    The persistent kernel parameter configuration is performed by specifying the appropriate
+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+    Verify that there is not any existing incorrect configuration by executing the following command:
+    <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+    The command should not find any assignments other than:
+    kernel.kptr_restrict = 1
+    or:
+    kernel.kptr_restrict = 2
+
+    Conflicting assignments are not allowed.
+
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
+
 srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
 
 platform: machine
@@ -52,4 +79,4 @@ template:
 
 fixtext: |-
     Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
-    {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
+    {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}