As noted in:
[1] https://github.com/cobbler/cobbler/issues/361
[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html

the BOOTPROTO variable in /etc/sysconfig/network-scripts can have just one of the (none|bootp|dhcp) values. Initscripts also know only these three:
[3] https://git.fedorahosted.org/cgit/initscripts.git/tree/sysconfig.txt
meaning that when the 'bootp' or 'dhcp' options are used, the DHCP client is run on the device. Any other option is dealt with / considered to mean static configuration.

When system-config-network / system-config-network-tui / nm-connection-editor creates a new connection with static IP configuration, it uses BOOTPROTO=none in the particular /etc/sysconfig/network-scripts/ifcfg-conn-name script (can be verified by creating a sample connection).

Based on bug:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=528068
and the resulting patch:
[5] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=c31b3e455414a5a7bf57d9fed1442367e9e4c917
NetworkManager (starting from NetworkManager-0.7.996-5.git20091021.fc12) treats BOOTPROTO=static as an alias for BOOTPROTO=none (it doesn't complain when 'static' is used as the BOOTPROTO specification). But since the RHEL-6 Deployment Guide [2] and the initscripts code [3] know / suggest the use of 'none', enhance the sysconfig_networking_bootproto_ifcfg OVAL check to allow test success also in case 'none' is used as the BOOTPROTO specification (since that actually is what is used when a new connection with a static IP is created, e.g. via system-config-network or nm-connection-editor).

Besides that (support also for 'none' in the BOOTPROTO specification), the patch starts to recommend the use of 'none' in the appropriate places (RHEL/6 and RHEL/7 XCCDF rule descriptions, STIG reference) & moves the originally RHEL-6 specific sysconfig_networking_bootproto_ifcfg OVAL check to be a shared one.

The change has been tested on both RHEL/6 & RHEL/7, the rpm(s) build correctly, and the change seems to be working as expected (on both products).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
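To make the effect of the state change concrete, the following is an added example (not code from scap-security-guide or from the patch) that re-implements the OVAL object pattern and both the old and the new state regex in Python and evaluates them over constructed ifcfg-* contents; the `evaluate` function is only an approximation of how check="all" / check_existence="all_exist" is evaluated, not the OVAL semantics in full.

```python
import re

# The two regexes are taken from the OVAL object and states in the patch;
# everything else is a constructed approximation, not scap-security-guide code.
BOOTPROTO_RE = re.compile(r'^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)', re.MULTILINE)
OLD_STATE = re.compile(r'^static$')          # pre-patch: operation="equals" static
NEW_STATE = re.compile(r'^(static|none)$')   # post-patch: operation="pattern match"

def bootproto_value(ifcfg_text):
    """First BOOTPROTO value in one ifcfg file (OVAL instance 1), or None.
    The capture group already strips surrounding quotes and a '# comment'."""
    m = BOOTPROTO_RE.search(ifcfg_text)
    return m.group(1) if m else None

def evaluate(ifcfg_files, state):
    """Approximate check="all" / check_existence="all_exist": every file that has
    a BOOTPROTO line must satisfy the state, and at least one such line must
    exist. Returns (passed, {filename: value}) so a failing value is visible."""
    values = {name: bootproto_value(text) for name, text in ifcfg_files.items()}
    found = {n: v for n, v in values.items() if v is not None}
    passed = bool(found) and all(state.match(v) for v in found.values())
    return passed, values

# Constructed sample ifcfg files (not taken from a real host).
ETH0 = "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=192.168.1.2\nNETMASK=255.255.255.0\n"
ETH1 = 'DEVICE=eth1\nBOOTPROTO="static"  # legacy spelling\nIPADDR=192.168.1.3\n'
ETH2 = "DEVICE=eth2\nBOOTPROTO=dhcp\n"
LO = "DEVICE=lo\nIPADDR=127.0.0.1\nNETMASK=255.0.0.0\n"   # no BOOTPROTO line at all

if __name__ == "__main__":
    static_host = {"ifcfg-eth0": ETH0, "ifcfg-eth1": ETH1, "ifcfg-lo": LO}
    # Old state rejects the 'none' that system-config-network writes for eth0.
    print("old state:", evaluate(static_host, OLD_STATE)[0])   # False
    # New state accepts both 'none' and the legacy quoted 'static'.
    print("new state:", evaluate(static_host, NEW_STATE)[0])   # True
    # A DHCP interface still fails under the new state.
    print("with dhcp:", evaluate({**static_host, "ifcfg-eth2": ETH2}, NEW_STATE)[0])  # False
```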
From 31ea21e1fa0cdf75f26dafc50c409cbcedb4ef16 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Fri, 30 May 2014 15:31:30 +0200 Subject: [PATCH] [RHEL/6] When checking for static IP address configuration, check also for BOOTPROTO=none in network-scripts (since that's what system-config-network or nm-connection-editor creates when requesting static IP configuration for connection) [RHEL/7] Update sysconfig_networking_bootproto_ifcfg rule to recommend BOOTPROTO=none instead of BOOTPROTO=static [shared] Move RHEL-6 sysconfig_networking_bootproto_ifcfg specific check to be shared one Signed-off-by: Jan Lieskovsky <[email protected]> --- .../sysconfig_networking_bootproto_ifcfg.xml | 35 +--------------------- RHEL/6/input/services/dhcp.xml | 4 +-- .../sysconfig_networking_bootproto_ifcfg.xml | 1 + RHEL/7/input/services/dhcp.xml | 4 +-- .../oval/sysconfig_networking_bootproto_ifcfg.xml | 35 ++++++++++++++++++++++ .../disa-stig-rhel5-v1r0.6-xccdf-manual.xml | 2 +- 6 files changed, 42 insertions(+), 39 deletions(-) mode change 100644 => 120000 RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml create mode 120000 RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml create mode 100644 shared/oval/sysconfig_networking_bootproto_ifcfg.xml diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml deleted file mode 100644 index 6d2237e..0000000 --- a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<def-group> - <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg" - version="1"> - <metadata> - <title>Disable DHCP Client</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>DHCP configuration should be static for all - interfaces.</description> - <reference source="MED" ref_id="20130813" ref_url="test_attestation" /> - </metadata> - <criteria comment="Test for BOOTPROTO=static across all interfaces"> - <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="all_exist" - comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" - id="test_sysconfig_networking_bootproto_ifcfg" version="1"> - <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" /> - <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_sysconfig_networking_bootproto_ifcfg" - version="1"> - <ind:subexpression operation="equals">static</ind:subexpression> - </ind:textfilecontent54_state> - <ind:textfilecontent54_object id="obj_sysconfig_networking_bootproto_ifcfg" - version="1"> - <ind:path>/etc/sysconfig/network-scripts</ind:path> - <ind:filename operation="pattern match">ifcfg-.*</ind:filename> - <ind:pattern operation="pattern match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml new file mode 120000 index 0000000..a118ae3 --- /dev/null +++ b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml 
@@ -0,0 +1 @@ +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml \ No newline at end of file diff --git a/RHEL/6/input/services/dhcp.xml b/RHEL/6/input/services/dhcp.xml index 38d9770..4f64ed0 100644 --- a/RHEL/6/input/services/dhcp.xml +++ b/RHEL/6/input/services/dhcp.xml @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit following changes: <ul> <li> Correct the BOOTPROTO line to read: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> </li> <li> Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: @@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre> To verify that DHCP is not being used, examine the following file for each interface: <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> Look for the following: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> and the following, substituting the appropriate values based on your site's addressing scheme: <pre>NETMASK=255.255.255.0 IPADDR=192.168.1.2 diff --git a/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml new file mode 120000 index 0000000..a118ae3 --- /dev/null +++ b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml @@ -0,0 +1 @@ +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml \ No newline at end of file diff --git a/RHEL/7/input/services/dhcp.xml b/RHEL/7/input/services/dhcp.xml index 4c2bab7..997e550 100644 --- a/RHEL/7/input/services/dhcp.xml +++ b/RHEL/7/input/services/dhcp.xml @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit following changes: <ul> <li> Correct the BOOTPROTO line to read: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> </li> <li> Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: 
@@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre> To verify that DHCP is not being used, examine the following file for each interface: <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> Look for the following: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> and the following, substituting the appropriate values based on your site's addressing scheme: <pre>NETMASK=255.255.255.0 IPADDR=192.168.1.2 diff --git a/shared/oval/sysconfig_networking_bootproto_ifcfg.xml b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml new file mode 100644 index 0000000..a597307 --- /dev/null +++ b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml 
@@ -0,0 +1,35 @@ +<def-group> + <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg" + version="2"> + <metadata> + <title>Disable DHCP Client</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>DHCP configuration should be static for all + interfaces.</description> + <reference source="JL" ref_id="20140530" ref_url="test_attestation" /> + </metadata> + <criteria comment="Test for BOOTPROTO=(static|none) across all interfaces"> + <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" + id="test_sysconfig_networking_bootproto_ifcfg" version="1"> + <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" /> + <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_state id="state_sysconfig_networking_bootproto_ifcfg" + version="2"> + <ind:subexpression operation="pattern match">^(static|none)$</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="obj_sysconfig_networking_bootproto_ifcfg" + version="1"> + <ind:path>/etc/sysconfig/network-scripts</ind:path> + <ind:filename operation="pattern match">ifcfg-.*</ind:filename> + <ind:pattern operation="pattern match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml index 4a0b8a4..8de9c0c 100644 --- a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml 
+++ b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml @@ -17571,7 +17571,7 @@ xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/sch <dc:identifier>2154</dc:identifier> </reference> <ident system="http://iase.disa.mil/cci">CCI-000366</ident> - <fixtext fixref="F-24173r1_fix">Edit the "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto" setting to "static".</fixtext> + <fixtext fixref="F-24173r1_fix">Edit the "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto" setting to "none".</fixtext> <fix id="F-24173r1_fix" /> <check system="C-36811r1_chk"> <check-content-ref name="M" href="VMS_XCCDF_Benchmark_RHEL_5_STIG.xml" /> -- 1.8.3.1
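Review bot: in the new shared/oval/sysconfig_networking_bootproto_ifcfg.xml hunk, the comment attribute on test_sysconfig_networking_bootproto_ifcfg still describes the expression as `^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)`, while the object it references actually uses `^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)`; since the file is being created here, align the comment with the real pattern. The test also keeps version="1" although what it accepts has changed (the state moved from equals "static" to pattern match ^(static|none)$ and the definition and state went to version="2"); bumping the test version as well keeps the three elements consistent for anyone diffing content releases.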
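Review bot: the last hunk edits shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml, which is a copy of the DISA-published RHEL 5 STIG; changing the fixtext for F-24173r1_fix from "static" to "none" makes the local copy differ from what DISA actually published and the edit will be lost the next time the reference file is refreshed from upstream. Suggest dropping this hunk and leaving the recommendation of 'none' to the project's own rule text in RHEL/6 and RHEL/7 input/services/dhcp.xml, which the patch already updates.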
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
