----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Friday, May 30, 2014 5:55:52 PM
> Subject: Re: [PATCH] [RHEL/6] [RHEL/7] [shared] When checking for static IP address configuration in network scripts allow BOOTPROTO to match also "none" (since that's what system-config-network / nm-connection-editor do when creating static IP connection)
> 
> 
> On 5/30/14, 9:51 AM, Jan Lieskovsky wrote:
> 
> As noted in:
>   [1] https://github.com/cobbler/cobbler/issues/361
>   [2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
> the BOOTPROTO variable in /etc/sysconfig/network-scripts can have just one of
> the (none|bootp|dhcp) values.
> 
> Initscripts knows also only these three:
>   [3] https://git.fedorahosted.org/cgit/initscripts.git/tree/sysconfig.txt
> meaning that when the 'bootp' or 'dhcp' options are used, the DHCP client is
> run on the device. Any other option is dealt with / considered to mean static
> configuration.
> 
> When system-config-network / system-config-network-tui / nm-connection-editor
> creates a new connection with static IP configuration, it uses BOOTPROTO=none
> in the particular /etc/sysconfig/network-scripts/ifcfg-conn-name script
> (can be verified by creating a sample connection).
> 
> Based on bug:
>   [4] https://bugzilla.redhat.com/show_bug.cgi?id=528068
> and the resulting patch:
>   [5] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=c31b3e455414a5a7bf57d9fed1442367e9e4c917
> NetworkManager (starting from NetworkManager-0.7.996-5.git20091021.fc12)
> treats BOOTPROTO=static as an alias for BOOTPROTO=none (doesn't complain when
> 'static' is used as the BOOTPROTO specification).
> 
> But since the RHEL-6 Deployment Guide [2] and the initscripts code [3] know /
> suggest the use of 'none', enhance the sysconfig_networking_bootproto_ifcfg
> OVAL check to allow test success also in case 'none' is used as the BOOTPROTO
> specification (since that actually is what is used when a new static IP
> connection is created, e.g. via system-config-network or nm-connection-editor).
> 
> Besides that (support also for 'none' in the BOOTPROTO specification), the
> patch starts to recommend the use of 'none' in the appropriate places (RHEL/6
> and RHEL/7 XCCDF rule descriptions, STIG reference) & moves the originally
> RHEL-6 specific sysconfig_networking_bootproto_ifcfg OVAL check to be a shared
> one.
> 
> The change has been tested on both RHEL/6 & RHEL/7; the rpm(s) build
> correctly and the change seems to be working as expected (on both products).
> 
> Please review.
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
> 
> 0001-RHEL-6-When-checking-for-static-IP-address-configura.patch
> From 31ea21e1fa0cdf75f26dafc50c409cbcedb4ef16 Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Fri, 30 May 2014 15:31:30 +0200
> Subject: [PATCH] [RHEL/6] When checking for static IP address configuration,
>  check also for BOOTPROTO=none in network-scripts (since that's what
>  system-config-network or nm-connection-editor creates when
>  requesting static IP configuration for connection)
>  [RHEL/7] Update sysconfig_networking_bootproto_ifcfg rule to recommend
>  BOOTPROTO=none instead of BOOTPROTO=static
>  [shared] Move RHEL-6 sysconfig_networking_bootproto_ifcfg specific check to
>  be shared one
> 
> Signed-off-by: Jan Lieskovsky <[email protected]>
> ---
>  .../sysconfig_networking_bootproto_ifcfg.xml       | 35 +---------------------
>  RHEL/6/input/services/dhcp.xml                     |  4 +--
>  .../sysconfig_networking_bootproto_ifcfg.xml       |  1 +
>  RHEL/7/input/services/dhcp.xml                     |  4 +--
>  .../oval/sysconfig_networking_bootproto_ifcfg.xml  | 35 ++++++++++++++++++++++
>  .../disa-stig-rhel5-v1r0.6-xccdf-manual.xml        |  2 +-
>  6 files changed, 42 insertions(+), 39 deletions(-)
>  mode change 100644 => 120000 RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
>  create mode 120000 RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
>  create mode 100644 shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> 
> diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> deleted file mode 100644
> index 6d2237e..0000000
> --- a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> +++ /dev/null
> @@ -1,34 +0,0 @@
> -<def-group>
> -  <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg"
> -  version="1">
> -    <metadata>
> -      <title>Disable DHCP Client</title>
> -      <affected family="unix">
> -        <platform>Red Hat Enterprise Linux 6</platform>
> -      </affected>
> -      <description>DHCP configuration should be static for all
> -      interfaces.</description>
> -      <reference source="MED" ref_id="20130813" ref_url="test_attestation"
> />
> -    </metadata>
> -    <criteria comment="Test for BOOTPROTO=static across all interfaces">
> -      <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" />
> -    </criteria>
> -  </definition>
> -  <ind:textfilecontent54_test check="all" check_existence="all_exist"
> -  comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)
> expression in the /etc/sysconfig/network-scripts/ifcfg-.* file"
> -  id="test_sysconfig_networking_bootproto_ifcfg" version="1">
> -    <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" />
> -    <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" />
> -  </ind:textfilecontent54_test>
> -  <ind:textfilecontent54_state
> id="state_sysconfig_networking_bootproto_ifcfg"
> -  version="1">
> -    <ind:subexpression operation="equals">static</ind:subexpression>
> -  </ind:textfilecontent54_state>
> -  <ind:textfilecontent54_object
> id="obj_sysconfig_networking_bootproto_ifcfg"
> -  version="1">
> -    <ind:path>/etc/sysconfig/network-scripts</ind:path>
> -    <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
> -    <ind:pattern operation="pattern
> match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern>
> -    <ind:instance datatype="int">1</ind:instance>
> -  </ind:textfilecontent54_object>
> -</def-group>
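Review bot: the deleted RHEL/6 state compared the captured value with operation="equals" against `static`, so a RHEL/6 host configured through system-config-network (BOOTPROTO=none, per the cover letter) failed this rule before the change; deleting the file is only safe because the symlink in the next file header points the RHEL/6 tree at the shared definition, so the deletion and the symlink must land in the same commit.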
> diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> new file mode 120000
> index 0000000..a118ae3
> --- /dev/null
> +++ b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> @@ -0,0 +1 @@
> +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> \ No newline at end of file
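Review bot: the symlink target `../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml` is relative to RHEL/6/input/checks/, and four parent steps do reach the repository root where shared/ lives, so the link resolves; the `\ No newline at end of file` marker is the normal representation of a symlink blob, not a defect.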
> diff --git a/RHEL/6/input/services/dhcp.xml b/RHEL/6/input/services/dhcp.xml
> index 38d9770..4f64ed0 100644
> --- a/RHEL/6/input/services/dhcp.xml
> +++ b/RHEL/6/input/services/dhcp.xml
> @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit
>  following changes:
>  <ul>
>  <li> Correct the BOOTPROTO line to read:
> -<pre>BOOTPROTO=static</pre>
> +<pre>BOOTPROTO=none</pre>
>  </li>
>  <li> Add or correct the following lines, substituting the appropriate
>  values based on your site's addressing scheme:
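Review bot: the fix text now says BOOTPROTO=none while the shared OVAL state accepts both `static` and `none`; add a short note here that an existing BOOTPROTO=static line also passes, otherwise administrators following this guidance will rewrite already-compliant files for no gain.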
> @@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre>
>  To verify that DHCP is not being used, examine the following file for each
>  interface:
>  <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
>  Look for the following:
> -<pre>BOOTPROTO=static</pre>
> +<pre>BOOTPROTO=none</pre>
>  and the following, substituting the appropriate values based on your site's
>  addressing scheme:
>  <pre>NETMASK=255.255.255.0
>  IPADDR=192.168.1.2
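Review bot: the manual verification step ("Look for the following: BOOTPROTO=none") is stricter than the automated check, which passes on `^(static|none)$`; say that either value indicates DHCP is disabled, so a manual reviewer and the scanner reach the same verdict on a host that still uses `static`.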
> diff --git a/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> new file mode 120000
> index 0000000..a118ae3
> --- /dev/null
> +++ b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
> @@ -0,0 +1 @@
> +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> \ No newline at end of file
> diff --git a/RHEL/7/input/services/dhcp.xml b/RHEL/7/input/services/dhcp.xml
> index 4c2bab7..997e550 100644
> --- a/RHEL/7/input/services/dhcp.xml
> +++ b/RHEL/7/input/services/dhcp.xml
> @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit
>  following changes:
>  <ul>
>  <li> Correct the BOOTPROTO line to read:
> -<pre>BOOTPROTO=static</pre>
> +<pre>BOOTPROTO=none</pre>
>  </li>
>  <li> Add or correct the following lines, substituting the appropriate
>  values based on your site's addressing scheme:
> @@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre>
>  To verify that DHCP is not being used, examine the following file for each
>  interface:
>  <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
>  Look for the following:
> -<pre>BOOTPROTO=static</pre>
> +<pre>BOOTPROTO=none</pre>
>  and the following, substituting the appropriate values based on your site's
>  addressing scheme:
>  <pre>NETMASK=255.255.255.0
>  IPADDR=192.168.1.2
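Review bot: this RHEL/7 description and verification text is a line-for-line copy of the RHEL/6 dhcp.xml hunk, and the patch already consolidates the OVAL side into shared/; consider sharing the prose as well, so the next change to the recommended BOOTPROTO value does not have to be made twice and the two products cannot drift apart.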
> diff --git a/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> new file mode 100644
> index 0000000..a597307
> --- /dev/null
> +++ b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
> @@ -0,0 +1,35 @@
> +<def-group>
> +  <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg"
> +  version="2">
> +    <metadata>
> +      <title>Disable DHCP Client</title>
> +      <affected family="unix">
> +        <platform>Red Hat Enterprise Linux 6</platform>
> +        <platform>Red Hat Enterprise Linux 7</platform>
> +      </affected>
> +      <description>DHCP configuration should be static for all
> +      interfaces.</description>
> +      <reference source="JL" ref_id="20140530" ref_url="test_attestation" />
> +    </metadata>
> +    <criteria comment="Test for BOOTPROTO=(static|none) across all
> interfaces">
> +      <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" />
> +    </criteria>
> +  </definition>
> +  <ind:textfilecontent54_test check="all" check_existence="all_exist"
> +  comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)
> expression in the /etc/sysconfig/network-scripts/ifcfg-.* file"
> +  id="test_sysconfig_networking_bootproto_ifcfg" version="1">
> +    <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" />
> +    <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" />
> +  </ind:textfilecontent54_test>
> +  <ind:textfilecontent54_state
> id="state_sysconfig_networking_bootproto_ifcfg"
> +  version="2">
> +    <ind:subexpression operation="pattern
> match">^(static|none)$</ind:subexpression>
> +  </ind:textfilecontent54_state>
> +  <ind:textfilecontent54_object
> id="obj_sysconfig_networking_bootproto_ifcfg"
> +  version="1">
> +    <ind:path>/etc/sysconfig/network-scripts</ind:path>
> +    <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
> +    <ind:pattern operation="pattern
> match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern>
> +    <ind:instance datatype="int">1</ind:instance>
> +  </ind:textfilecontent54_object>
> +</def-group>
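Review bot: the `comment` attribute on test_sysconfig_networking_bootproto_ifcfg still quotes `^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)`, which is not the pattern the object actually uses (`^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)`, which also strips surrounding quotes and a trailing comment); update the comment so it describes the real regex. The state pattern `^(static|none)$` is applied to subexpression 1 and is case-sensitive, so an upper-case value such as BOOTPROTO=NONE would fail; if that is intended, mention it in the criteria comment. Bumping the definition and the state to version 2 while leaving the test at version 1 is fine, since the test element itself did not change.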
> diff --git a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
> b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
> index 4a0b8a4..8de9c0c 100644
> --- a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
> +++ b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
> @@ -17571,7 +17571,7 @@ xsi:schemaLocation="
> http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/sch
> <dc:identifier>2154</dc:identifier>
>        </reference>
>        <ident system= "http://iase.disa.mil/cci"; >CCI-000366</ident>
> -      <fixtext fixref="F-24173r1_fix">Edit the
> "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto"
> setting to "static".</fixtext>
> +      <fixtext fixref="F-24173r1_fix">Edit the
> "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto"
> setting to "none".</fixtext>
>        <fix id="F-24173r1_fix" />
>        <check system="C-36811r1_chk">
>          <check-content-ref name="M"
>          href="VMS_XCCDF_Benchmark_RHEL_5_STIG.xml" />
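Review bot: shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml is a reference copy of the published DISA RHEL 5 STIG rather than content this project generates, so rewriting its fixtext from "static" to "none" makes the local copy misquote the STIG; drop this hunk and keep the BOOTPROTO=none recommendation in the SSG rule descriptions (the dhcp.xml hunks) only.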
> --
> 1.8.3.1
> 
> Absolutely the right call for OVAL to reflect the static|none regex, while XCCDF
> is updated for only none. Ack to those pieces.
> 
> The disa-stig-rhel5-v1r0.6-xccdf-manual.xml file should remain unchanged
> (it's a referenceable copy of the actual RHEL5 STIG, not something SSG
> generates/manipulates directly).

Interesting, good to know. Thanks for the review. Excluded the
disa-stig-rhel5-v1r0.6-xccdf-manual.xml file from the list of changes &
pushed to master.


Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
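As an added illustration (not part of this thread and not the SSG project's own code), the following Python script re-implements the logic of the shared OVAL check discussed above over constructed ifcfg file contents: it applies the object pattern `^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)` to each file, takes the first match (instance 1), and evaluates the captured value against the new `^(static|none)$` state and, for comparison, the old `equals static` state. The function names, the sample files, and the choice to treat a file with no BOOTPROTO line as failing are assumptions of this example, not something the OVAL content in the patch specifies.

```python
import re

# Object pattern and state patterns as they appear in the patch's
# shared/oval/sysconfig_networking_bootproto_ifcfg.xml.
BOOTPROTO_RE = re.compile(r'^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)', re.MULTILINE)
NEW_STATE_RE = re.compile(r'^(static|none)$')   # state version 2 (this patch)
OLD_STATE_RE = re.compile(r'^static$')          # old state: operation="equals" static


def bootproto_value(ifcfg_text):
    """First captured BOOTPROTO value in one ifcfg file (instance 1), or None if absent."""
    m = BOOTPROTO_RE.search(ifcfg_text)
    return m.group(1) if m else None


def passes_state(value, state_re):
    """Apply a subexpression state (full-match regex) to the captured value."""
    return value is not None and state_re.match(value) is not None


def evaluate(ifcfg_files, state_re=NEW_STATE_RE):
    """Emulate check="all" check_existence="all_exist": every file must satisfy the state.

    Assumption of this example (not stated by the OVAL content): a file with no
    BOOTPROTO line counts as a failing file, so the overall result is conservative.
    Returns (overall_pass, {filename: passed}).
    """
    per_file = {name: passes_state(bootproto_value(text), state_re)
                for name, text in ifcfg_files.items()}
    return bool(per_file) and all(per_file.values()), per_file


# Constructed sample files, not taken from any real system.
SAMPLE_IFCFG = {
    "ifcfg-eth0": "DEVICE=eth0\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=192.168.1.2\n",
    "ifcfg-eth1": 'DEVICE=eth1\nBOOTPROTO="static"\nONBOOT=yes\n',        # quoted value
    "ifcfg-eth2": "DEVICE=eth2\n  BOOTPROTO = none   # set by admin\n",   # spaces, comment
    "ifcfg-eth3": "DEVICE=eth3\nBOOTPROTO=dhcp\nONBOOT=yes\n",            # DHCP client: fails
}

if __name__ == "__main__":
    overall, detail = evaluate(SAMPLE_IFCFG)
    for name, passed in sorted(detail.items()):
        value = bootproto_value(SAMPLE_IFCFG[name])
        print(f"{name}: BOOTPROTO={value!r} -> {'pass' if passed else 'FAIL'}")
    print("overall (new state):", "pass" if overall else "FAIL")
    print("overall (old state, eth3 removed):",
          "pass" if evaluate({k: v for k, v in SAMPLE_IFCFG.items()
                              if k != "ifcfg-eth3"}, OLD_STATE_RE)[0] else "FAIL")
```

Running it shows why the `[\s"]*` prefix and the `[^#"\s]*` capture matter: quoted values and trailing comments are normalised before the state is applied, and the anchored `^(static|none)$` rejects near-misses such as an empty value or `staticx`, while the old `equals static` state rejected a perfectly static BOOTPROTO=none interface.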

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide