Hello Nick,

On Tue, Sep 10, 2019 at 4:32 PM Nick Jensen <n...@alienonesecurity.com>
wrote:

> Hello! Came across this issue… is this the right place to report it?
>

This is probably better suited to the Content list
<scap-security-gu...@lists.fedorahosted.org>. I have added it to CC.


>
> Following provisioning a system and running some hardening processes my
> team noticed a “bad file” at `/etc/sysconfig/network-scripts/
> ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.
>

> The only reference I’ve found is in the ssg-centos7-ds.xml file:
>

I'm curious what version of Content or SSG you are using.
I recognize this snippet, and it is not maintained in upstream.
See https://github.com/ComplianceAsCode/content/pull/2328
The main reason being that the script assumes a lot of things about network
configuration and interfaces, and it will not configure the appropriate
interface into the appropriate zone.

That being said, I'd like to understand your use case on this rule and
remediation.
Except for the bug you just reported, would it set the interface as
expected?
Can the script be made generic enough and still be useful?


> ```
> if [ $nic_bound = false ]; then
>     # Add first NIC to SSH enabled zone
>     if ! firewall-cmd --state -q; then
>         replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
>     else
>         # If firewalld service is running, we need to do this step with firewall-cmd
>         # Otherwise firewalld will communicate with NetworkManager and will revert assigned zone
>         # of NetworkManager managed interfaces upon reload
>         firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
>         firewall-cmd --reload
>     fi
> fi
> ```
>
> It appears that `eth_interface_list` is defined via the following in the same
> file:
>
> ```
> eth_interface_list=$(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)')
> ```
>
> and then used as `${eth_interface_list[0]}`, which gets all active
> interfaces separated by newlines versus the intended… just the first active
> interface.
>
> This should be accomplished by adding another set of parentheses:
>
> ```
> eth_interface_list=($(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'))
> ```
>
> then it should work as intended.
>
>
>
> Sincerely,
>
> Nick
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list



-- 
Watson Sato
Security Technologies | Red Hat, Inc
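To make the quoted bug concrete, here is an added bash example (mine, not SSG or Red Hat content) that runs the snippet's own filter pipeline over a constructed `ip link show up` sample and compares the scalar assignment with the array form Nick proposed; `extract_interfaces`, `buggy_first_interface` and `fixed_first_interface` are names I chose, and the fixed form also refuses to return an empty name when no `en*`/`eth*` interface is up.

```bash
#!/usr/bin/env bash
# Added example, not SSG content: why ${eth_interface_list[0]} yields every
# interface when the variable is a scalar, and what the array form returns.

# Constructed sample of `ip link show up` output; no real host is queried.
SAMPLE_IP_LINK_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff'

# Same filter pipeline as the SSG snippet, reading stdin instead of running ip(8).
extract_interfaces() {
    cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'
}

# Buggy form: scalar assignment. bash treats ${var[0]} of a scalar as $var,
# so the "first NIC" is really "eno49<newline>eno1", which is how the
# newline-joined name ended up in the ifcfg- filename from the report.
buggy_first_interface() {
    local eth_interface_list
    eth_interface_list=$(extract_interfaces)
    printf '%s' "${eth_interface_list[0]}"
}

# Fixed form: array assignment, so [0] is the first match. Returns 1 when no
# en*/eth* interface is up, so a caller never writes an ifcfg- file or calls
# firewall-cmd --add-interface= with an empty interface name.
fixed_first_interface() {
    local -a eth_interface_list
    eth_interface_list=($(extract_interfaces))   # word-split on newlines, as in Nick's fix
    [ "${#eth_interface_list[@]}" -gt 0 ] || return 1
    printf '%s' "${eth_interface_list[0]}"
}

main() {
    # %q makes the embedded newline in the buggy result visible.
    printf 'buggy: %q\n' "$(printf '%s\n' "$SAMPLE_IP_LINK_OUTPUT" | buggy_first_interface)"
    printf 'fixed: %q\n' "$(printf '%s\n' "$SAMPLE_IP_LINK_OUTPUT" | fixed_first_interface)"
}
main "$@"
```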
