[Open-scap] affecting the sysconfig ifcfg network scripts

Nick Jensen nick at alienonesecurity.com
Tue Sep 10 14:31:35 UTC 2019


Hello! Came across this issue… is this the right place to report it?


After provisioning a system and running some hardening processes, my team noticed a “bad file” at `/etc/sysconfig/network-scripts/ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.

The only reference I’ve found is in the ssg-centos7-ds.xml file:

```
if [ $nic_bound = false ];then
    # Add first NIC to SSH enabled zone

    if ! firewall-cmd --state -q; then
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy" />
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If the firewalld service is running, we need to do this step with firewall-cmd.
        # Otherwise firewalld will communicate with NetworkManager and will revert the assigned zone
        # of NetworkManager-managed interfaces upon reload
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```

It appears that `eth_interface_list` is defined via the following in the same file:

```
eth_interface_list=$(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)')
```

and then used as `${eth_interface_list[0]}`, which yields all active interfaces separated by newlines rather than the intended first active interface only.

This should be accomplished by adding another set of parentheses:

```
eth_interface_list=($(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'))
```

then it should work as intended.



Sincerely,

Nick
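The behaviour described in the message above, reproduced as an added example that is not part of the original post or of the SSG datastream. The `ip link show up` output is a constructed sample embedded in the script, the interface names are chosen to mirror the reported file name, and the function names (`buggy_ifcfg_path`, `fixed_ifcfg_path`, `safe_ifcfg_path`, `show_bad_file_name`) are this example's own. Besides the `( )` fix from the message it also shows a `mapfile` variant that avoids the unquoted expansion altogether, and it recreates the odd file name under a temporary directory to show where the `?` characters come from.

```bash
#!/usr/bin/env bash
# Added example, not code from the SSG datastream: reproduces the word-splitting
# bug on constructed 'ip link show up' output, then shows the proposed fix.

# Constructed stand-in for 'ip link show up' (not captured from a real host).
# Interface names mirror the ones in the reported file name.
sample_ip_link_show_up() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
4: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:03 brd ff:ff:ff:ff:ff:ff
5: eno50: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:04 brd ff:ff:ff:ff:ff:ff
6: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:05 brd ff:ff:ff:ff:ff:ff
7: eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:06 brd ff:ff:ff:ff:ff:ff
EOF
}

# The pipeline from the datastream, fed from the sample instead of 'ip'.
# The indented link/* lines have an empty second field and no ':' in it,
# so 'cut -s' drops them; 'lo' is then removed by the grep.
list_up_ethernet_interfaces() {
    sample_ip_link_show_up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'
}

# As shipped: $(...) is a single string with embedded newlines. Indexing a
# scalar with [0] returns the whole scalar, so every name ends up in the path.
buggy_ifcfg_path() {
    local eth_interface_list
    eth_interface_list=$(list_up_ethernet_interfaces)
    printf '%s' "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
}

# With the extra parentheses: the output is word-split into an array and [0]
# is the first up interface only.
fixed_ifcfg_path() {
    local -a eth_interface_list
    eth_interface_list=($(list_up_ethernet_interfaces))
    printf '%s' "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
}

# Same result without unquoted expansion: mapfile reads one element per line,
# so the array does not depend on IFS or on pathname expansion of the output.
safe_ifcfg_path() {
    local -a eth_interface_list
    mapfile -t eth_interface_list < <(list_up_ethernet_interfaces)
    printf '%s' "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
}

# Reproduce the "bad file": create the buggy file name under a temporary
# directory and list it with 'ls -q', which renders the embedded newlines as
# '?' (the same rendering ls uses by default on a terminal).
show_bad_file_name() {
    local tmp
    tmp=$(mktemp -d)
    : > "$tmp/$(basename "$(buggy_ifcfg_path)")"
    ls -q "$tmp"
    rm -rf "$tmp"
}

printf 'as shipped : %q\n' "$(buggy_ifcfg_path)"
printf 'with fix   : %s\n' "$(fixed_ifcfg_path)"
printf 'mapfile    : %s\n' "$(safe_ifcfg_path)"
printf 'ls -q shows: %s\n' "$(show_bad_file_name)"
```

The `( )` form from the message is enough to get the first interface, but it still passes the command output through IFS splitting and pathname expansion, which `mapfile -t` sidesteps. Note also that the same `${eth_interface_list[0]}` is handed to `firewall-cmd --add-interface=` in the other branch of the quoted snippet, so that branch received the whole newline-joined list as well.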