[Open-scap] affecting the sysconfig ifcfg network scripts
Nick Jensen
nick at alienonesecurity.com
Tue Sep 10 14:31:35 UTC 2019
Hello! Came across this issue… is this the right place to report it?
Following provisioning a system and running some hardening processes my team noticed a “bad file” at `/etc/sysconfig/network-scripts/ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.
The only reference I’ve found is in the ssg-centos7-ds.xml file:
```bash
if [ $nic_bound = false ];then
    # Add first NIC to SSH enabled zone
    if ! firewall-cmd --state -q; then
        <ns10:sub idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy" />
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If firewalld service is running, we need to do this step with firewall-cmd
        # Otherwise firewalld will comunicate with NetworkManage and will revert assigned zone
        # of NetworkManager managed interfaces upon reload
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```
It appears that `eth_interface_list` is defined via the following in the same file:
```bash
eth_interface_list=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
```
and then used as `${eth_interface_list[0]}`, which gets all active interfaces separated by newlines versus the intended… just the first active interface.
This should be accomplished by adding another set of parentheses:
```bash
eth_interface_list=($(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'))
```
then it should work as intended.
Sincerely,
Nick
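As an added example (not part of Nick's message or of the SSG project's own code), the following bash script reproduces the scalar-versus-array behaviour described above with constructed `ip link show up` output, and shows the ifcfg path each form would hand to `replace_or_append`:

```bash
#!/usr/bin/env bash
# Constructed sample of `ip link show up` output (not from a real host);
# lo and virbr0 are included to show the grep -E '^(en|eth)' filter at work.
sample_ip_link_output() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eno49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
4: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
EOF
}

# The same pipeline as the remediation script, fed from the sample instead of a live `ip`.
nic_pipeline() {
  sample_ip_link_output | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'
}

# Buggy form: $(...) stores the whole newline-separated list in a scalar,
# and ${scalar[0]} in bash is just the scalar, i.e. every interface name.
first_nic_buggy() {
  local eth_interface_list
  eth_interface_list=$(nic_pipeline)
  printf '%s' "${eth_interface_list[0]}"
}

# Fixed form: ($(...)) word-splits the output into a bash array,
# so ${array[0]} is the first interface only.
first_nic_fixed() {
  local -a eth_interface_list
  eth_interface_list=($(nic_pipeline))
  printf '%s' "${eth_interface_list[0]}"
}

# The path replace_or_append would receive; with the buggy form it contains
# embedded newlines, which `ls` renders as the '?' characters seen in the report.
ifcfg_path_for() {
  printf '/etc/sysconfig/network-scripts/ifcfg-%s' "$1"
}
```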