Hello Nick,

On Tue, Sep 10, 2019 at 4:32 PM Nick Jensen <nick@alienonesecurity.com> wrote:
Hello! Came across this issue… is this the right place to report it?

This is probably more fit to the Content list <scap-security-guide@lists.fedorahosted.org>. I have added it to CC.



Following provisioning a system and running some hardening processes my team noticed a “bad file” at `/etc/sysconfig/network-scripts/ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.

The only reference I’ve found is in the ssg-centos7-ds.xml file:

I'm curious what version of Content or SSG you are using.
I recognize this snippet, and it is not maintained in upstream.
See https://github.com/ComplianceAsCode/content/pull/2328
Main reason being that the script assumes a lot of things about network configuration and interfaces, and it will not configure the appropriate interface into appropriate zone.

That being said, I'd like to understand your use case on this rule and remediation.
Except for the bug you just reported, would it set an interface as expected?
Can the script be made generic enough and still be useful?


```
if [ $nic_bound = false ];then
    # Add first NIC to SSH enabled zone

    if ! firewall-cmd --state -q; then
        # Placeholder left in the datastream; it is substituted with the definition of the replace_or_append helper
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy" />
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If firewalld service is running, we need to do this step with firewall-cmd
        # Otherwise firewalld will communicate with NetworkManager and will revert assigned zone
        # of NetworkManager managed interfaces upon reload
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```

It appears that `eth_interface_list` is defined via following in same file:

```
eth_interface_list=$(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)')
```

and then used as `${eth_interface_list[0]}`, which gets all active interfaces separated by newlines versus the intended… just the first active interface.

This should be accomplished by adding another set of parentheses:

```
eth_interface_list=($(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'))
```

then it should work as intended.



Sincerely,

Nick
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list


--
Watson Sato
Security Technologies | Red Hat, Inc
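The scalar-versus-array mistake Nick describes can be reproduced without touching a real host. The following is an added example, not code from the thread or from the ComplianceAsCode project: it feeds a constructed sample of `ip link show up` output (the interface names and MAC addresses are made up) through the same `cut`/`grep` pipeline, once assigned as a plain string and once as a bash array, and returns what `${eth_interface_list[0]}` expands to in each case. Because `[0]` on a non-array variable yields the whole string, the buggy form produces a multi-line "interface name", which is exactly how a path like `ifcfg-eno49?eno1?...` ends up on disk (`ls` renders the embedded newlines as `?`).

```bash
#!/usr/bin/env bash
# Added example (not part of the original thread): reproduces the bash array bug
# from the firewalld zone remediation using constructed `ip link show up` output.

# Constructed sample output; names and MAC addresses are invented for the demo.
sample_ip_link() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
4: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:57 brd ff:ff:ff:ff:ff:ff
EOF
}

# The pipeline from the remediation: second space-separated field ("eno1:"),
# strip the trailing colon (-s drops lines with no colon, i.e. the link/ lines),
# keep only wired-looking names.
list_wired_ifaces() {
  sample_ip_link | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'
}

# Buggy form: plain string assignment. In bash, ${scalar[0]} is the whole scalar,
# so the "first NIC" is really "eno1<newline>eno2".
buggy_first_nic() {
  local eth_interface_list
  eth_interface_list=$(list_wired_ifaces)
  printf '%s' "${eth_interface_list[0]}"
}

# Fixed form: the extra parentheses word-split the output into an array,
# so index 0 is the first interface only.
fixed_first_nic() {
  local eth_interface_list
  eth_interface_list=($(list_wired_ifaces))
  printf '%s' "${eth_interface_list[0]}"
}

# Number of elements the fixed form sees (one per active wired interface).
fixed_nic_count() {
  local eth_interface_list
  eth_interface_list=($(list_wired_ifaces))
  printf '%s' "${#eth_interface_list[@]}"
}

# Path the remediation would pass to replace_or_append; with the buggy form
# this contains an embedded newline, which `ls` shows as `?`.
ifcfg_path_for() {
  printf '/etc/sysconfig/network-scripts/ifcfg-%s' "$1"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf 'buggy : %q\n' "$(ifcfg_path_for "$(buggy_first_nic)")"
  printf 'fixed : %q\n' "$(ifcfg_path_for "$(fixed_first_nic)")"
  printf 'count : %s\n' "$(fixed_nic_count)"
fi
```

The `%q` format in the final block makes the stray newline visible in the buggy path. Note that `($(...))` relies on word splitting, which is fine for interface names but would misbehave on names containing whitespace or glob characters; `mapfile -t eth_interface_list < <(...)` is the more robust bash idiom if the script were to be kept and generalised, as Watson asks about above.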