Hello! Came across this issue… is this the right place to report it?
Following provisioning a system and running some hardening processes my team noticed a “bad file” at `/etc/sysconfig/network-scripts/ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.
The only reference I’ve found is in the ssg-centos7-ds.xml file:
I'm curious what version of Content or SSG you are using.
I recognize this snippet, and it is not maintained in upstream.
Main reason being that the script assumes a lot of things about network configuration and interfaces, and it will not configure the appropriate interface into the appropriate zone.
That being said, I'd like to understand your use case on this rule and remediation.
Except for the bug you just reported, would it set an interface as expected?
Can the script be made generic enough and still be useful?
```
if [ $nic_bound = false ];then
    # Add first NIC to SSH enabled zone
    if ! firewall-cmd --state -q; then
        <ns10:sub idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy" />
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If firewalld service is running, we need to do this step with firewall-cmd
        # Otherwise firewalld will communicate with NetworkManager and will revert assigned zone
        # of NetworkManager managed interfaces upon reload
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```
It appears that `eth_interface_list` is defined via the following in the same file:
```
eth_interface_list=$(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)')
```
and then used as `${eth_interface_list[0]}`, which gets all active interfaces separated by newlines versus the intended… just the first active interface.
This should be accomplished by adding another set of parentheses:
```
eth_interface_list=($(ip link show up | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'))
```
then it should work as intended.
Sincerely,
Nick
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
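
Added example, not part of the thread or of the SSG content: the pipeline quoted above run over a constructed `ip link show up` sample, showing why the scalar form yields a file name with embedded newlines and the array form yields only the first interface. The function names, the sample output and the `target_checked` variant (which validates the name before building a path) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Arrays are a bash feature; re-run under bash if another shell started this file.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

dir=/etc/sysconfig/network-scripts

# Constructed sample of `ip link show up` output; MAC addresses are made up.
sample_ip_link() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
    link/ether 00:00:5e:00:53:02 brd ff:ff:ff:ff:ff:ff
4: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
    link/ether 00:00:5e:00:53:03 brd ff:ff:ff:ff:ff:ff
EOF
}

# The pipeline from the thread, fed with the sample instead of the live command.
list_nics() {
  sample_ip_link | cut -d' ' -f2 | cut -d':' -s -f1 | grep -E '^(en|eth)'
}

# Scalar capture: [0] on a plain string is the whole string, newlines included.
target_scalar() {
  local eth_interface_list
  eth_interface_list=$(list_nics)
  printf '%s' "$dir/ifcfg-${eth_interface_list[0]}"
}

# Extra parentheses: word splitting fills an array, [0] is the first name only.
target_array() {
  local eth_interface_list
  eth_interface_list=($(list_nics))
  printf '%s' "$dir/ifcfg-${eth_interface_list[0]}"
}

# Assumed stricter variant: read one name per line and refuse unexpected characters.
target_checked() {
  local -a nics
  mapfile -t nics <<< "$(list_nics)"
  [[ ${nics[0]} =~ ^[A-Za-z0-9_.-]+$ ]] || return 1
  printf '%s' "$dir/ifcfg-${nics[0]}"
}

printf 'scalar : %q\narray  : %q\nchecked: %q\n' \
  "$(target_scalar)" "$(target_array)" "$(target_checked)"
```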