As noted in:
[1] https://github.com/cobbler/cobbler/issues/361
[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_L...
the BOOTPROTO variable in /etc/sysconfig/network-scripts can have just one of
the (none|bootp|dhcp) values.
Initscripts also knows only these three:
[3] https://git.fedorahosted.org/cgit/initscripts.git/tree/sysconfig.txt
meaning when the 'bootp' or 'dhcp' options are used, the DHCP client is run
on the device. Any other option is dealt with / considered to mean static
configuration.
When system-config-network / system-config-network-tui / nm-connection-editor
creates a new connection with static IP configuration, it uses BOOTPROTO=none
in the particular /etc/sysconfig/network-scripts/ifcfg-conn-name script (this
can be verified by creating a sample connection).
Based on bug:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=528068
and the resulting patch:
[5] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=c3...
NetworkManager (starting from NetworkManager-0.7.996-5.git20091021.fc12) treats
BOOTPROTO=static as an alias for BOOTPROTO=none (it doesn't complain when
'static' is used as the BOOTPROTO specification).
But since the RHEL-6 Deployment Guide [2] and the initscripts code [3] know /
suggest the use of 'none', enhance the sysconfig_networking_bootproto_ifcfg
OVAL check to allow test success also in case 'none' is used as the BOOTPROTO
specification (since that actually is what is used when a new connection using
a static IP is created, e.g. via system-config-network or nm-connection-editor).
Besides that (support also for 'none' in the BOOTPROTO specification), the
patch starts to recommend the use of 'none' in the appropriate places (RHEL/6
and RHEL/7 XCCDF rule descriptions, STIG reference) & moves the originally
RHEL-6 specific sysconfig_networking_bootproto_ifcfg OVAL check to be a shared
one.
The change has been tested on both RHEL/6 & RHEL/7; the rpm(s) build correctly
and the change seems to be working as expected (on both products).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL-6-When-checking-for-static-IP-address-configura.patch
From 31ea21e1fa0cdf75f26dafc50c409cbcedb4ef16 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<jlieskov(a)redhat.com>
Date: Fri, 30 May 2014 15:31:30 +0200
Subject: [PATCH] [RHEL/6] When checking for static IP address configuration,
check also for BOOTPROTO=none in network-scripts (since that's what
system-config-network or nm-connection-editor creates when
requesting static IP configuration for connection) [RHEL/7] Update
sysconfig_networking_bootproto_ifcfg rule to recommend BOOTPROTO=none instead
of BOOTPROTO=static [shared] Move RHEL-6
sysconfig_networking_bootproto_ifcfg specific check to be shared one
Signed-off-by: Jan Lieskovsky<jlieskov(a)redhat.com>
---
.../sysconfig_networking_bootproto_ifcfg.xml | 35 +---------------------
RHEL/6/input/services/dhcp.xml | 4 +--
.../sysconfig_networking_bootproto_ifcfg.xml | 1 +
RHEL/7/input/services/dhcp.xml | 4 +--
.../oval/sysconfig_networking_bootproto_ifcfg.xml | 35 ++++++++++++++++++++++
.../disa-stig-rhel5-v1r0.6-xccdf-manual.xml | 2 +-
6 files changed, 42 insertions(+), 39 deletions(-)
mode change 100644 => 120000
RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
create mode 120000 RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
create mode 100644 shared/oval/sysconfig_networking_bootproto_ifcfg.xml
diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
deleted file mode 100644
index 6d2237e..0000000
--- a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<def-group>
- <definition class="compliance"
id="sysconfig_networking_bootproto_ifcfg"
- version="1">
- <metadata>
- <title>Disable DHCP Client</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>DHCP configuration should be static for all
- interfaces.</description>
- <reference source="MED" ref_id="20130813"
ref_url="test_attestation" />
- </metadata>
- <criteria comment="Test for BOOTPROTO=static across all
interfaces">
- <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg"
/>
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in
the /etc/sysconfig/network-scripts/ifcfg-.* file"
- id="test_sysconfig_networking_bootproto_ifcfg" version="1">
- <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg"
/>
- <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg"
/>
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state
id="state_sysconfig_networking_bootproto_ifcfg"
- version="1">
- <ind:subexpression
operation="equals">static</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object
id="obj_sysconfig_networking_bootproto_ifcfg"
- version="1">
- <ind:path>/etc/sysconfig/network-scripts</ind:path>
- <ind:filename operation="pattern
match">ifcfg-.*</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
new file mode 120000
index 0000000..a118ae3
--- /dev/null
+++ b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml
\ No newline at end of file
diff --git a/RHEL/6/input/services/dhcp.xml b/RHEL/6/input/services/dhcp.xml
index 38d9770..4f64ed0 100644
--- a/RHEL/6/input/services/dhcp.xml
+++ b/RHEL/6/input/services/dhcp.xml
@@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit
following changes:
<ul>
<li> Correct the BOOTPROTO line to read:
-<pre>BOOTPROTO=static</pre>
+<pre>BOOTPROTO=none</pre>
</li>
<li> Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
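Review bot: the remediation text now tells the reader to set `BOOTPROTO=none`, while the OVAL state introduced in this same patch accepts `^(static|none)$`; a reader who finds `BOOTPROTO=static` on a host cannot tell from this description why the scan still passes. Suggest one sentence after the `<pre>BOOTPROTO=none</pre>` line saying that `static` is tolerated only because NetworkManager treats it as an alias for `none` (the reasoning given in the cover letter), and that `none` is the value initscripts actually defines for static configuration.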
@@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre>
To verify that DHCP is not being used, examine the following file for each interface:
<pre>#
/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
Look for the following:
-<pre>BOOTPROTO=static</pre>
+<pre>BOOTPROTO=none</pre>
and the following, substituting the appropriate values based on your site's
addressing scheme:
<pre>NETMASK=255.255.255.0
IPADDR=192.168.1.2
diff --git a/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
new file mode 120000
index 0000000..a118ae3
--- /dev/null
+++ b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml
\ No newline at end of file
diff --git a/RHEL/7/input/services/dhcp.xml b/RHEL/7/input/services/dhcp.xml
index 4c2bab7..997e550 100644
--- a/RHEL/7/input/services/dhcp.xml
+++ b/RHEL/7/input/services/dhcp.xml
@@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit
following changes:
<ul>
<li> Correct the BOOTPROTO line to read:
-<pre>BOOTPROTO=static</pre>
+<pre>BOOTPROTO=none</pre>
</li>
<li> Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
@@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre>
To verify that DHCP is not being used, examine the following file for each interface:
<pre>#
/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
Look for the following:
-<pre>BOOTPROTO=static</pre>
+<pre>BOOTPROTO=none</pre>
and the following, substituting the appropriate values based on your site's
addressing scheme:
<pre>NETMASK=255.255.255.0
IPADDR=192.168.1.2
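Review bot: this hunk and the one just before it are byte-for-byte copies of the two RHEL/6 dhcp.xml hunks (same `@@ -192` / `@@ -206` offsets, same `<pre>BOOTPROTO=none</pre>` replacement). Since the OVAL check is being moved under shared/ in this very commit, the duplicated rule description is the next thing that will drift between products; consider mentioning the duplication in the commit message or following up with a shared description so that the next change to the `BOOTPROTO` guidance does not have to be applied twice again.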
diff --git a/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
new file mode 100644
index 0000000..a597307
--- /dev/null
+++ b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml
@@ -0,0 +1,35 @@
+<def-group>
+ <definition class="compliance"
id="sysconfig_networking_bootproto_ifcfg"
+ version="2">
+ <metadata>
+ <title>Disable DHCP Client</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>DHCP configuration should be static for all
+ interfaces.</description>
+ <reference source="JL" ref_id="20140530"
ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="Test for BOOTPROTO=(static|none) across all
interfaces">
+ <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg"
/>
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in
the /etc/sysconfig/network-scripts/ifcfg-.* file"
+ id="test_sysconfig_networking_bootproto_ifcfg" version="1">
+ <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg"
/>
+ <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg"
/>
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state
id="state_sysconfig_networking_bootproto_ifcfg"
+ version="2">
+ <ind:subexpression operation="pattern
match">^(static|none)$</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_object
id="obj_sysconfig_networking_bootproto_ifcfg"
+ version="1">
+ <ind:path>/etc/sysconfig/network-scripts</ind:path>
+ <ind:filename operation="pattern
match">ifcfg-.*</ind:filename>
+ <ind:pattern operation="pattern
match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
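Review bot: the `comment` attribute on `test_sysconfig_networking_bootproto_ifcfg` still quotes the regex `^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)`, but the object's actual `<ind:pattern>` is `^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)`; since this is a new file, update the comment to match the pattern it describes. Two behaviour points on that pattern: it strips double quotes only, so a single-quoted `BOOTPROTO='none'` is captured as `'none'` and fails `^(static|none)$` (consider `[\s"']*` and `[^#"'\s]*`), and `<ind:filename operation="pattern match">ifcfg-.*</ind:filename>` combined with `check="all"` means leftover editor copies such as `ifcfg-eth0.bak` or `ifcfg-eth0~` in that directory are evaluated as well; if that is not intended, anchor the filename pattern more tightly.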
diff --git a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
index 4a0b8a4..8de9c0c 100644
--- a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
+++ b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
@@ -17571,7 +17571,7 @@
xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1
http://nvd.nist.gov/sch
<dc:identifier>2154</dc:identifier>
</reference>
<ident
system="http://iase.disa.mil/cci">CCI-000366</ident>
- <fixtext fixref="F-24173r1_fix">Edit the
"/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the
"bootproto" setting to "static".</fixtext>
+ <fixtext fixref="F-24173r1_fix">Edit the
"/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the
"bootproto" setting to "none".</fixtext>
<fix id="F-24173r1_fix" />
<check system="C-36811r1_chk">
<check-content-ref name="M"
href="VMS_XCCDF_Benchmark_RHEL_5_STIG.xml" />
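Review bot: drop this hunk. `shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml` is, by its path and version in the name, a copy of the published DISA RHEL 5 STIG, so rewording its `<fixtext fixref="F-24173r1_fix">` makes the local reference disagree with the document it is meant to reproduce; the recommendation change belongs in SSG's own rule text, which the dhcp.xml hunks already cover. The commit subject also lists only the [RHEL/6], [RHEL/7] and [shared] changes, so this edit is undocumented in the message as well.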
-- 1.8.3.1
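The check logic the cover letter describes, as an added example that is not part of the original patch or of the SSG project code: a Python model of the textfilecontent54 object and state from the shared OVAL definition, run over constructed ifcfg files, with the pre-patch `equals static` state kept alongside to show what the change fixes. The collection semantics encoded here (a file without a BOOTPROTO line yields no item; `all_exist` needs at least one item) are my reading of OVAL, not something the page states.

```python
import re
import tempfile
from pathlib import Path

# Object pattern, filename pattern and state regex as they appear in the
# patched shared OVAL definition.
OBJECT_PATTERN = re.compile(r'^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)')
FILENAME_PATTERN = re.compile(r'ifcfg-.*')
NEW_STATE = re.compile(r'^(static|none)$')
# The pre-patch state was operation="equals" against the literal "static".
OLD_STATE = re.compile(r'^static$')


def collect_bootproto(directory):
    """Model the OVAL object: for every ifcfg-* file, capture the first
    (instance 1) BOOTPROTO value. A file with no match yields no item,
    which is my reading of textfilecontent54 collection (assumption)."""
    items = {}
    for path in sorted(Path(directory).iterdir()):
        if not FILENAME_PATTERN.fullmatch(path.name):
            continue
        for line in path.read_text().splitlines():
            match = OBJECT_PATTERN.match(line)
            if match:
                items[path.name] = match.group(1)
                break
    return items


def evaluate(directory, state=NEW_STATE):
    """check="all" / check_existence="all_exist": at least one item must be
    collected and every collected item must satisfy the state regex."""
    results = {name: bool(state.match(value))
               for name, value in collect_bootproto(directory).items()}
    return bool(results) and all(results.values()), results


def build_sample_dir():
    """Write constructed ifcfg files (not real host data) to a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "ifcfg-eth0": "DEVICE=eth0\nBOOTPROTO=none\nONBOOT=yes\n",
        "ifcfg-eth1": 'DEVICE=eth1\nBOOTPROTO="static"\n',  # quotes stripped
        "ifcfg-eth2": "DEVICE=eth2\n  BOOTPROTO = dhcp  # lease\n",
        "ifcfg-eth3": "DEVICE=eth3\nBOOTPROTO='none'\n",  # quotes captured
        "ifcfg-lo": "DEVICE=lo\nIPADDR=127.0.0.1\nONBOOT=yes\n",  # no BOOTPROTO
    }
    for name, body in samples.items():
        (tmp / name).write_text(body)
    return tmp
```

Running `evaluate(build_sample_dir())` reports an overall fail: eth0 and eth1 pass, eth2 fails on `dhcp`, eth3 fails because the single-quoted value is captured with its quotes, and ifcfg-lo produces no item at all.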
Absolutely the right call for OVAL to reflect static|none regex, while
XCCDF updated for only none. Ack to those pieces.
The disa-stig-rhel5-v1r0.6-xccdf-manual.xml file should remain
unchanged (it's a referencable copy of the actual RHEL5 STIG, not
something SSG generates/manipulates directly).