As noted in: [1] https://github.com/cobbler/cobbler/issues/361 [2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
The BOOTPROTO variable in /etc/sysconfig/network-scripts can have just one of the (none|bootp|dhcp) values.
Initscripts also knows only these three: [3] https://git.fedorahosted.org/cgit/initscripts.git/tree/sysconfig.txt
meaning that when the 'bootp' or 'dhcp' options are used, the DHCP client is run on the device. Any other option is dealt with / considered to mean static configuration.
When system-config-network / system-config-network-tui / nm-connection-editor creates a new connection with static IP configuration, it uses BOOTPROTO=none in the particular /etc/sysconfig/network-scripts/ifcfg-conn-name script (this can be verified by creating a sample connection).
Based on bug: [4] https://bugzilla.redhat.com/show_bug.cgi?id=528068
and resulting patch: [5] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=c31b3e4...
NetworkManager (starting from NetworkManager-0.7.996-5.git20091021.fc12) treats BOOTPROTO=static as an alias for BOOTPROTO=none (it doesn't complain when 'static' is used as the BOOTPROTO specification).
But since the RHEL-6 Deployment Guide [2] and the initscripts code [3] know / suggest use of 'none', enhance the sysconfig_networking_bootproto_ifcfg OVAL check to allow the test to succeed also in the case that 'none' is used as the BOOTPROTO specification (since that is actually what is used when a new connection using a static IP is created, e.g. via system-config-network or nm-connection-editor).
Besides that (support also for 'none' in the BOOTPROTO specification), the patch starts to recommend the use of 'none' in the appropriate places (RHEL/6, RHEL/7 XCCDF rule descriptions, STIG reference) & moves the originally RHEL-6 specific sysconfig_networking_bootproto_ifcfg OVAL check to be a shared one.
The change has been tested on both RHEL/6 & RHEL/7; the rpm(s) build correctly and the change seems to be working as expected (on both products).
Please review.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
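Added example, not part of Jan's message or of the SSG project's code: a small Python emulation of how the OVAL textfilecontent54 check in this thread evaluates ifcfg-* files. It uses the object pattern and the old (`static` only) and new (`^(static|none)$`) state regexes exactly as quoted in the patch, and runs them over constructed ifcfg-* contents; the file contents, the helper names (`collect_bootproto_items`, `oval_test_result`, `initscripts_runs_dhcp_client`) and the simplified `check="all"` / `check_existence="all_exist"` evaluation are assumptions of this example. It goes slightly beyond the thread by also covering quoted values, leading whitespace, trailing comments and a file with no BOOTPROTO line, to show why a connection created by nm-connection-editor (BOOTPROTO="none") failed the old check and passes the new one.

```python
import re

# Regexes taken from the OVAL check discussed in the thread.
# Object pattern: captures the BOOTPROTO value, tolerating surrounding
# whitespace and double quotes, and stopping before a trailing comment.
BOOTPROTO_PATTERN = re.compile(r'^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)', re.MULTILINE)
# State before the patch: the captured value must equal "static".
OLD_STATE = re.compile(r'^static$')
# State after the patch: "static" and "none" both count as static addressing.
NEW_STATE = re.compile(r'^(static|none)$')

# Constructed sample contents of /etc/sysconfig/network-scripts/ifcfg-* files
# (made up for this example, not copied from any real system).
SAMPLE_IFCFG = {
    "ifcfg-eth0": "DEVICE=eth0\nBOOTPROTO=static\nIPADDR=192.168.1.2\n",
    # what system-config-network / nm-connection-editor write for a static IP
    "ifcfg-eth1": 'DEVICE=eth1\nBOOTPROTO="none"\nIPADDR=192.168.1.3\n',
    "ifcfg-eth2": "DEVICE=eth2\n  BOOTPROTO = dhcp   # lab segment\n",
    "ifcfg-eth3": "DEVICE=eth3\nBOOTPROTO=bootp\n",
    # loopback-style file with no BOOTPROTO line at all
    "ifcfg-lo": "DEVICE=lo\nIPADDR=127.0.0.1\nNETMASK=255.0.0.0\n",
}

# Subset representing a host where every real interface is statically configured.
STATIC_HOSTS = {k: v for k, v in SAMPLE_IFCFG.items()
                if k in ("ifcfg-eth0", "ifcfg-eth1", "ifcfg-lo")}


def collect_bootproto_items(files):
    """Emulate the textfilecontent54_object: one item per file whose content
    matches the pattern (instance 1 only); the captured group is the
    subexpression the state is compared against. Files with no BOOTPROTO
    line produce no item."""
    items = {}
    for name, content in files.items():
        match = BOOTPROTO_PATTERN.search(content)
        if match:
            items[name] = match.group(1)
    return items


def oval_test_result(files, state):
    """Emulate check="all" check_existence="all_exist" (assumed simplification):
    the test is true only when at least one item was collected and every item
    satisfies the state. Returns (passed, failing_items)."""
    items = collect_bootproto_items(files)
    if not items:
        return False, {}
    failing = {name: value for name, value in items.items() if not state.match(value)}
    return not failing, failing


def initscripts_runs_dhcp_client(value):
    """Runtime semantics described in the thread: initscripts starts the DHCP
    client only for 'bootp' or 'dhcp'; any other value (including an empty
    one) is treated as static configuration."""
    return value in ("bootp", "dhcp")


if __name__ == "__main__":
    print("collected:", collect_bootproto_items(SAMPLE_IFCFG))
    print("old state, static-only host:", oval_test_result(STATIC_HOSTS, OLD_STATE))
    print("new state, static-only host:", oval_test_result(STATIC_HOSTS, NEW_STATE))
    print("new state, mixed host:", oval_test_result(SAMPLE_IFCFG, NEW_STATE))
    for name, value in collect_bootproto_items(SAMPLE_IFCFG).items():
        print(name, "-> DHCP client runs:", initscripts_runs_dhcp_client(value))
```

The static-only host fails the old state solely because of ifcfg-eth1 (`none`) and passes the new one; the mixed host fails the new state on eth2 and eth3, which is the intended detection. Note that a value the OVAL rejects (for example an empty `BOOTPROTO=`) is still static at runtime for initscripts, so the check is deliberately stricter than the runtime behaviour and requires the value to be spelled out.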
On 5/30/14, 9:51 AM, Jan Lieskovsky wrote:
0001-RHEL-6-When-checking-for-static-IP-address-configura.patch
From 31ea21e1fa0cdf75f26dafc50c409cbcedb4ef16 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Fri, 30 May 2014 15:31:30 +0200 Subject: [PATCH] [RHEL/6] When checking for static IP address configuration, check also for BOOTPROTO=none in network-scripts (since that's what system-config-network or nm-connection-editor creates when requesting static IP configuration for connection) [RHEL/7] Update sysconfig_networking_bootproto_ifcfg rule to recommend BOOTPROTO=none instead of BOOTPROTO=static [shared] Move RHEL-6 sysconfig_networking_bootproto_ifcfg specific check to be shared one
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
.../sysconfig_networking_bootproto_ifcfg.xml | 35 +--------------------- RHEL/6/input/services/dhcp.xml | 4 +-- .../sysconfig_networking_bootproto_ifcfg.xml | 1 + RHEL/7/input/services/dhcp.xml | 4 +-- .../oval/sysconfig_networking_bootproto_ifcfg.xml | 35 ++++++++++++++++++++++ .../disa-stig-rhel5-v1r0.6-xccdf-manual.xml | 2 +- 6 files changed, 42 insertions(+), 39 deletions(-) mode change 100644 => 120000 RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml create mode 120000 RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml create mode 100644 shared/oval/sysconfig_networking_bootproto_ifcfg.xml
diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml deleted file mode 100644 index 6d2237e..0000000 --- a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml +++ /dev/null @@ -1,34 +0,0 @@ -<def-group>
- <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg"
- version="1">
<metadata>
<title>Disable DHCP Client</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>DHCP configuration should be static for all
interfaces.</description>
<reference source="MED" ref_id="20130813" ref_url="test_attestation" />
</metadata>
<criteria comment="Test for BOOTPROTO=static across all interfaces">
<criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file"
- id="test_sysconfig_networking_bootproto_ifcfg" version="1">
- <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" />
- <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_sysconfig_networking_bootproto_ifcfg"
- version="1">
- <ind:subexpression operation="equals">static</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="obj_sysconfig_networking_bootproto_ifcfg"
- version="1">
- ind:path/etc/sysconfig/network-scripts</ind:path>
- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group> diff --git a/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml new file mode 120000 index 0000000..a118ae3 --- /dev/null +++ b/RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml @@ -0,0 +1 @@ +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml \ No newline at end of file diff --git a/RHEL/6/input/services/dhcp.xml b/RHEL/6/input/services/dhcp.xml index 38d9770..4f64ed0 100644 --- a/RHEL/6/input/services/dhcp.xml +++ b/RHEL/6/input/services/dhcp.xml @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit following changes:
<ul> <li> Correct the BOOTPROTO line to read: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> </li> <li> Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: @@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre> To verify that DHCP is not being used, examine the following file for each interface: <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> Look for the following: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> and the following, substituting the appropriate values based on your site's addressing scheme: <pre>NETMASK=255.255.255.0 IPADDR=192.168.1.2 diff --git a/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml new file mode 120000 index 0000000..a118ae3 --- /dev/null +++ b/RHEL/7/input/checks/sysconfig_networking_bootproto_ifcfg.xml @@ -0,0 +1 @@ +../../../../shared/oval/sysconfig_networking_bootproto_ifcfg.xml \ No newline at end of file diff --git a/RHEL/7/input/services/dhcp.xml b/RHEL/7/input/services/dhcp.xml index 4c2bab7..997e550 100644 --- a/RHEL/7/input/services/dhcp.xml +++ b/RHEL/7/input/services/dhcp.xml @@ -192,7 +192,7 @@ For each interface on the system (e.g. eth0), edit following changes: <ul> <li> Correct the BOOTPROTO line to read: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> </li> <li> Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme: @@ -206,7 +206,7 @@ GATEWAY=192.168.1.1</pre> To verify that DHCP is not being used, examine the following file for each interface: <pre># /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> Look for the following: -<pre>BOOTPROTO=static</pre> +<pre>BOOTPROTO=none</pre> and the following, substituting the appropriate values based on your site's addressing scheme: <pre>NETMASK=255.255.255.0 IPADDR=192.168.1.2 
diff --git a/shared/oval/sysconfig_networking_bootproto_ifcfg.xml b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml new file mode 100644 index 0000000..a597307 --- /dev/null +++ b/shared/oval/sysconfig_networking_bootproto_ifcfg.xml @@ -0,0 +1,35 @@ +<def-group> + <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg" + version="2"> + <metadata> + <title>Disable DHCP Client</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>DHCP configuration should be static for all + interfaces.</description> + <reference source="JL" ref_id="20140530" ref_url="test_attestation" /> + </metadata> + <criteria comment="Test for BOOTPROTO=(static|none) across all interfaces"> + <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" + id="test_sysconfig_networking_bootproto_ifcfg" version="1"> + <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" /> + <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_state id="state_sysconfig_networking_bootproto_ifcfg" + version="2"> + <ind:subexpression operation="pattern match">^(static|none)$</ind:subexpression> + </ind:textfilecontent54_state> + <ind:textfilecontent54_object id="obj_sysconfig_networking_bootproto_ifcfg" + version="1"> + <ind:path>/etc/sysconfig/network-scripts</ind:path> + <ind:filename operation="pattern match">ifcfg-.*</ind:filename> + <ind:pattern operation="pattern match">^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> 
diff --git a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml index 4a0b8a4..8de9c0c 100644 --- a/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml @@ -17571,7 +17571,7 @@ xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/sch <dc:identifier>2154</dc:identifier> </reference> <ident system="http://iase.disa.mil/cci">CCI-000366</ident> - <fixtext fixref="F-24173r1_fix">Edit the "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto" setting to "static".</fixtext> + <fixtext fixref="F-24173r1_fix">Edit the "/etc/sysconfig/network-scripts/ifcfg-*" file(s) and change the "bootproto" setting to "none".</fixtext> <fix id="F-24173r1_fix" /> <check system="C-36811r1_chk"> <check-content-ref name="M" href="VMS_XCCDF_Benchmark_RHEL_5_STIG.xml" /> -- 1.8.3.1
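Review bot: in the hunk deleting RHEL/6/input/checks/sysconfig_networking_bootproto_ifcfg.xml, the removed definition carried `<reference source="MED" ref_id="20130813" ref_url="test_attestation" />`, and the shared replacement carries only the new `source="JL" ref_id="20140530"` attestation. If the earlier attestation is meant to stay on record for RHEL 6, carry it over into the shared file alongside the new one rather than dropping it; the symlink hunk that follows makes RHEL/6 depend on the shared copy, so its history lives there now.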
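Review bot: in both dhcp.xml hunks (RHEL/6 and RHEL/7), the "Look for the following:" verification text now names `<pre>BOOTPROTO=none</pre>` only, while the OVAL state added in the same patch accepts `^(static|none)$`, so an interface left at `BOOTPROTO=static` passes the scan even though the description reads as if it needs correcting. Add a sentence after the `<pre>BOOTPROTO=none</pre>` lines stating that `static` is still accepted (NetworkManager treats it as an alias of `none`, as the cover letter explains), so that the rule text and the check agree.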
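Review bot: in the new shared/oval/sysconfig_networking_bootproto_ifcfg.xml, the test's `comment` still reads `^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)` while the object's `<ind:pattern>` is `^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)`; the comment was copied from the deleted RHEL/6 file and no longer describes the regex that is evaluated, so update it to the quote- and whitespace-tolerant form. Separately, `<ind:filename operation="pattern match">ifcfg-.*</ind:filename>` matches anything starting with `ifcfg-`, including editor backup copies such as `ifcfg-eth0~` or `ifcfg-eth0.bak`, so a stale backup containing `BOOTPROTO=dhcp` would fail the rule for the whole host; if that is not the intended scope, anchor the filename pattern to exclude such suffixes.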
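Review bot: the shared/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml hunk edits a `<fixtext>` inside a vendored copy of the DISA RHEL 5 STIG. Changing "static" to "none" there makes the local copy diverge from the published benchmark text it exists to mirror, and RHEL 5 is not otherwise in scope of this patch; drop this hunk and keep the wording change confined to SSG's own dhcp.xml rule descriptions.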
Absolutely the right call for OVAL to reflect static|none regex, while XCCDF updated for only none. Ack to those pieces.
The disa-stig-rhel5-v1r0.6-xccdf-manual.xml file should remain unchanged (it's a referenceable copy of the actual RHEL5 STIG, not something SSG generates/manipulates directly).
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com To: scap-security-guide@lists.fedorahosted.org Sent: Friday, May 30, 2014 5:55:52 PM Subject: Re: [PATCH] [RHEL/6] [RHEL/7] [shared] When checking for static IP address configuration in network scripts allow BOOTPROTO to match also "none" (since that's what system-config-network / nm-connection-editor do when creating static IP connection)
Absolutely the right call for OVAL to reflect static|none regex, while XCCDF updated for only none. Ack to those pieces.
The disa-stig-rhel5-v1r0.6-xccdf-manual.xml file should remain unchanged (it's a referenceable copy of the actual RHEL5 STIG, not something SSG generates/manipulates directly).
Interesting, good to know. Thanks for the review. Excluded disa-stig-rhel5-v1r0.6-xccdf-manual.xml file from the list of changes & pushed to master.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide