Issue type: Bug
Resolution: Unresolved
Product: Red Hat Enterprise Linux
Affects version: rhel-9.4
Component: ssg_security
Sub-team: rhel-sst-security-compliance
Severity: Moderate
What were you trying to do that didn't work?
STIG enforces the xccdf_org.ssgproject.content_rule_networkmanager_dns_mode rule to pass. It appears the rule implementation has two issues:
- The regex is not correct
The regex generated by the configuration snippet is \s*[main].(?:\n\s[[\s].)\ndns=([^#]).$.
This regex doesn't expect comments before getting the [main] section, which is wrong (there are comments in /etc/NetworkManager/NetworkManager.conf on RHEL9).
Additionally, the regex fails to match when comments exist after the dns=xxx token, e.g.:

    [root@vm-scap9 ~]# cat OK.conf
    [main]
    dns=none
    [root@vm-scap9 ~]# cat KO_1.conf
    [main]
    dns=none # FOO
    [root@vm-scap9 ~]# cat KO_2.conf
    [main]
    dns=none
    [logging]
    # FOO
- The file being checked is not correct
The rule expects the dns=xxx token to be defined in the /etc/NetworkManager/NetworkManager.conf file, which is a false assumption, since NetworkManager supports drop-ins (and drop-ins are the recommended way to configure it).
Instead of checking that file, the rule should check the output of NetworkManager --print-config, which reflects the merged configuration.
Note that the remediation scripts will require fixing as well.
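An added example, not part of this report or of the SSG content, showing a check done the way suggested above: the dns mode is read from the merged configuration text that NetworkManager --print-config prints, looking only inside the [main] section, tolerating comment lines before it and a trailing comment after the value. The two sample configurations and the accepted-value list "none default" are constructed assumptions, and treating trailing "# ..." text as a comment rather than part of the value is also an assumption.

```bash
#!/bin/bash
# Added example (not SSG code): read the dns mode from the merged NetworkManager
# configuration (what `NetworkManager --print-config` prints) rather than from
# /etc/NetworkManager/NetworkManager.conf alone.
# Print the value of key $2 in section $1 of INI-style text on stdin. Full-line
# comments (# or ;) are skipped, only the named section is searched, and a
# trailing "# comment" after the value is dropped (assumed not part of the value).
nm_ini_get() {
    local section="$1" key="$2"
    awk -v sec="[$section]" -v key="$key" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec {
            line = $0
            sub(/[ \t]*[#;].*$/, "", line)
            if (match(line, "^[ \t]*" key "[ \t]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}
# Return 0 when [main] dns in the config text $1 is one of the space-separated
# accepted values in $2, 1 otherwise (including the key not being set in [main]).
nm_dns_mode_ok() {
    local config="$1" accepted="$2" value a
    value="$(printf '%s\n' "$config" | nm_ini_get main dns)"
    [ -n "$value" ] || return 1
    for a in $accepted; do
        [ "$value" = "$a" ] && return 0
    done
    return 1
}
# Constructed samples standing in for the merged --print-config output.
SAMPLE_OK='# NetworkManager.conf
[main]
plugins=keyfile
dns=none  # FOO
[logging]
# FOO'
SAMPLE_KO='[main]
plugins=keyfile
[connectivity]
dns=none'
nm_dns_mode_ok "$SAMPLE_OK" "none default" && echo "SAMPLE_OK: pass"
nm_dns_mode_ok "$SAMPLE_KO" "none default" || echo "SAMPLE_KO: fail (dns not set in [main])"
```

On a real host the same function is fed the live merged configuration with nm_dns_mode_ok "$(NetworkManager --print-config)" "none default", so drop-ins under /etc/NetworkManager/conf.d are covered without parsing each file.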
What is the impact of this issue to you?
Breaks STIG compliance
Please provide the package NVR for which the bug is seen:
All releases, including Upstream