Hello! Came across this issue… is this the right place to report it?

Following provisioning a system and running some hardening processes my team 
noticed a “bad file” at 
`/etc/sysconfig/network-scripts/ifcfg-eno49?eno1?eno2?eno50?eno3?eno4`.

The only reference I’ve found is in the ssg-centos7-ds.xml file:

```
if [ $nic_bound = false ];then
    # Add first NIC to SSH enabled zone

    if ! firewall-cmd --state -q; then
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_replace_or_append" use="legacy" />
        replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
    else
        # If firewalld service is running, we need to do this step with firewall-cmd
        # Otherwise firewalld will communicate with NetworkManager and will revert assigned zone
        # of NetworkManager managed interfaces upon reload
        firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
        firewall-cmd --reload
    fi
fi
```

It appears that `eth_interface_list` is defined via the following in the same file:

```
eth_interface_list=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
```

and then used as `${eth_interface_list[0]}`, which gets all active interfaces 
separated by newlines versus the intended… just the first active interface.

This should be accomplished by adding another set of parentheses:

```
eth_interface_list=($(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'))
```

then it should work as intended.



Sincerely,

Nick


_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
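
The scalar-versus-array behaviour described in the message, as an added example that is not part of the original post or of the SCAP Security Guide content: it runs the same filter over a constructed `ip link show up` sample. The function names, the sample output and the `mapfile` variant are assumptions introduced for illustration.

```shell
#!/usr/bin/env bash
# Arrays are a bash feature; re-run under bash if started by a plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed sample of `ip link show up` output (not from a real host).
sample_ip_link() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno49: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
EOF
}

# Same filter as the remediation, fed from the sample instead of `ip`.
active_nics() {
    sample_ip_link | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'
}

# As shipped: $(...) yields ONE string, and [0] on a scalar is that whole string.
first_nic_scalar() {
    local eth_interface_list
    eth_interface_list=$(active_nics)
    printf '%s' "${eth_interface_list[0]}"
}

# Proposed fix: ($(...)) word-splits the output into array elements.
first_nic_array() {
    local eth_interface_list
    eth_interface_list=($(active_nics))
    printf '%s' "${eth_interface_list[0]}"
}

# Alternative (assumption, not in the post): one element per line, no globbing.
first_nic_mapfile() {
    local -a eth_interface_list
    mapfile -t eth_interface_list <<<"$(active_nics)"
    printf '%s' "${eth_interface_list[0]}"
}

# Path each variant would hand to replace_or_append.
ifcfg_path() { printf '/etc/sysconfig/network-scripts/ifcfg-%s' "$("$1")"; }

for variant in first_nic_scalar first_nic_array first_nic_mapfile; do
    printf '%-18s %q\n' "$variant" "$(ifcfg_path "$variant")"
done
```

The scalar variant's path contains embedded newlines, which `ls` on a terminal prints as `?`, matching the file name reported in the message.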
