I'd like to see language about virbr there myself, even if only to indicate that the virbr* interfaces indicate virtualization packages are present and should be removed. At least in the prose there was no guidance on what to do/how to resolve the situation if virbr* interfaces were found.

As a side note - how far down the specialization road are we going to be going with discrete profiles? At one point I recall some talk on being able to construct a profile starting with a base profile and combining it with other profiles which could add/remove/alter items.
-Rob

________________________________________
From: [email protected] [[email protected]] on behalf of Shawn Wells [[email protected]]
Sent: Friday, August 23, 2013 2:49 PM
To: [email protected]
Subject: Re: RHEL-06-000292 - The DHCP client must be disabled if not needed

On 8/22/13 2:11 PM, Robert Sanders wrote:
> Quick question on this one. If I follow the prose directory then any
> interface on the system that doesn't have a file in
> /etc/sysconfig/network-scripts is a finding. On my box I've got the
> virbr0 and virbr0-nic interfaces due to the virtualization stuff
> installed. Should there be some language in here related to these
> virtual nics?

I've been flip flopping on this since yesterday.... Since existing STIG is for RHEL6 Servers, not RHEL6-based hypervisors, I'm inclined to say existing check should remain as is, with a net-new added for RHEL6 as a hypervisor (KVM, OpenStack, RHEV, etc). What do you think?

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
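Added example, not part of the thread and not the SCAP Security Guide project's own check: a shell sketch of the check as read in the quoted question (an interface with no ifcfg-* file under /etc/sysconfig/network-scripts is a finding), with virbr* interfaces reported separately as a sign that virtualization packages are present. It assumes DHCP shows up as BOOTPROTO=dhcp in the ifcfg file; the status labels, function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify interfaces the way the thread reads the check prose.
# Status labels (FINDING_*, REVIEW_*, OK) are hypothetical names for this sketch.

# audit_dhcp_ifaces [SYS_NET_DIR] [SCRIPTS_DIR] -> one "<iface> <status>" line each
audit_dhcp_ifaces() {
    sys_net=${1:-/sys/class/net}
    scripts=${2:-/etc/sysconfig/network-scripts}
    for path in "$sys_net"/*; do
        [ -d "$path" ] || continue          # skip entries that are not interfaces
        iface=${path##*/}
        cfg="$scripts/ifcfg-$iface"
        if [ ! -f "$cfg" ]; then
            case "$iface" in
                # libvirt bridges: virtualization packages are present
                virbr*) echo "$iface REVIEW_VIRT_NO_IFCFG" ;;
                *)      echo "$iface FINDING_NO_IFCFG" ;;
            esac
        elif grep -Eiq "^[[:space:]]*BOOTPROTO=[\"']?dhcp" "$cfg"; then
            echo "$iface FINDING_DHCP"      # DHCP client enabled for this interface
        else
            echo "$iface OK"
        fi
    done
}

# Constructed sample tree (not from a real host); prints the temp dir it created.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/net" "$root/scripts"
    for i in lo eth0 eth1 eth2 virbr0 virbr0-nic; do mkdir "$root/net/$i"; done
    : > "$root/scripts/ifcfg-lo"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\n' > "$root/scripts/ifcfg-eth0"
    printf 'DEVICE=eth1\nBOOTPROTO="static"\n' > "$root/scripts/ifcfg-eth1"
    echo "$root"
}

# Run the audit against the constructed tree, then clean up.
demo() {
    root=$(make_sample_tree) || return 1
    audit_dhcp_ifaces "$root/net" "$root/scripts"
    rm -rf "$root"
}
demo
```

On a real host, calling `audit_dhcp_ifaces` with no arguments reads /sys/class/net and /etc/sysconfig/network-scripts directly.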
