Bug 1494606
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Rules requiring sysctl.conf values have misleading descriptions - sysctl values defaults are ignored, description says otherwise. | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Ryan Blakley <rblakley> |
| Component | scap-security-guide | Assignee | Matěj Týč <matyc> |
| Status | CLOSED ERRATA | QA Contact | Gabriel Gaspar Becker <ggasparb> |
| Severity | medium | Docs Contact | Jan Fiala <jafiala> |
| Priority | high | | |
| Version | 7.4 | CC | cparadka, cww, ggasparb, jafiala, matyc, mhaicman, mikedep333, openscap-maint, wsato |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | scap-security-guide-0.1.49-2.el7 | Doc Type | Bug Fix |
| Doc Text | Updated rule descriptions in the SCAP Security Guide. Because default kernel parameters cannot be reliably determined for all supported versions of RHEL, checking kernel parameter settings always requires explicit configuration. The text in the configuration guide mistakenly stated that explicit settings were not needed if the default version was compliant. With this update, the rule description in the `scap-security-guide` package correctly describes the compliance evaluation and the corresponding remediation. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-09-29 19:52:12 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1477664 | | |
Description
Ryan Blakley
2017-09-22 15:28:36 UTC
I'm affected by this too. At 1st glance, it seems correlated with having libvirtd installed. (RHEL Workstation installs gnome-boxes by default, so it has libvirtd installed & running by default.) Disabling the libvirtd service, rebooting, and verifying that the virbr0 interface is gone (and that dnsmasq is not running at all) did not help though.

This is a content issue, changing component.

*** Bug 1502831 has been marked as a duplicate of this bug. ***

Hello, to be completely honest, I do not see harm in requiring an explicit setting, even though the default should be safe. There are some considerations that outweigh the few more lines required in the /etc/sysctl.conf file. From the SSG standpoint, it is safer to share rules between multiple products, so the user base of a particular code snippet/configuration is larger. Different products possibly have kernels compiled with different flags, thus defaults might differ. So to take defaults into consideration, RHEL would need to have its own, unshared, version of content. Also, auditing the content would be slower, as one would have to cross-check with documentation whether a given assumption of a default value is valid or not. Based on this, I am changing the summary of this bug (and the scope itself) to changing the misleading descriptions.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3909
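As an added illustration of the rule semantics the Doc Text and the assignee's comment describe (this is example code, not part of scap-security-guide or of this bug report), the following checker treats a kernel parameter as compliant only when it is explicitly set in sysctl configuration and the running value agrees; a matching kernel default with no explicit setting is reported as a failure. The function names and the sample configuration are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Constructed sample of /etc/sysctl.conf content (not taken from the bug report).
SAMPLE_CONF = """\
# Hardening settings (constructed example)
net.ipv4.conf.all.accept_redirects = 0
net/ipv4/conf/default/accept_redirects = 0
-kernel.randomize_va_space = 2
# net.ipv4.ip_forward is deliberately left at the kernel default here
"""

def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: 'key = value' lines, '#' or ';' comments,
    '/' accepted as a key separator and a leading '-' meaning 'ignore errors'
    (both per sysctl(8)). Later lines override earlier ones, as sysctl
    applies them in file order."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^-?\s*([^=\s]+)\s*=\s*(.*?)\s*$", line)
        if not match:
            continue  # malformed line; sysctl would warn and skip it
        key = match.group(1).replace("/", ".")
        settings[key] = match.group(2)
    return settings

def evaluate_rule(param: str, expected: str, conf_text: str,
                  running_value: str) -> Tuple[bool, str]:
    """Model of an SSG sysctl rule: pass only when the parameter is explicitly
    configured with the expected value AND the live value matches. A compliant
    kernel default without an explicit setting fails, as the Doc Text states."""
    explicit = parse_sysctl_conf(conf_text).get(param)
    if explicit is None:
        return False, f"{param} not set in sysctl configuration (default ignored)"
    if explicit != expected:
        return False, f"{param} configured as {explicit!r}, expected {expected!r}"
    if running_value != expected:
        return False, f"{param} running value {running_value!r} differs from {expected!r}"
    return True, f"{param} explicitly set and active as {expected!r}"

if __name__ == "__main__":
    for param, expected, running in [
        ("net.ipv4.conf.all.accept_redirects", "0", "0"),  # explicit + live: pass
        ("net.ipv4.ip_forward", "0", "0"),                  # default only: fail
        ("kernel.randomize_va_space", "2", "1"),            # configured, not live: fail
    ]:
        print(evaluate_rule(param, expected, SAMPLE_CONF, running))
```

On a real host the running value would come from `sysctl -n <param>` and the configuration from /etc/sysctl.conf plus the sysctl.d directories; the example keeps both inline so it runs offline.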