Bug 1494606 - Rules requiring sysctl.conf values have misleading descriptions - sysctl values defaults are ignored, description says otherwise.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matěj Týč
QA Contact: Gabriel Gaspar Becker
Docs Contact: Jan Fiala
Duplicates: 1502831
Depends On:
Blocks: 1477664
Reported: 2017-09-22 15:28 UTC by Ryan Blakley
Modified: 2022-03-13 14:27 UTC (History)

Fixed In Version: scap-security-guide-0.1.49-2.el7
Doc Type: Bug Fix
Doc Text:
Updated rule descriptions in the SCAP Security Guide
Because default kernel parameters cannot be reliably determined for all supported versions of RHEL, checking kernel parameter settings always requires explicit configuration. The text in the configuration guide mistakenly stated that explicit settings were not needed if the default value was compliant. With this update, the rule description in the `scap-security-guide` package correctly describes the compliance evaluation and the corresponding remediation.
Clone Of:
Last Closed: 2020-09-29 19:52:12 UTC
Target Upstream Version:

External link: Red Hat Product Errata RHBA-2020:3909 (last updated 2020-09-29 19:52:34 UTC)

Description Ryan Blakley 2017-09-22 15:28:36 UTC
Description of problem: When scanning a server with the C2S for Red Hat Enterprise Linux 7 (168) profile.

Version-Release number of selected component (if applicable): scap-workbench-1.1.4-5.el7.x86_64

Steps to Reproduce:
1. Run $ sysctl -a|grep "ip_forward " and it will return 0.
2. Perform the scan in scap-workbench.
3. It will show failed for the test "Disable Kernel Parameter for IP Forwarding". If you repeat the above but add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf and rescan, it will pass.

Actual results: Fail

Expected results: Pass since it's set correctly as the default.

Additional info:
For the case I'm working it's only for the "Disable Kernel Parameter for IP Forwarding" test, but the customer has a few other cases for other sysctl tests that exhibit the same failures but shouldn't.

Comment 2 Michael DePaulo 2017-11-16 22:32:33 UTC
I'm affected by this too. At 1st glance, it seems correlated with having libvirtd installed.

(RHEL Workstation installs gnome-boxes by default, so it has libvirtd installed & running by default.)

Disabling the libvirtd service, rebooting, and verifying that the virbr0 interface is gone (and that dnsmasq is not running at all) did not help though.

Comment 3 Martin Preisler 2018-01-03 21:59:37 UTC
This is a content issue, changing component.

Comment 4 Watson Yuuma Sato 2018-03-26 18:25:27 UTC
*** Bug 1502831 has been marked as a duplicate of this bug. ***

Comment 5 Marek Haicman 2018-03-26 21:08:37 UTC
To be completely honest, I do not see harm in requiring an explicit setting, even though the default should be safe. There are some considerations that outweigh a few more lines required in the /etc/sysctl.conf file.

From the SSG standpoint, it is safer to share rules between multiple products, so the user base of a particular code snippet/configuration is larger. Different products possibly have kernels compiled with different flags, thus defaults might differ. So to take defaults into consideration, RHEL would need to have its own, unshared, version of the content.

Also, auditing the content would be slower, as one would have to cross-check with documentation whether a given assumption about a default value is valid or not.

Based on this, I am changing the summary of this bug (and its scope) to changing the misleading descriptions.
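
The evaluation Marek describes, as an added example that is not scap-security-guide's own check code: the rule passes only when the parameter is set explicitly in persistent configuration and matches at runtime, so a compliant kernel default with no config line fails. File names under the temporary directory and the runtime value passed as an argument are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from scap-security-guide: a minimal model of what a
# sysctl-based SCAP rule evaluates. The rule passes only when the parameter is
# set explicitly in persistent configuration AND matches at runtime, so a
# compliant kernel default with no config line fails, as reported in this bug.

# Print the last value assigned to key $1 across the config files that follow
# (later files and later lines win, as with "sysctl -p"). Text after '#' or
# ';' is treated as a comment. Returns 1 and prints nothing if the key is
# never set explicitly. Keys written with '/' separators are not normalised.
persisted_value() {
    key=$1; shift
    found=""
    for f in "$@"; do
        if [ -r "$f" ]; then
            v=$(sed -e 's/[#;].*//' "$f" | awk -F'=' -v k="$key" '
                { gsub(/^[ \t]+|[ \t]+$/, "", $1)
                  if ($1 == k) { gsub(/^[ \t]+|[ \t]+$/, "", $2); val = $2 } }
                END { if (val != "") print val }')
            if [ -n "$v" ]; then found=$v; fi
        fi
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Evaluate one rule: $1 key, $2 required value, $3 runtime value (on a live
# system obtain it with: sysctl -n "$1"), remaining args: config files in the
# order sysctl would load them. Prints a verdict and returns 0 only on PASS.
evaluate_rule() {
    key=$1; required=$2; runtime=$3; shift 3
    p=$(persisted_value "$key" "$@") || p="unset"
    if [ "$runtime" = "$required" ] && [ "$p" = "$required" ]; then
        echo "PASS $key: runtime=$runtime persisted=$p"
        return 0
    fi
    echo "FAIL $key: runtime=$runtime persisted=$p (required $required)"
    return 1
}

# Constructed files standing in for /etc/sysctl.conf and a drop-in under
# /etc/sysctl.d/ on the reporter's system; the kernel default for
# net.ipv4.ip_forward is taken to be 0, as the report states.
demo=$(mktemp -d)
: > "$demo/sysctl.conf"                                   # stock: nothing explicit
printf 'net.ipv4.ip_forward = 0\n' > "$demo/99-ssg.conf"  # after the reporter's fix
evaluate_rule net.ipv4.ip_forward 0 0 "$demo/sysctl.conf" || :                     # FAIL
evaluate_rule net.ipv4.ip_forward 0 0 "$demo/sysctl.conf" "$demo/99-ssg.conf" || :  # PASS
rm -rf "$demo"
```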

Comment 22 errata-xmlrpc 2020-09-29 19:52:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

