Rule networkmanager_dns_mode is misaligned with DISA

Open jan-cerny opened this issue 8 months ago • 1 comments

Description of problem:

The content is misaligned with an external (third party) content that targets the same policy - typically, this means that a system hardened by our content doesn't pass the scan by the external content.

During upstream daily productization today we found that rule networkmanager_dns_mode is misaligned with DISA. The misalignment manifested only when using Ansible remediation.

SSG result: pass, DISA result(s): SV-257949r1014841_rule:fail

The reason is that our rule networkmanager_dns_mode allows drop-in configuration files and our Ansible remediation inserted the required string into /etc/NetworkManager/conf.d/complianceascode_hardening.conf. But DISA's xccdf_mil.disa.stig_rule_SV-257949r1014841_rule doesn't support the drop-in files and looks only in /etc/NetworkManager/NetworkManager.conf.

Details:

This content is not aligned with content from DISA

The misalignment affects these profiles: RHEL 9 STIG

The misalignment affects these rules: networkmanager_dns_mode

Outcome:

  • [ ] This project's content can be improved:
    • [ ] Check needs to be improved.
    • [ ] Remediation needs to be improved.
  • [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version:

current upstream master branch as of 2025-03-26 as of HEAD cd5eee2d00782b200f922bb1969f48a14c967109

External Content's Version:

v2r3

jan-cerny avatar Mar 26 '25 07:03 jan-cerny
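The disagreement described in the issue above, reproduced as an added example (not code from ComplianceAsCode or DISA). The two check functions are simplified stand-ins for the two scanners' behaviour, and the file contents and the value `none` are constructed sample data, since the issue only says "the required string".

```python
import configparser

MAIN = "/etc/NetworkManager/NetworkManager.conf"
DROPIN_DIR = "/etc/NetworkManager/conf.d/"

# Constructed sample state after the Ansible remediation described in the issue.
# "none" is an assumed example value for the dns key.
FILES = {
    MAIN: "[main]\n#plugins=keyfile\n\n[logging]\n",
    DROPIN_DIR + "complianceascode_hardening.conf": "[main]\ndns=none\n",
}

def dns_mode(text):
    """Return the dns value from the [main] section, or None if it is absent."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp.get("main", "dns", fallback=None)

def check_main_only(files, allowed):
    """Stand-in for a check that reads only NetworkManager.conf."""
    return dns_mode(files.get(MAIN, "")) in allowed

def check_with_dropins(files, allowed):
    """Stand-in for a check that also accepts the setting from conf.d/*.conf."""
    dropins = sorted(p for p in files
                     if p.startswith(DROPIN_DIR) and p.endswith(".conf"))
    return any(dns_mode(files[p]) in allowed for p in [MAIN] + dropins)

def where_set(files):
    """List every file that sets dns in [main], to show which scanner sees it."""
    return {p: dns_mode(t) for p, t in files.items() if dns_mode(t) is not None}

def misaligned(files, allowed):
    """True when the two checks disagree on the same system state."""
    return check_with_dropins(files, allowed) != check_main_only(files, allowed)

if __name__ == "__main__":
    allowed = {"none"}
    print("drop-in aware check:", check_with_dropins(FILES, allowed))
    print("main-file-only check:", check_main_only(FILES, allowed))
    print("dns set in:", where_set(FILES))
```

On the sample state the drop-in aware check passes and the main-file-only check fails, matching the pass/fail pair reported in the issue; once the setting is also in the main file, both checks agree.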

Most likely caused by #13208

Mab879 avatar Mar 26 '25 18:03 Mab879