
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter false negative

Open · len-ro opened this issue 2 years ago · 1 comment

Description of problem:

Rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter reports a false negative due to Test 'oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:tst:1' evaluated as false.

SCAP Security Guide Version:

ssg-ubuntu2004-ds.xml

Operating System Version:

Ubuntu 20.04/22.04

Steps to Reproduce:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server --report ./lib/system/complianceAsCode/reports/pentest-sftp-prod.html --results ./lib/system/complianceAsCode/reports/pentest-sftp-prod.xml --rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter --verbose INFO ./lib/system/complianceAsCode/ubuntu2204/ssg-ubuntu2004-ds.xml > log.txt 2>&1

Actual Results:

test fails

Expected Results:

test should not fail

Additional Information/Debugging Steps:

The test fails due to the presence of net.ipv4.conf.default.rp_filter = 1 in 2 files:

I: oscap: Variable 'oval:ssg-local_var_conf_files_net_ipv4_conf_default_rp_filter:var:1' has values "/usr/lib/sysctl.d/50-default.conf", "/etc/sysctl.d/90-override.conf".

However, the 1st file is the package-provided one and the 2nd file is an override of the first:

# To override settings in this file, create a local file in /etc
# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
# there.

len-ro avatar Jul 26 '22 10:07 len-ro

I've encountered the same issue, and worked around it by removing net.ipv4.conf.default.rp_filter from any defaults files, and only having it in my custom file in sysctl.d. Not ideal, I know.

rossengeorgiev avatar Sep 08 '22 09:09 rossengeorgiev

Hi, @len-ro

Do I understand correctly that net.ipv4.conf.default.rp_filter had the same value in both files? If so, https://github.com/ComplianceAsCode/content/pull/9458 has changed the behavior to pass in this case. The rule now only fails when the values are conflicting.

I'm closing this issue, but please re-open it if I misunderstood you or the problem still persists.

yuumasato avatar Nov 14 '22 10:11 yuumasato
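To make the behavior change concrete, here is an added example (not the project's OVAL content) that models the rp_filter check over sysctl.d-style files. The two file contents are constructed stand-ins for the paths named in the oscap log; `defined_in_one_file` models the old test that failed this issue, and `values_do_not_conflict` models the post-PR-9458 rule that only fails when the files disagree on the value.

```python
"""Model of the sysctl rp_filter check before and after PR 9458 (added example)."""
import re

KEY = "net.ipv4.conf.default.rp_filter"
EXPECTED = "1"

# Constructed stand-ins for the two files named in the oscap log (not real file contents).
FILES = {
    "/usr/lib/sysctl.d/50-default.conf": (
        "# To override settings in this file, create a local file in /etc\n"
        "# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments\n"
        "# there.\n"
        "net.ipv4.conf.default.rp_filter = 1\n"
        "net.ipv4.conf.all.rp_filter = 1\n"
    ),
    "/etc/sysctl.d/90-override.conf": "net.ipv4.conf.default.rp_filter = 1\n",
}

# key = value, where sysctl keys may use '.' or '/' as separators
_ASSIGN = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(\S+)\s*$")


def definitions(files, key):
    """Return {path: value} for every file assigning `key` (last assignment in a file wins)."""
    found = {}
    for path, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith(("#", ";")):
                continue  # sysctl ignores comment lines
            m = _ASSIGN.match(line)
            if m and m.group(1) == key:
                found[path] = m.group(2)
    return found


def defined_in_one_file(files, key=KEY, expected=EXPECTED):
    """Old test: pass only if exactly one file sets the key, and to the expected value."""
    defs = definitions(files, key)
    return len(defs) == 1 and set(defs.values()) == {expected}


def values_do_not_conflict(files, key=KEY, expected=EXPECTED):
    """Post-PR-9458 behavior: pass if every file setting the key agrees on the expected value."""
    defs = definitions(files, key)
    return bool(defs) and set(defs.values()) == {expected}


if __name__ == "__main__":
    print("old test:", defined_in_one_file(FILES), "| new test:", values_do_not_conflict(FILES))
```

Running it reproduces the report: the old test fails on the two agreeing files while the new one passes, and flipping the override file to `= 0` makes the new test fail as well.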

This is right. Thank you.

len-ro avatar Nov 14 '22 11:11 len-ro