ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL6 xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians false failure #3522

Closed desius closed 5 years ago

desius commented 6 years ago

Description of problem:

xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians net_ipv4_conf_all_log_martians is supposed to be 1, but test fails if set to 1.

Even the remediation script shows remediation setting to 0 to pass

SCAP Security Guide Version:

0.1.41

Operating System Version:

RHEL 6.9

Steps to Reproduce:

  1. set 'net.ipv4.conf.all.log_martians = 1' in /etc/sysctl.conf
  2. verify no files in /etc/sysctl.d contain net.ipv4.conf.all.log_martians
  3. 'sysctl -a | grep net.ipv4.conf.all.log_martians' should show a value of 1
  4. report shows Failed

Actual Results:

Report shows failed with net.ipv4.conf.all.log_martians = 1

Expected Results:

Report should show pass with net.ipv4.conf.all.log_martians = 1. Description, test, and rationale should match DISA FSO RHEL-06-000088.

Additional Information/Debugging Steps:

dahaic commented 5 years ago

I have checked our code, and it should be in line. Please note that OVAL checks not only for the contents of /etc/sysctl.conf, but also for the runtime, thus part of the reproducer should be

sudo sysctl -w net.ipv4.conf.all.log_martians=1

to fully cover necessary steps.
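
The two-part check described in the comment above, as an added example that is not part of the thread and is not the project's OVAL content: a sysctl passes only when both the value in /etc/sysctl.conf and the runtime value under /proc/sys match. The function names and the ROOT prefix argument are hypothetical, the sample trees are constructed, and only /etc/sysctl.conf is read (not /etc/sysctl.d).

```shell
#!/bin/sh
# Added example: a setting passes only when BOTH the persistent config and the
# runtime value match. ROOT is a hypothetical prefix so the check can run
# against a constructed directory tree instead of the live system.

# Print the last value assigned to KEY in a sysctl-style config file.
conf_value() {  # conf_value KEY FILE
    [ -f "$2" ] || return 0
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v                  # later assignments win
        }
        END { if (last != "") print last }' "$2"
}

# Print the live value from ROOT/proc/sys (net.ipv4.x -> net/ipv4/x).
runtime_value() {  # runtime_value KEY ROOT
    path="$2/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Report pass/fail plus both observed values; exit status 0 only on pass.
check_sysctl() {  # check_sysctl KEY EXPECTED [ROOT]
    static=$(conf_value "$1" "${3:-}/etc/sysctl.conf")
    runtime=$(runtime_value "$1" "${3:-}")
    result=pass
    [ "$static" = "$2" ] || result=fail
    [ "$runtime" = "$2" ] || result=fail
    echo "$result static=${static:-unset} runtime=${runtime:-unset}"
    [ "$result" = pass ]
}

# Build a constructed tree: make_tree STATIC_VALUE RUNTIME_VALUE
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/proc/sys/net/ipv4/conf/all"
    printf '# constructed sample\nnet.ipv4.conf.all.log_martians = %s\n' "$1" > "$t/etc/sysctl.conf"
    printf '%s\n' "$2" > "$t/proc/sys/net/ipv4/conf/all/log_martians"
    echo "$t"
}

KEY=net.ipv4.conf.all.log_martians
check_sysctl "$KEY" 1 "$(make_tree 1 0)" || true   # file edited, kernel not updated
check_sysctl "$KEY" 1 "$(make_tree 1 1)"           # after sysctl -w as well
```

Calling `check_sysctl net.ipv4.conf.all.log_martians 1` with no third argument reads the live /etc/sysctl.conf and /proc/sys.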