net.ipv4.conf.default.rp_filter has 2 different values in default RHEL9 install
Issue
In a default installation of RHEL 9, net.ipv4.conf.default.rp_filter is defined twice under /usr/lib/sysctl.d, in 50-default.conf and 50-redhat.conf, with 50-default.conf setting it to 2 and 50-redhat.conf setting it to 1:

    # grep net.ipv4.conf.default.rp_filter /usr/lib/sysctl.d/*
    /usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
    /usr/lib/sysctl.d/50-redhat.conf:net.ipv4.conf.default.rp_filter = 1

Because sysctl.d(5) processes fragments in lexicographic order of file name and a later file overrides an earlier one, 50-redhat.conf wins and the running value is 1. Even so, the oscap scan of the CIS profile fails this rule:

    # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
        --rule xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter \
        --results `uname -n`_scan_results.xml --report `uname -n`_scan_report.html \
        /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
    --- Starting Evaluation ---

    Title   Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
    Rule    xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
    Ident   CCE-84009-0
    Result  fail

while the running value is indeed 1:

    # sysctl -a | grep net.ipv4.conf.default.rp_filter
    net.ipv4.conf.default.rp_filter = 1
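The grep above only looks in /usr/lib/sysctl.d; a compliance check that inspects the persistent configuration rather than just the running value sees every directory sysctl.d(5) reads. As an added example (not part of the Red Hat article, and not the resolution it goes on to give), the following POSIX shell script emulates the sysctl.d(5) precedence rules: same-named files in /etc/sysctl.d mask those in /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d and /lib/sysctl.d, the surviving files are applied in lexicographic order, and the last definition of a key wins. It lists every file that defines a key, reports the effective value, and flags the case where the files disagree. The root prefix argument, the function names and build_demo_tree (which writes constructed one-line stand-ins for the two /usr/lib/sysctl.d fragments quoted above) are assumptions for this example; it is a precedence checker, not a reimplementation of the SCAP rule's OVAL logic.

```shell
#!/bin/sh
# Added example: emulate sysctl.d(5) precedence to find every file that
# defines a sysctl key and which definition is effective. Not Red Hat code.
# Assumption: an optional ROOT prefix (default: the real filesystem) so the
# checker can be exercised against a constructed tree.

# Print "value<TAB>file" for each definition of KEY, in the order
# systemd-sysctl applies them; the last line printed is the effective value.
# /etc/sysctl.conf is reached through the usual /etc/sysctl.d/99-sysctl.conf
# symlink on RHEL, so it needs no special handling here.
sysctl_definitions() {
    sd_key=$1
    sd_root=${2:-}
    sd_seen=" "
    sd_list=""
    # Highest-priority directory first: the first directory that provides a
    # given file name masks same-named files in the directories after it.
    for sd_d in "$sd_root/etc/sysctl.d" "$sd_root/run/sysctl.d" \
                "$sd_root/usr/local/lib/sysctl.d" "$sd_root/usr/lib/sysctl.d" \
                "$sd_root/lib/sysctl.d"; do
        [ -d "$sd_d" ] || continue
        for sd_f in "$sd_d"/*.conf; do
            [ -f "$sd_f" ] || continue
            sd_b=${sd_f##*/}
            case "$sd_seen" in *" $sd_b "*) continue ;; esac
            sd_seen="$sd_seen$sd_b "
            sd_list="$sd_list$sd_b $sd_f
"
        done
    done
    # Surviving fragments are applied in lexicographic order of file name.
    printf '%s' "$sd_list" | LC_ALL=C sort -k1,1 | while read -r sd_b sd_f; do
        awk -v key="$sd_key" -v file="$sd_f" '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments, blanks
            {
                n = index($0, "=")
                if (n == 0) next
                k = substr($0, 1, n - 1); v = substr($0, n + 1)
                sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                sub(/^-/, "", k)        # leading "-" only means "ignore write errors"
                gsub(/\//, ".", k)      # net/ipv4/... is the same key as net.ipv4....
                if (k == key) print v "\t" file
            }' "$sd_f"
    done
}

# Effective persistent value of KEY (empty if no file sets it).
sysctl_effective() {
    sysctl_definitions "$1" "$2" | tail -n 1 | cut -f1
}

# Succeed when every definition of KEY agrees; fail when files disagree,
# which is the situation the article describes (2 in one file, 1 in another)
# even though the running value looks right.
sysctl_conflicts() {
    sc_n=$(sysctl_definitions "$1" "$2" | cut -f1 | LC_ALL=C sort -u | wc -l | tr -d ' ')
    [ "$sc_n" -le 1 ]
}

# Constructed tree reproducing the article's two fragments (one line each,
# not the full vendor files). Prints the root path.
build_demo_tree() {
    bt_root=$(mktemp -d)
    mkdir -p "$bt_root/usr/lib/sysctl.d" "$bt_root/etc/sysctl.d"
    printf '%s\n' 'net.ipv4.conf.default.rp_filter = 2' > "$bt_root/usr/lib/sysctl.d/50-default.conf"
    printf '%s\n' 'net.ipv4.conf.default.rp_filter = 1' > "$bt_root/usr/lib/sysctl.d/50-redhat.conf"
    printf '%s\n' "$bt_root"
}

demo() {
    dm_root=$(build_demo_tree)
    dm_key=net.ipv4.conf.default.rp_filter
    echo "Definitions of $dm_key under $dm_root (last one wins):"
    sysctl_definitions "$dm_key" "$dm_root"
    if sysctl_conflicts "$dm_key" "$dm_root"; then
        echo "no conflicting values"
    else
        echo "conflicting values; effective=$(sysctl_effective "$dm_key" "$dm_root")"
    fi
    rm -rf "$dm_root"
}
demo
```

Run it as-is to see the demo tree resolve to 1 with a conflict reported; pass the real root (`sysctl_definitions net.ipv4.conf.default.rp_filter /`) on a RHEL 9 host to list what the system actually reads. Dropping a same-named file into /etc/sysctl.d masks the /usr/lib copy entirely, which the checker also models; whether that is the appropriate remediation for the CIS rule is what the article's resolution section addresses and is not claimed here.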
Environment
- RHEL 9
- openscap
- sysctl
- CIS