我正在尝试使用 openscap 工具强化 UBI 8 基础镜像。扫描器有一条规则:xccdf_org.ssgproject.content_rule_network_configure_name_resolution,它检查 /etc/resolv.conf 文件中的多个 DNS 服务器。测试失败,但当我从镜像内部检查该文件的内容时,发现有 4 个名称服务器。检查这一点的测试是一个正则表达式,当将其放入正则表达式测试器中,resolv.conf 的输出返回 4 个匹配项(预期)。我已检查文件权限,文件可供所有人读取。
任何帮助都将非常感激。
编辑(nsswitch.conf 输出):
cat /etc/nsswitch.conf
# Generated by authselect on Fri Feb 23 13:25:15 2024
# Do not modify this file manually.
# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
# passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
# passwd: files
# hosts: files dns
# the resulting generated nsswitch.conf will be:
# passwd: sss files # from profile
# hosts: files dns # from user file
aliases: files
automount: files
ethers: files
group: files systemd
hosts: files dns myhostname
initgroups: files
netgroup: files
networks: files
passwd: files systemd
protocols: files
publickey: files
rpc: files
services: files
shadow: files
# Included from /etc/authselect/user-nsswitch.conf
#
# /etc/nsswitch.conf
#
# Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
# compat Use /etc files plus *_compat pseudo-db
# db Use the pre-processed /var/db files
# dns Use DNS (Domain Name Service)
# files Use the local files in /etc
# hesiod Use Hesiod (DNS) for user lookups
# nis Use NIS (NIS version 2), also called YP
# nisplus Use NIS+ (NIS version 3)
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
# ldap Use LDAP directory server
# myhostname Use systemd host names
# mymachines Use systemd machine names
# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
# resolve Use systemd resolved resolver
# sss Use System Security Services Daemon (sssd)
# systemd Use systemd for dynamic user option
# winbind Use Samba winbind support
# wins Use Samba wins support
# wrapper Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# lead to unexpected behaviour, especially with how long
# entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd: db files
# shadow: db files
# group: db files
# In order of likelihood of use to accelerate lookup.
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
答案1
你提到4 nameserver条目。
这可能是问题所在,并且取决于您的系统,可能太多了。
man 5 resolv.conf
nameserver Name server IP address
Internet address of a name server that the resolver should query, either an IPv4
address (in dot notation), or an IPv6 address in colon (and possibly dot) notation
as per RFC 2373. Up to MAXNS (currently 3, see <resolv.h>) name servers may be
listed, one per keyword. If there are multiple servers, the resolver library
queries them in the order listed. ...