OpenSCAP scanner incorrectly fails the multiple DNS servers rule and I'm not sure why

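I am trying to harden a UBI 8 base image using the openscap tool. The scanner has a rule, xccdf_org.ssgproject.content_rule_network_configure_name_resolution, which checks for multiple DNS servers in the /etc/resolv.conf file. The test fails, but when I check the contents of that file from inside the image, there are 4 nameservers. The test that checks this is a regular expression, and when I put it into a regex tester, the output of resolv.conf returns 4 matches (as expected). I have checked the file permissions, and the file is readable by everyone.

Any help would be greatly appreciated.

Edit (nsswitch.conf output):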

cat /etc/nsswitch.conf
# Generated by authselect on Fri Feb 23 13:25:15 2024
# Do not modify this file manually.

# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
#     passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
#     passwd: files
#     hosts: files dns
# the resulting generated nsswitch.conf will be:
#     passwd: sss files # from profile
#     hosts: files dns  # from user file

aliases:    files
automount:  files
ethers:     files
group:      files systemd
hosts:      files dns myhostname
initgroups: files
netgroup:   files
networks:   files
passwd:     files systemd
protocols:  files
publickey:  files
rpc:        files
services:   files
shadow:     files
# Included from /etc/authselect/user-nsswitch.conf

#
# /etc/nsswitch.conf
#
# Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#   compat          Use /etc files plus *_compat pseudo-db
#   db          Use the pre-processed /var/db files
#   dns         Use DNS (Domain Name Service)
#   files           Use the local files in /etc
#   hesiod          Use Hesiod (DNS) for user lookups
#   nis         Use NIS (NIS version 2), also called YP
#   nisplus         Use NIS+ (NIS version 3)
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#   ldap            Use LDAP directory server
#   myhostname      Use systemd host names
#   mymachines      Use systemd machine names
#   mdns*, mdns*_minimal    Use Avahi mDNS/DNS-SD
#   resolve         Use systemd resolved resolver
#   sss         Use System Security Services Daemon (sssd)
#   systemd         Use systemd for dynamic user option
#   winbind         Use Samba winbind support
#   wins            Use Samba wins support
#   wrapper         Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
#      lead to unexpected behaviour, especially with how long
#      entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.

gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files

Answer 1

You mention 4 nameserver entries.

That may be the problem and, depending on your system, may be too many.

man 5 resolv.conf

nameserver Name server IP address
          Internet  address  of  a name server that the resolver should query, either an IPv4
          address (in dot notation), or an IPv6 address in colon (and possibly dot)  notation
          as  per  RFC  2373.   Up to MAXNS (currently 3, see <resolv.h>) name servers may be
          listed, one per keyword.  If there  are  multiple  servers,  the  resolver  library
          queries  them  in  the  order  listed.  ...
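
An added example, not part of the original question or answer: a Python check that splits the nameserver lines of a resolv.conf into those within MAXNS and those beyond it, following the man page excerpt above. The function name, the constructed sample file, and the minimum of 2 servers (standing in for "multiple") are assumptions; entries that do not parse as an IP address are reported separately rather than counted.

```python
import ipaddress

MAXNS = 3  # limit quoted from resolv.conf(5) in the answer above

# Constructed sample input, not the poster's actual file.
SAMPLE = """\
# constructed sample resolv.conf
search example.internal
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 2001:db8::53
nameserver 192.0.2.4
 nameserver 192.0.2.5
nameserver not-an-ip
options timeout:2
"""


def audit_nameservers(text, maxns=MAXNS, min_servers=2):
    """Classify nameserver entries; min_servers=2 is an assumed reading of "multiple"."""
    used, ignored, invalid = [], [], []
    for line in text.splitlines():
        fields = line.split()
        # resolv.conf(5): the keyword must start the line, value follows whitespace
        if len(fields) < 2 or fields[0] != "nameserver" or line[0].isspace():
            continue
        addr = fields[1]
        try:
            ipaddress.ip_address(addr)  # accepts IPv4 and IPv6 literals
        except ValueError:
            invalid.append(addr)        # example's choice: report, do not count
            continue
        # Entries past maxns are the ones the resolver would not query
        (used if len(used) < maxns else ignored).append(addr)
    return {
        "used": used,
        "ignored": ignored,
        "invalid": invalid,
        "meets_minimum": len(used) >= min_servers,
        "over_limit": bool(ignored),
    }


if __name__ == "__main__":
    for key, value in audit_nameservers(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass the file's contents, for example audit_nameservers(open("/etc/resolv.conf").read()).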
