On Wed, Jan 7, 2015 at 11:03 AM, Shawn Wells <[email protected]> wrote:
>>> > TL;DR - OVAL is limited in its capabilities. The prose must match what
>>> > OVAL can do.
>
> To meet the US Gov's requirements, profiles like the STIG should
> check for *both* on-disk and runtime settings, though through different
> XCCDF/OVAL rules.

I'm not convinced that XCCDF/OVAL is the right choice for general work. So far the skills to use it don't seem to be common in the people who need to get work done.

However, I do agree that on-disk and run time settings should be checked. It is too easy to modify something outside an expected init file. Since we can't expect the STIG writers to know everything I'm happy with looking for the intent and following through on that.

Leam

--
Mind on a Mission
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
