Personally, I think that anything marked as %config should not be checked because they are allowed to vary anyway.
On Tue, Jan 8, 2019 at 8:52 AM Watson Sato <[email protected]> wrote:

> Hello,
>
> Regarding rule "Verify file hashes with RPM", whose files reside here:
>
> https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes
>
> From description in rule.yml I understand that altered files should be
> reported and, altered configuration files should be reported analyzed
> individually.
> 1. Is this the intended action? To evaluate altered configuration files?
>
> Looking at the OVAL check, it mostly cares about altered files under /bin,
> /sbin, /lib, /lib64 or /usr (mainly executables and libraries according to
> comment).
> 2. Is this restriction only to optimize for search of libraries and
> binaries?
> I see a slight misalignment between check and description. This way we
> won't be catching many changes in config files.
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
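To make the distinction discussed in this thread concrete, the following added example (not part of either message and not the project's OVAL check) parses `rpm -Va` style output and separates digest mismatches on `%config` files from those on other files under the directories named above. The sample lines, the file paths in them and the function name `classify_digest_mismatches` are constructed for illustration.

```python
import re

# Directories the thread says the check concentrates on.
CHECKED_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/")

# An rpm -V result line: nine result flags, an optional one-letter file
# marker (c = %config, d = %doc, g = %ghost, l = %license, r = %readme),
# then the absolute path. "missing ..." lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<flags>[A-Za-z0-9.?]{9})\s+(?:(?P<marker>[cdglr])\s+)?(?P<path>/.*)$"
)

def classify_digest_mismatches(rpm_verify_output):
    """Group files whose digest flag ('5', third column) is set."""
    groups = {"config": [], "checked_dirs": [], "elsewhere": []}
    for line in rpm_verify_output.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("flags")[2] != "5":
            continue  # not a result line, or the digest was not reported as changed
        path = m.group("path")
        if m.group("marker") == "c":
            # %config files are expected to be edited locally; keep them
            # apart so they can be reviewed one by one.
            groups["config"].append(path)
        elif path.startswith(CHECKED_PREFIXES):
            groups["checked_dirs"].append(path)
        else:
            groups["elsewhere"].append(path)
    return groups

# Constructed sample in the layout printed by `rpm -Va`.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/example-tool
.M.......    /usr/lib64/libexample.so.1
missing   c /etc/example.conf
S.5....T.  c /usr/lib/example/defaults.conf
..5......    /opt/example/bin/agent
"""

if __name__ == "__main__":
    for group, paths in classify_digest_mismatches(SAMPLE).items():
        print(group, paths)
```

Note that a `%config` file can live under `/usr`, so a path filter and a `%config` filter do not select the same set of files.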
