On Tue, Jan 8, 2019 at 7:08 AM Watson Sato <[email protected]> wrote:
>
> On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan <[email protected]> wrote:
>
>> Personally, I think that anything marked as %config should not be checked
>> because they are allowed to vary anyway.
>
> I'm leaning towards ignoring config files in the OVAL check, and making it
> explicit in the rule description.
> And add a note with a command that would output the list of config files that
> do not match their rpm hash, in case you would like to review altered config
> files manually.
>

This isn't a great fix and is more of a band-aid. It would be better for us to open BZs and fix this in the troublesome RPMs' spec files.

>
>> On Tue, Jan 8, 2019 at 8:52 AM Watson Sato <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Regarding rule "Verify file hashes with RPM", whose files reside here:
>>>
>>> https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes
>>>
>>> From the description in rule.yml I understand that altered files should be
>>> reported, and altered configuration files should be reported and analyzed
>>> individually.
>>> 1. Is this the intended action? To evaluate altered configuration files?
>>>
>>> Looking at the OVAL check, it mostly cares about altered files under
>>> /bin, /sbin, /lib, /lib64 or /usr (mainly executables and libraries
>>> according to the comment).
>>> 2. Is this restriction only to optimize the search for libraries and
>>> binaries?
>>> I see a slight misalignment between check and description. This way we
>>> won't be catching many changes in config files.
>>>
>>> --
>>> Watson Sato
>>> Security Technologies | Red Hat, Inc
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699 x788
>>
>> -- This account not approved for unencrypted proprietary information --
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
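As an added example, not part of the thread and not code from the ComplianceAsCode project, here is a shell filter over `rpm -V` output of the kind Watson proposes for the rule note: it lists %config files whose digest no longer matches the package, so an operator can review them by hand, and separately lists missing config files and altered files under the directories the OVAL check is described as covering. The `rpm -Va` output below is constructed for the demonstration; the directory list in `altered_files_in_checked_dirs` is an assumption based on the directories named in the thread, not a reading of the actual OVAL.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not captured from a real host).
# Column 1 is the 9-character attribute string (S M 5 D L U G T P, "." for
# unchanged) or the word "missing"; an optional file-type flag follows
# (c=config, d=doc, g=ghost, l=license, r=readme); the path is last.
SAMPLE_RPM_VERIFY='S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/sysconfig/network
.M.......  c /etc/chrony.conf
missing   c /etc/pam.d/other
S.5....T.    /usr/bin/ls
..5....T.    /usr/lib64/libexample.so.1
S.5....T.    /opt/vendor/bin/tool
missing     /usr/lib64/libmissing.so'

# Config files (%config, flag "c") whose digest differs from the package:
# position 3 of the attribute column is "5". Mode or mtime changes alone are
# ignored, since those are expected for config files.
altered_config_files() {
    awk 'NF == 3 && $2 == "c" && substr($1, 3, 1) == "5" { print $3 }'
}

# Config files the package owns but which no longer exist on disk.
missing_config_files() {
    awk 'NF == 3 && $2 == "c" && $1 == "missing" { print $3 }'
}

# Non-config files with a digest mismatch under the directories the thread
# says the OVAL check restricts itself to (assumed list: /bin, /sbin, /lib,
# /lib64, /usr). Missing files are excluded because "missing" has no "5".
altered_files_in_checked_dirs() {
    awk 'substr($1, 3, 1) == "5" && !(NF == 3 && $2 == "c") {
        p = $NF
        if (p ~ /^\/(bin|sbin|lib|lib64|usr)\//) print p
    }'
}

# Demonstration on the constructed sample. On a real host replace the
# printf with:  rpm -Va 2>/dev/null | altered_config_files
echo "== config files with changed digest (review manually) =="
printf '%s\n' "$SAMPLE_RPM_VERIFY" | altered_config_files
echo "== missing config files =="
printf '%s\n' "$SAMPLE_RPM_VERIFY" | missing_config_files
echo "== altered non-config files in checked directories =="
printf '%s\n' "$SAMPLE_RPM_VERIFY" | altered_files_in_checked_dirs
```

The digest column is the only attribute that matters for the "altered config file" question; a changed mtime or mode on a %config file is routine and would flood the list, which is why the filter keys on the `5` flag alone. Paths containing spaces are not handled (they are rare in packaged files); `rpm -Va` exits non-zero when anything differs, so pipe it rather than relying on its exit status.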
