I'd only go with permissions if the permissions are *weaker*. I've tightened down various config items and they show as issues which makes for a slew of false positives.
Ownership makes sense.

On Tue, Jan 8, 2019 at 1:38 PM James Cassell <[email protected]> wrote:

> On Tue, Jan 8, 2019, at 9:08 AM, Watson Sato wrote:
> > On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan <[email protected]>
> > wrote:
> >
> > > Personally, I think that anything marked as %config should not be checked
> > > because they are allowed to vary anyway.
> > >
> >
> > I'm leaning towards ignoring config files in OVAL check, and making it
> > explicit in rule description.
> > And add a note with command that would output list of config files that do
> > not match their rpm hash,
> > in case you would like to review altered config files manually.
> >
>
> I think it's fine to ignore hash for config files, but permissions and
> ownership should still be verified, though that may be a separate rule.
>
> V/r,
> James Cassell
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
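The split discussed in this thread (hash mismatches on `%config` files listed for manual review only, mode and ownership differences still reported for every file) can be sketched as a filter over `rpm -Va` output. This is an added example, not code from the thread or from the scap-security-guide project; the function names, category labels and sample lines are constructed for illustration.

```shell
# Classify `rpm -Va` lines read from stdin.
# Each line is: 9 verify flags, an optional attribute marker
# (c = %config), then the path.
# Flag positions used here: 2 = M (mode), 3 = 5 (digest),
# 6 = U (user), 7 = G (group).
classify_rpm_verify() {
  awk '
    {
      flags = $1
      # the attribute marker is a single character in field 2
      attr = (NF >= 3 && length($2) == 1) ? $2 : ""
      # the path starts at the first slash and may contain spaces
      path = substr($0, index($0, "/"))
    }
    flags == "missing" { print "MISSING", path; next }
    {
      if (substr(flags, 3, 1) == "5") {
        # altered %config content is listed for review, not failed
        tag = (attr == "c") ? "REVIEW_HASH" : "FAIL_HASH"
        print tag, path
      }
      # M only says the mode differs from the package, not whether
      # it is weaker or stricter than the packaged mode
      if (substr(flags, 2, 1) == "M") print "MODE_DIFFERS", path
      if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        print "OWNER_DIFFERS", path
    }'
}

# Constructed sample in `rpm -Va` format (not output from a real host).
sample_rpm_va() {
  cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......  c /etc/chrony.conf
S.5....T.    /usr/bin/example-tool
.....UG..    /usr/lib/example/helper
missing   c /etc/example.conf
EOF
}
```

On a real system the input would come from `rpm -Va | classify_rpm_verify`.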
