On Wed, Jan 9, 2019 at 3:28 AM Shawn Wells <[email protected]> wrote:

>
> On 1/8/19 1:39 PM, Gabe Alford wrote:
>
> On Tue, Jan 8, 2019 at 7:08 AM Watson Sato <[email protected]> wrote:
>
>>
>>
>> On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan <[email protected]>
>> wrote:
>>
>>> Personally, I think that anything marked as %config should not be
>>> checked because they are allowed to vary anyway.
>>>
>>
>> I'm leaning towards ignoring config files in the OVAL check, and making it
>> explicit in the rule description.
>> And add a note with a command that would output a list of config files that
>> do not match their rpm hash,
>> in case you would like to review altered config files manually.
>>
>
> This isn't a great fix and is more of a bandaid. It would be better for us
> to open BZs and fix this in the troublesome RPMs' spec files.
>
>
> The XCCDF currently has language stating that config files are expected to
> change and should not be a finding.
>
From the following snippet I understand that a configuration file that changed
is a finding and should be reviewed and fixed/waived.

A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change.  If the file was not expected to
change, investigate the cause of the change using audit logs or other means.

> If the OVAL is flagging config files, wouldn't that be a bug in the
> existing OVAL code?
>
Yes, my suggestion is to stop checking hash of config files in rule "Verify
file hashes with RPM".

_______________________________________________
> scap-security-guide mailing list --
> [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>


-- 
Watson Sato
Security Technologies | Red Hat, Inc
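
Added example, not part of the original message or of the scap-security-guide content: one way to split `rpm -Va` output into hash mismatches on non-config files and hash mismatches on `%config` files (the "c" marker in the second column) for manual review. The function name, the `FINDING`/`REVIEW` labels and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper: reads "rpm -Va" style lines on stdin.
# Real use would be:  rpm -Va | classify_rpm_verify
classify_rpm_verify() {
    awk '
    {
        flags = $1
        # Verification results are a 9-character flag string; this also
        # skips "missing" lines, which carry no digest result.
        if (length(flags) != 9) next
        # Third character is "5" when the file digest differs from the RPM database.
        if (substr(flags, 3, 1) != "5") next
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)      # drop the flag string
        attr = ""
        if (rest ~ /^[cdglr][ \t]+\//) {      # optional attribute marker (c = %config)
            attr = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        # Config files may legitimately change: list them for manual review.
        if (attr == "c") print "REVIEW  " rest
        else             print "FINDING " rest
    }'
}

# Constructed sample input in the format rpm -Va prints (not real output).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/example-tool
.M.......  c /etc/example.conf
missing   c /etc/example.d/old.conf
S.5....T.  d /usr/share/doc/example/README
EOF
}

sample_rpm_va | classify_rpm_verify
```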