On Wed, Jan 9, 2019 at 9:09 AM Watson Sato <[email protected]> wrote:

>
>
> On Wed, Jan 9, 2019 at 3:28 AM Shawn Wells <[email protected]> wrote:
>
>>
>> On 1/8/19 1:39 PM, Gabe Alford wrote:
>>
>> On Tue, Jan 8, 2019 at 7:08 AM Watson Sato <[email protected]> wrote:
>>
>>>
>>>
>>> On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan <[email protected]>
>>> wrote:
>>>
>>>> Personally, I think that anything marked as %config should not be
>>>> checked because they are allowed to vary anyway.
>>>>
>>>
>>> I'm leaning towards ignoring config files in the OVAL check, and making it
>>> explicit in the rule description.
>>> And add a note with a command that would output a list of config files that
>>> do not match their rpm hash,
>>> in case you would like to review altered config files manually.
>>>
>>
>> This isn't a great fix and is more of a band-aid. It would be better for
>> us to open BZs and fix this in the troublesome RPMs' spec files.
>>
>>
>> The XCCDF currently has language stating that config files are expected
>> to change and should not be a finding.
>>
> From the following snippet I understand that a configuration file that changed
> is a finding and should be reviewed and fixed/waived.
>
> A "c" in the second column indicates that a file is a configuration file,
> which may appropriately be expected to change.  If the file was not expected to
> change, investigate the cause of the change using audit logs or other means.
>
Which if that is the case, changing the OVAL code so that it ignores the
config files and passes doesn't make sense.
Because how will you know if you need to investigate a config file that has
changed when it wasn't supposed to change?


>> If the OVAL is flagging config files, wouldn't that be a bug in the
>> existing OVAL code?
>>
> Yes, my suggestion is to stop checking hash of config files in rule
> "Verify file hashes with RPM".
>
>> _______________________________________________
>> scap-security-guide mailing list --
>> [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc

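The thread mentions a command that lists config files whose contents no longer match their RPM digest. The following is an added example, not taken from the thread or from the SCAP Security Guide project, that splits `rpm -Va` output into non-config digest mismatches and `%config` digest mismatches left for manual review. The function name, the `FINDING`/`REVIEW` tags and the sample lines are constructed for illustration, and the layout assumed is the usual `rpm -V` one (nine flag characters, an optional attribute marker, then the path).

```shell
#!/bin/sh
# Added example. Reads `rpm -V` style lines on stdin and prints one line per
# file whose digest differs from the RPM database:
#   FINDING <path>  digest mismatch on a file that is not marked %config
#   REVIEW  <path>  digest mismatch on a %config file ("c" attribute marker)
classify_rpm_verify() {
    awk '
        # Ignore "missing ..." lines and anything without a 9-character flag field.
        length($1) != 9 { next }
        # The third flag character is "5" when the file digest differs.
        substr($1, 3, 1) != "5" { next }
        {
            line = $0
            sub(/^[^ ]+ +/, "", line)        # drop the flag field
            attr = ""
            if (line ~ /^[cdglr] +\//) {     # optional attribute marker
                attr = substr(line, 1, 1)
                sub(/^[cdglr] +/, "", line)
            }
            tag = (attr == "c") ? "REVIEW" : "FINDING"
            print tag, line
        }
    '
}

# Constructed sample input (not output from a real system).
sample_lines() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/example-tool
.M.......  c /etc/chrony.conf
missing     /usr/share/doc/example/README
S.5....T.  d /usr/share/doc/example/NEWS
EOF
}

# Demo on the constructed sample; on a real host use: rpm -Va | classify_rpm_verify
sample_lines | classify_rpm_verify
```

Filtering the result for `REVIEW` gives the list of altered config files to inspect by hand, while `FINDING` lines are the digest mismatches on files that are not expected to vary.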