So, I tried doing this via GitHub but it seems the issue and PR were just abruptly closed within 20m without any meaningful conversation, so I'm hoping that there can be a more fruitful discussion on list here.
https://github.com/ComplianceAsCode/content/issues/4917
https://github.com/ComplianceAsCode/content/pull/4920

The issue in question is that any FIPS related check includes a test for whether or not the OS is FIPS certified. That seems to make sense as a standalone rule, but shouldn't that be orthogonal to whether or not SSH is configured to use FIPS approved crypto algorithms or if AIDE is configured to exclusively use FIPS approved hashes? The rule isn't whether or not ssh is FIPS approved but just whether or not its configuration is such that only approved ciphers are used.

----------
Chuck Atkins
Staff R&D Engineer, Scientific Computing
Kitware, Inc.
(518) 881-1183
