On Thu, Nov 14, 2019 at 12:12 PM Ilya Okomin <[email protected]> wrote:
> Hello experts!
>
> I've noticed SSSD configuration rules implemented without verification
> if SSSD package/service installed/enabled. To be added, remediation part
> doesn't install sssd in case it is missing on the system, thus fix
> doesn't work for systems with no sssd on board.
> Rules:
> - sssd_enable_pam_services
> - sssd_ldap_configure_tls_ca_dir
> - sssd_ldap_start_tls
>
> So I have a couple of questions for clarification on the above:
> Shouldn't SSSD presence test criteria be added for mentioned rules and
> just mark them as passed if no SSSD observed?
>

I believe the CPE check for sssd handles this. If SSSD is not installed, it is `not applicable`. Otherwise, it is pass/fail.

> With regard to STIG profile, should service_sssd_enabled rule be added
> as a requirement?
>

A rule could be added for sure if desired. However, `service_sssd_enabled` or `package_sssd_installed` shouldn't really be a requirement.

>
> Regards,
> Ilya.
>
> _______________________________________________
> scap-security-guide mailing list --
> [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
