I'd only go with permissions if the permissions are *weaker*.

I've tightened down various config items, and they show as issues, which makes for a slew of false positives.

Ownership makes sense.

On Tue, Jan 8, 2019 at 1:38 PM James Cassell <fedoraproject@cyberpear.com> wrote:
On Tue, Jan 8, 2019, at 9:08 AM, Watson Sato wrote:
> On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan <tvaughan@onyxpoint.com>
> wrote:
>
> > Personally, I think that anything marked as %config should not be checked
> > because they are allowed to vary anyway.
> >
>
> I'm leaning towards ignoring config files in the OVAL check, and making it
> explicit in the rule description.
> And add a note with a command that would output the list of config files that do
> not match their rpm hash,
> in case you would like to review altered config files manually.
>
>

I think it's fine to ignore hash for config files, but permissions and ownership should still be verified, though that may be a separate rule.


V/r,
James Cassell
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org


--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
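The policy discussed in the thread (ignore digest drift on %config files, but still report mode/owner/group drift on every file), as an added shell example that is not part of the thread or of the scap-security-guide project. The `rpm -V` sample lines are constructed, and the column layout (9 attribute characters, two spaces, the file-type marker, a space, the path) is assumed from the rpm(8) man page.

```shell
#!/bin/sh
# Added example: classify `rpm -Va` output lines per the thread's policy.
# rpm -V attribute positions (rpm(8)): S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P caps; '.' means the test passed.
# The type marker after the attributes is 'c' for %config files.

classify_rpm_verify() {
  # Reads rpm -V lines on stdin, prints one "FINDING ..." or "INFO ..." line
  # for each entry that matters under the policy; clean lines print nothing.
  awk '
    /^missing/ { print "FINDING missing-file " $NF; next }
    {
      attrs = substr($0, 1, 9)
      type  = substr($0, 12, 1)
      path  = substr($0, 14)
      drift = ""
      if (substr(attrs, 2, 1) == "M") drift = drift "mode,"
      if (substr(attrs, 6, 1) == "U") drift = drift "user,"
      if (substr(attrs, 7, 1) == "G") drift = drift "group,"
      # Permissions and ownership are verified on every file, config or not.
      if (drift != "") { print "FINDING " drift " " path; next }
      # Digest drift on a %config file is expected; surface it for manual review only.
      if (type == "c" && substr(attrs, 3, 1) == "5") { print "INFO config-digest " path; next }
      # Digest drift on a non-config file is a real integrity finding.
      if (substr(attrs, 3, 1) == "5") { print "FINDING digest " path; next }
    }'
}

# Constructed sample standing in for real `rpm -Va` output (not captured from a host).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.M.......  c /etc/sudoers
.....UG..    /usr/bin/somebin
.M.......    /var/lib/foo
..5......    /usr/bin/other
missing     /usr/share/doc/x'

# Run on the sample; in practice: rpm -Va 2>/dev/null | classify_rpm_verify
printf '%s\n' "$SAMPLE" | classify_rpm_verify
```

Note that an 'M' only says the mode differs from the package manifest, not whether it became weaker or stricter; deciding that (the false-positive concern raised at the top of this message) needs the expected mode from `rpm -q --dump` compared against `stat`.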