> Are the config-file-validation-engine’s config files under RPM control? ;-)
Heh....sort of, but mostly git with mandatory 2 person review and CI.
On Wed, Jan 9, 2019 at 2:43 PM Brent Kimberley <Brent.Kimberley(a)durham.ca>
wrote:
> One-size-fits-all vs tailored
> Are the config-file-validation-engine’s config files under RPM control? ;-)
>
>
> *From:* Watson Sato [mailto:wsato@redhat.com]
> *Sent:* Wednesday, January 9, 2019 11:59 AM
> *To:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> *Subject:* Re: Rule rpm_verify_file_hashes and config files
>
> On Wed, Jan 9, 2019 at 5:39 PM Gabe Alford <redhatrises(a)gmail.com> wrote:
>
> On Wed, Jan 9, 2019 at 9:09 AM Watson Sato <wsato(a)redhat.com> wrote:
>
> On Wed, Jan 9, 2019 at 3:28 AM Shawn Wells <shawn(a)redhat.com> wrote:
>
>
>
> The XCCDF currently has language stating that config files are expected to
> change and should not be a finding.
>
> From the following snippet I understand that a configuration file that changed
> is a finding and should be reviewed and fixed/waived.
>
> A "c" in the second column indicates that a file is a configuration file, which
> may appropriately be expected to change. If the file was not expected to
> change, investigate the cause of the change using audit logs or other means.
>
> Which if that is the case, changing the OVAL code so that it ignores the
> config files and passes doesn't make sense.
>
> Because how will you know if you need to investigate a config file that
> has changed when it wasn't supposed to change?
>
>
>
> Well, that is one of my questions.
>
> In practice, are people expecting that configuration files which differ
> from the default shipped in the package be reported?
>
> Won't it just end up creating a large amount of findings people don't care about?
>
>
>
> And if config files should really be checked, why skip /etc in OVAL
> definition?
>
> If the OVAL is flagging config files, wouldn't that be a bug in the
> existing OVAL code?
>
> Yes, my suggestion is to stop checking the hash of config files in rule
> "Verify file hashes with RPM".
>
>
>
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
>
>
> --
>
> Watson Sato
> Security Technologies | Red Hat, Inc
>
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
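
The two positions in this thread (report changed config files, or stop hashing them) can be kept apart when triaging `rpm -Va` output. The sketch below is an added example, not code from the thread or from the SCAP Security Guide OVAL: it treats digest mismatches on non-config files as findings and puts mismatches on files marked "c" into a separate review queue. The function names and the sample lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Split `rpm -Va` digest mismatches into hard findings and a config review queue.

# Constructed sample of `rpm -Va` output (not taken from a real host).
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/example-tool
.M.......  c /etc/example.conf
S.5....T.  d /usr/share/doc/example/README
missing   c /etc/example.d/old.conf
.......T.    /usr/lib/example/lib.so
EOF
}

# hash_findings MODE: reads `rpm -Va` lines on stdin.
#   strict  print files with a digest mismatch that are NOT marked as config
#   config  print config files ("c" in the second column) with a digest mismatch
hash_findings() {
    awk -v mode="$1" '
        # Column 1 is the flag string; a "5" in position 3 is a digest mismatch.
        # "missing" lines and lines with other flags only are skipped here.
        substr($1, 3, 1) != "5" { next }
        {
            rest = $0
            sub(/^[^ ]+ +/, "", rest)          # drop the flag column
            is_config = 0
            if (rest ~ /^[a-z] +\//) {         # optional attribute marker
                is_config = (substr(rest, 1, 1) == "c")
                sub(/^[a-z] +/, "", rest)      # keep the full path, spaces included
            }
            if (mode == "config" && is_config)  print rest
            if (mode == "strict" && !is_config) print rest
        }'
}

# Demo on the constructed sample; on a host: rpm -Va | hash_findings strict
sample_rpm_va | hash_findings strict
```

The `config` list is the set to compare against whatever controls the files (git history, configuration management) before deciding whether a change was expected.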