persistent vs runtime in OVAL+OCIL for mount checks #320
Comments
- Match Rule and OVAL IDs and update profile checks
- Make sure mount OVALs check persistent and runtime configurations
- Add OCIL for mount XCCDFs
- Fixes ComplianceAsCode#320
So e.g. for mount_option_dev_shm_nodev rule there should be two rules:
each of them checking particular settings (either permanent or temporary ones). And this should be performed for each of the mount OVAL checks. Or is the rule separation as outlined / proposed in Gabe's PR sufficient? (IOW, is it sufficient to update the OVAL item comments to clarify which tests are for permanent vs. temporary settings?) Thanks, Jan.
If we want two separate (*_persistent vs *_runtime) rules, another question is what to do with XCCDF: should the rules also be duplicated (having two of them for each), each of them stating what settings it is checking, e.g.
Thanks, Jan.
Based on Steve's reply, my interpretation is that the problem is (not entirely) the mixing of configuration vs. runtime checks / fixes, but mainly the discrepancies between the OVAL content and the XCCDF description. Taking e.g. the "Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces" rule as an example:
while it should instead be described in both XCCDF and OCIL as: To check the current value of the net.ipv4.conf.default.send_redirects variable, run the following command: IOW, for the latter, instead of suggesting the "sysctl net.ipv4.conf.default.send_redirects" command, we should use / suggest cat.
4-5-year-old ticket; closing due to lack of activity.
* Add Rule for SLES-15-020210
* remove spaces from nist@sle15 record
Co-authored-by: Earl Sampson <ESampson@suse.com>
Much of the filesystem guidance uses mount and /etc/fstab interchangeably. Need to verify that the XCCDF matches the OVAL, and create two rules for unique identification of persistent vs. runtime checks.
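The distinction the thread is about (a mount option or sysctl that is set persistently in configuration but not in the live kernel state, or vice versa) is easy to see when the two sources are checked separately and reported separately. The script below is an added example written for this page, not ComplianceAsCode content and not OVAL; the function names (fstab_has_option, runtime_has_option, sysctl_persistent_value, sysctl_runtime_value, report_mount, report_sysctl) are hypothetical. It takes the file paths as parameters so it can run against the constructed /etc/fstab, /proc/mounts, sysctl.d and /proc/sys samples it writes to a temp dir; it assumes /proc/mounts shares the six-column layout of fstab (which it does) and that sysctl.d files apply in lexical order with later assignments winning (an assumption that ignores /etc/sysctl.conf precedence details). It covers both the mount_option_dev_shm_nodev case above and the send_redirects sysctl case.

```shell
#!/bin/sh
# Added example (not project code): check persistent vs runtime state separately.

# fstab_has_option FILE MOUNTPOINT OPTION -> exit 0 if the last entry for
# MOUNTPOINT in FILE lists OPTION in its comma-separated options field.
# /proc/mounts uses the same "dev mountpoint fstype opts dump pass" columns,
# so the same parser serves both; last entry wins, which handles over-mounts.
fstab_has_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }      # comments and short lines
        $2 == mp {
            found = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# runtime_has_option MOUNTS MOUNTPOINT OPTION -> same check against the live
# mount table (normally /proc/mounts), i.e. what "mount" shows, not fstab.
runtime_has_option() { fstab_has_option "$1" "$2" "$3"; }

# sysctl_persistent_value CONF_DIR KEY -> last value assigned to KEY across
# CONF_DIR/*.conf (lexical file order, later lines override); empty if unset.
sysctl_persistent_value() {
    cat "$1"/*.conf 2>/dev/null | awk -v key="$2" -F'=' '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { val = v }
        END { print val }'
}

# sysctl_runtime_value PROC_SYS KEY -> the kernel's current value, read the way
# the thread suggests: cat /proc/sys/<key with dots as slashes>.
sysctl_runtime_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# verdict P R -> one word per combination so the report says which side failed
verdict() {
    case "$1$2" in
        00) echo pass ;; 10) echo fail-persistent ;;
        01) echo fail-runtime ;; *) echo fail-both ;;
    esac
}

# report_mount FSTAB MOUNTS MOUNTPOINT OPTION
report_mount() {
    p=0; r=0
    fstab_has_option "$1" "$3" "$4" || p=1
    runtime_has_option "$2" "$3" "$4" || r=1
    verdict "$p" "$r"
}

# report_sysctl CONF_DIR PROC_SYS KEY EXPECTED
report_sysctl() {
    p=0; r=0
    [ "$(sysctl_persistent_value "$1" "$3")" = "$4" ] || p=1
    [ "$(sysctl_runtime_value "$2" "$3")" = "$4" ] || r=1
    verdict "$p" "$r"
}

# Constructed sample inputs (not captured from a real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/fstab" <<'EOF'
# <device>      <mountpoint> <type> <options>             <dump> <pass>
UUID=0000-1111  /            ext4   defaults              1 1
tmpfs           /dev/shm     tmpfs  defaults,nosuid,nodev 0 0
tmpfs           /tmp         tmpfs  defaults              0 0
EOF
cat > "$TMP/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
mkdir -p "$TMP/sysctl.d" "$TMP/proc/sys/net/ipv4/conf/default"
printf 'net.ipv4.conf.default.send_redirects = 0\n' > "$TMP/sysctl.d/50-hardening.conf"
printf '1\n' > "$TMP/proc/sys/net/ipv4/conf/default/send_redirects"

report_mount "$TMP/fstab" "$TMP/mounts" /dev/shm nodev   # fail-runtime
report_mount "$TMP/fstab" "$TMP/mounts" /tmp nodev       # fail-persistent
report_sysctl "$TMP/sysctl.d" "$TMP/proc/sys" net.ipv4.conf.default.send_redirects 0   # fail-runtime
```

The three reports are exactly the cases a single merged check would blur: /dev/shm is configured with nodev but the live mount lacks it (a remount away from policy until reboot), /tmp is correct right now but will lose nodev at the next boot, and the sysctl is set in configuration while the kernel still reports 1. Splitting the rules, or at least the OVAL tests, lets the XCCDF description name the source it checks.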