Hello,
I think there is a problem in the SSG content. I think that the current
content is intended to check the system configuration. This would be done by
examining the files on disk to warn about changes or things that are
misconfigured. There is also another category of testing that is forensics,
which checks the ephemeral / current values being enforced. Both are necessary
and useful, but they should not be mixed.
Some examples to illustrate the point:
Forensic                        Configuration
-----------------------------------------------------------------
auditctl -l                     vs   cat /etc/audit/audit.rules
mount                           vs   cat /etc/fstab
sysctl -a                       vs   cat /etc/sysctl.conf
service ip6tables status        vs   chkconfig ip6tables --list
All these need to be changed in the prose to better express what the SCAP tool
is actually checking. IOW, you can get different results by hand than the tool
itself would report.
This really needs to be addressed before anyone else uses SSG as the basis of
their own recommendations. Again, forensic checking is useful and I would say
content should be specifically designed with that in mind. But it is not what
should be in a baseline.
Thanks,
-Steve
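The sysctl row of the table above, as an added example that is not part of Steve's message or of SSG/SCAP: a small Python script that parses a sysctl.conf-style file (constructed sample inline) and reports every setting whose currently enforced value differs from, or is missing compared to, what the file says. `read_runtime_value` is a hypothetical helper that reads `/proc/sys` on a live Linux host; `SAMPLE_RUNTIME` stands in for `sysctl -a` output.

```python
"""Compare configured sysctl values (on disk) with enforced ones (runtime).

Added example, not code from the original post or from SSG. The config
file and the runtime snapshot below are constructed for illustration.
"""
import os
from typing import Dict, Optional, Tuple

# constructed stand-in for /etc/sysctl.conf
SAMPLE_SYSCTL_CONF = """
# hardening settings
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
"""

# constructed stand-in for `sysctl -a`: ip_forward was flipped after boot,
# and fs.suid_dumpable is not reported at all
SAMPLE_RUNTIME = """
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
"""


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `key = value` lines, ignoring comments and blank lines."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_runtime_value(key: str) -> Optional[str]:
    """Hypothetical helper: read the live kernel value from /proc/sys (Linux)."""
    path = os.path.join("/proc/sys", key.replace(".", "/"))
    try:
        with open(path) as fh:
            return " ".join(fh.read().split())  # normalise tabs/newlines
    except OSError:
        return None  # key absent, or not running on Linux


def find_drift(configured: Dict[str, str],
               runtime: Dict[str, Optional[str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {key: (configured, enforced)} where the two disagree; enforced is None if absent."""
    return {k: (v, runtime.get(k)) for k, v in configured.items() if runtime.get(k) != v}


def drift_from_live_kernel(conf_text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Same comparison against the running kernel via /proc/sys."""
    configured = parse_sysctl(conf_text)
    return find_drift(configured, {k: read_runtime_value(k) for k in configured})


if __name__ == "__main__":
    drift = find_drift(parse_sysctl(SAMPLE_SYSCTL_CONF), parse_sysctl(SAMPLE_RUNTIME))
    for key, (want, have) in drift.items():
        print(f"{key}: configured={want} enforced={have}")
```

A config-only check (the "cat" column) would report this host as compliant, while the runtime comparison shows the forwarding setting was changed and one setting was never applied.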