I think that it's valuable since it's a more correct check.
Also, if FIPS checking is the next killer feature, well.....
On Mon, Oct 29, 2018, 10:57 PM Shawn Wells shawn@redhat.com wrote:
On 10/29/18 4:11 PM, Mark Thacker wrote:
AHHH. Well, checking the signatures of the RPMs versus what we posted in the certification would be a start. (sorry, manual there unless you automate using Ansible or OpenSCAP perhaps) You can check that the kernel is running in FIPS mode, of course, but I'm not sure that's all you want to check.
Current content evaluates FIPS enablement (e.g. grub fips=1).
We can *easily* enhance these checks to ensure the appropriate RPMs are installed too. If this would be valuable, it's very very quick/trivial to do.
BTW: That process of checking that the system is configured in FIPS does get easier in the future.....
hayyyyy I thought the first rule of $thingThatShallNotBeNamed was to not talk about $thingThatShallNotBeNamed in public? Don't worry, I won't tell ;)

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
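
The three layers this thread distinguishes (the `fips=1` boot argument, the running kernel's FIPS flag, and the required RPMs being installed) combined into one verdict, as an added example that is not part of the thread or of scap-security-guide. The function names are hypothetical and the package names are placeholders, since the thread does not list the certified packages; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not scap-security-guide content. Package names are
# placeholders: the real list comes from the FIPS certification documents.

# Print the effective fips= value on a kernel command line, or "unset".
# Whole-token match: "nofips=1" is ignored and "fips=10" is reported as 10.
# Assumption: when fips= is repeated, the last occurrence wins.
cmdline_fips_value() (
    set -f                      # no glob expansion while word-splitting
    val=unset
    for tok in $1; do
        case "$tok" in
            fips=*) val=${tok#fips=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# Print each required package name (one per line in $1) absent from $2.
missing_packages() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if ! printf '%s\n' "$2" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# fips_verdict CMDLINE PROC_VALUE REQUIRED INSTALLED -> "pass" or "fail: ..."
fips_verdict() {
    reasons=
    v=$(cmdline_fips_value "$1")
    if [ "$v" != 1 ]; then reasons="$reasons boot-arg(fips=$v)"; fi
    if [ "$2" != 1 ]; then reasons="$reasons kernel(fips_enabled=$2)"; fi
    for pkg in $(missing_packages "$3" "$4"); do
        reasons="$reasons missing-rpm($pkg)"
    done
    if [ -z "$reasons" ]; then echo pass; else echo "fail:$reasons"; fi
}

# Constructed inputs. On a live host they would come from /proc/cmdline,
# /proc/sys/crypto/fips_enabled and: rpm -qa --qf '%{NAME}\n'
REQUIRED='example-fips-module-a
example-fips-module-b'
INSTALLED='bash
example-fips-module-a
kernel'
fips_verdict 'BOOT_IMAGE=/vmlinuz ro quiet fips=1' 1 "$REQUIRED" "$INSTALLED"
```

With the constructed inputs the boot argument and kernel flag both pass, and the verdict still fails on the one placeholder package that is not installed.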