On 9/30/12 12:33 AM, Michael J. McConachie wrote:
0001-Test-Tags-for-input-system-software-updating.xml.patch
From ebc068bd50d3761e36ad66649e53c3dc48b29d8e Mon Sep 17 00:00:00 2001 From: Michael McConachiemichael@redhat.com Date: Fri, 28 Sep 2012 22:50:52 -0400 Subject: [PATCH 1/6] Test Tags for input/system/software/updating.xml
RHEL6/input/system/software/updating.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index ac9e590..1cbaae2 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml @@ -56,8 +56,8 @@ the <tt>[main]</tt> section:
</description> <ocil clause="GPG checking isn't enabled"> To determine whether <tt>yum</tt> is configured to use <tt>gpgcheck</tt>, -inspect <tt>/etc/yum.conf</tt> and ensure that the following appears in the -<tt>[main]</tt> section: +inspect <tt>/etc/yum.conf</tt> and <tt>/etc/yum.repos.d/(reponame).repo</tt> +to ensure that the following appears in the <tt>[main]</tt> section: <pre>gpgcheck=1</pre> A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence of a <tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is -- 1.7.11.4
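Review bot: the rewritten OCIL text still says to look for gpgcheck=1 "in the <tt>[main]</tt> section" after adding <tt>/etc/yum.repos.d/(reponame).repo</tt> to the files to inspect, but files under /etc/yum.repos.d/ contain per-repository sections (one per repo id), not a <tt>[main]</tt> section, so a reader following the text literally will find nothing to check in them. Suggest splitting the sentence: "ensure that <pre>gpgcheck=1</pre> appears in the <tt>[main]</tt> section of <tt>/etc/yum.conf</tt> and in each repository section of the files in <tt>/etc/yum.repos.d/</tt>". The <tt>(reponame).repo</tt> placeholder would also read more naturally as <tt>*.repo</tt>, and since this rule now covers the repo files it overlaps with the separate "Ensure gpgcheck Enabled For All Yum Package Repositories" rule discussed below.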
Ack to the validity of checking both /etc/yum.conf and /etc/yum.repos.d/*
In review, is there a reason why we should have both of the following rules? "Ensure gpgcheck Enabled In Main Yum Configuration" and "Ensure gpgcheck Enabled For All Yum Package Repositories"
Seems to make sense to combine the two into a single rule, likely using the <description>, <ocil> and <rationale> from "Ensure gpgcheck Enabled In Main Yum Configuration" but the <title> from "Ensure gpgcheck Enabled For All Yum Package Repositories".
Mike, could you knock that out? (Unless you or someone else sees validity in having a "check all repos" rule and then another rule checking a specific one.) Seems redundant.
Will be glad to do whatever is deemed desired; (that was there before I took the reins on it and I wondered the same thing myself)
As you noted, I added the /etc/yum.repos.d info for obvious reasons. We might wanna let the original author comment, so we can get a feel for what/why/how. Otherwise, I'll make the change if we don't meet resistance.
Keep in mind, I don't own most of this; my efforts have been in the tagging, and generation of **some** of the ocil check text. Nothing more.
Thanks,
MM
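The check the patched OCIL text describes, and that the proposed combined rule would need, is: gpgcheck=1 in the [main] section of /etc/yum.conf and in every repository section of the files under /etc/yum.repos.d/. The script below is an added example of that audit written in POSIX shell with awk; it is not part of the SSG patch or the project's own content. The function names (gpgcheck_violations, audit_gpgcheck) are hypothetical, and the yum.conf and .repo files it reads are constructed samples written to a temporary directory, not a real system's configuration.

```shell
#!/bin/sh
# Added example (not from the SSG patch): audit gpgcheck settings in a yum.conf
# [main] section and in every repository section of the *.repo files.

# Print "FILE:SECTION" for each section of FILE whose gpgcheck value is absent
# or not exactly 1. Comment lines (# or ;) are ignored. The pending section is
# reported when the next section header, or end of file, is reached.
gpgcheck_violations() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            report()
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\][[:space:]]*$/, "", sec)
            val = ""
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*$/, "", val)
        }
        function report() { if (sec != "" && val != "1") print FILENAME ":" sec }
        END { report() }
    ' "$1"
}

# Audit the main configuration and a repo directory: [main] in CONF must have
# gpgcheck=1, and so must every section of every .repo file in REPODIR.
# Offending sections are printed; exit status is 0 when compliant, 1 otherwise.
# A repo section with no gpgcheck line is flagged even though yum would fall
# back to the [main] default, because the rule asks for an explicit setting.
audit_gpgcheck() {
    conf="$1"; repodir="$2"; bad=0
    out=$(gpgcheck_violations "$conf" | grep ':main$' || true)
    [ -n "$out" ] && { echo "$out"; bad=1; }
    for f in "$repodir"/*.repo; do
        [ -f "$f" ] || continue
        out=$(gpgcheck_violations "$f")
        [ -n "$out" ] && { echo "$out"; bad=1; }
    done
    return $bad
}

# Constructed sample configuration (NOT a real system's files).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/yum.repos.d"
cat > "$SAMPLE_DIR/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum
gpgcheck=1
EOF
cat > "$SAMPLE_DIR/yum.repos.d/good.repo" <<'EOF'
[good]
name=Sample repo with signature checking
baseurl=http://example.invalid/good
gpgcheck=1
EOF
cat > "$SAMPLE_DIR/yum.repos.d/bad.repo" <<'EOF'
# sample file with two non-compliant sections
[weak]
name=gpgcheck explicitly disabled
baseurl=http://example.invalid/weak
gpgcheck=0

[missing]
name=no gpgcheck line at all
baseurl=http://example.invalid/missing
EOF

if audit_gpgcheck "$SAMPLE_DIR/yum.conf" "$SAMPLE_DIR/yum.repos.d"; then
    echo "PASS: gpgcheck=1 in [main] and in every repository section"
else
    echo "FAIL: gpgcheck is not enforced in the sections listed above"
fi
```

Run against a real host by pointing audit_gpgcheck at /etc/yum.conf and /etc/yum.repos.d; on the constructed sample it reports bad.repo:weak and bad.repo:missing and exits non-zero, while the [main] section and good.repo pass.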
On 09/30/2012 01:24 PM, Shawn Wells wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide