Will be glad to do whatever is deemed desired; (that was there before I took the reins on it and I wondered the same thing myself)
As you noted, I added the /etc/yum.repos.d info for obvious reasons. We might wanna let the original author comment, so we can get a feel for what/why/how. Otherwise, I'll make the change if we don't meet resistance.

Keep in mind, I don't own most of this; my efforts have been in the tagging, and generation of **some** of the ocil check text. Nothing more.

Thanks,
MM

On 09/30/2012 01:24 PM, Shawn Wells wrote:
> On 9/30/12 12:33 AM, Michael J. McConachie wrote:
>>
>> 0001-Test-Tags-for-input-system-software-updating.xml.patch
>>
>>
>> From ebc068bd50d3761e36ad66649e53c3dc48b29d8e Mon Sep 17 00:00:00 2001
>> From: Michael McConachie <[email protected]>
>> Date: Fri, 28 Sep 2012 22:50:52 -0400
>> Subject: [PATCH 1/6] Test Tags for input/system/software/updating.xml
>>
>> ---
>> RHEL6/input/system/software/updating.xml | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/RHEL6/input/system/software/updating.xml
>> b/RHEL6/input/system/software/updating.xml
>> index ac9e590..1cbaae2 100644
>> --- a/RHEL6/input/system/software/updating.xml
>> +++ b/RHEL6/input/system/software/updating.xml
>> @@ -56,8 +56,8 @@ the <tt>[main]</tt> section: >> </description> >> <ocil clause="GPG checking isn't enabled"> >> To determine whether <tt>yum</tt> is configured to use <tt>gpgcheck</tt>, >> -inspect <tt>/etc/yum.conf</tt> and ensure that the following appears in the >> -<tt>[main]</tt> section: >> +inspect <tt>/etc/yum.conf</tt> and <tt>/etc/yum.repos.d/(reponame).repo</tt> >> +to ensure that the following appears in the <tt>[main]</tt> section: >> <pre>gpgcheck=1</pre> >> A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence >> of a >> <tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is >> -- 1.7.11.4 > Ack to the validity of checking both /etc/yum.conf and /etc/yum.repos.d/* > > In review, is there a reason why we should have both of the following > rules? > " Ensure gpgcheck Enabled In Main Yum Configuration" and > " Ensure gpgcheck Enabled For All Yum Package Repositories" > > Seems to make sense to combine the two into a single rule, likely > using the <description>, <ocil> and <rationale> from " Ensure gpgcheck > Enabled In Main Yum Configuration" but the <title> from " Ensure > gpgcheck Enabled For All Yum Package Repositories" > > Mike, could you knock that out? (unless you or someone else see > validity in having a "check all repos" and then another rule checking > a specific one. Seems redundant. > > > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
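Review bot: the added line "+to ensure that the following appears in the <tt>[main]</tt> section:" now applies the [main] wording to /etc/yum.repos.d/(reponame).repo as well, but .repo files are organized into one section per repository rather than [main], so an auditor following the text literally would look for a section those files do not have. Suggest naming the section per file: the [main] section of /etc/yum.conf, and each repository section of the files under /etc/yum.repos.d/. It would also help to say that a gpgcheck=0 line in a repository section overrides the [main] value for that repository, since that is the case the added path is there to catch. The OCIL clause "GPG checking isn't enabled" can stay as is.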
