NACK, though it is an improvement over what is there, so we could consider adding it as a stopgap, should there be commitment with a timeline to truly fixing it. The remediations can't be allowed until the OVAL works, however.
The problem is that this does not semantically agree with what the XCCDF says. David had even once proposed changing the XCCDF to agree with this approach, as shown here (and it's my bad for not responding earlier): https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002685.html ... but Leland (in conversation) pointed out that it should be possible for OVAL to determine what files are actually written by rsyslog (by looking in rsyslog.conf) and then perform the actual checks on those files. That approach requires more complicated OVAL, though it is more desirable overall. I might consider asking Petr or Simon or Steve for OVAL help here. I still find much of the OVAL documentation incomprehensible.

Relatedly, an automated check for ensuring that log files exist (Rule id=rsyslog_logfiles_exist) would be particularly nice, since IIRC the behavior of syslog (possibly also rsyslog) is to not automatically create new log files (if they are deleted at some point). And that'll be easy once we figure out how to turn regex results from rsyslog.conf into filesystem queries (necessary for correct implementation of these checks too).

On 04/14/2013 04:04 AM, Shawn Wells wrote:
>

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
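The two-step check the thread describes (derive the set of files rsyslog actually writes from rsyslog.conf, then run the existence and permission test against exactly those files) is easier to reason about in a language one can run interactively than in OVAL. The following is an added example written for this page; it is not SCAP Security Guide code and not an OVAL definition. It assumes classic rsyslog selector syntax plus the rainerscript `action(type="omfile" file=...)` form, a hypothetical 0640 mode ceiling for log files, and a constructed sample configuration; the function and variable names are the example's own.

```python
"""Derive rsyslog's log file targets from its config, then check them on disk.

Added example (not SSG project code): a Python stand-in for the OVAL approach
discussed on the list -- read rsyslog.conf, turn the matched paths into
filesystem queries -- so the regex and the per-file check can be tried out.
"""
import glob
import os
import re
import stat

# Classic syntax: "<selector>  [-]/absolute/path".  A leading "-" on the path
# means "don't fsync after each write".  Selectors starting with "#" (comment)
# or "$" (legacy directive) are excluded; "&" continuation lines are allowed.
_ACTION_RE = re.compile(r"^\s*(?P<sel>[^\s#$]\S*)\s+-?(?P<path>/\S+)\s*$")
# Legacy include directive; the pattern is a shell glob of further config files.
_INCLUDE_RE = re.compile(r"^\s*\$IncludeConfig\s+(?P<pat>\S+)")
# Rainerscript form: action(type="omfile" file="/var/log/x").
_OMFILE_RE = re.compile(r'type="omfile".*?\bfile="(?P<path>/[^"]+)"')

# Constructed sample, not taken from any real host.
SAMPLE_CONF = """\
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
*.emerg                                     :omusrmsg:*
local7.*                                    @@loghost.example.com:514
& ~
action(type="omfile" file="/var/log/rainer.log")
"""


def _read_includes(pattern):
    """Default include resolver: read every regular file matching the glob."""
    texts = []
    for p in sorted(glob.glob(pattern)):
        if os.path.isfile(p):
            with open(p) as fh:
                texts.append(fh.read())
    return texts


def logfile_targets(conf_text, include_resolver=None):
    """Return the set of absolute file paths rsyslog is configured to write.

    Remote destinations (@host), user messages (:omusrmsg:) and the discard
    action (~) are not files and are left out.  include_resolver maps an
    $IncludeConfig glob to a list of config texts; None means "don't follow".
    """
    targets = set()
    for line in conf_text.splitlines():
        inc = _INCLUDE_RE.match(line)
        if inc:
            if include_resolver is not None:
                for sub in include_resolver(inc.group("pat")):
                    targets |= logfile_targets(sub, include_resolver)
            continue
        m = _ACTION_RE.match(line) or _OMFILE_RE.search(line)
        if m:
            targets.add(m.group("path"))
    return targets


def check_logfiles(paths, max_mode=0o640):
    """Map each path to 'ok', 'missing', 'not-a-regular-file' or 'mode:NNN'.

    max_mode is the assumed policy ceiling: any permission bit set beyond it
    (e.g. world-readable 0644) is reported.  Symlinks are followed, so the
    check applies to the file rsyslog would actually write into.
    """
    results = {}
    for p in sorted(paths):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            results[p] = "missing"
            continue
        if not stat.S_ISREG(st.st_mode):
            results[p] = "not-a-regular-file"
            continue
        mode = stat.S_IMODE(st.st_mode)
        results[p] = "ok" if not (mode & ~max_mode) else "mode:%o" % mode
    return results


if __name__ == "__main__":
    conf = "/etc/rsyslog.conf"
    text = open(conf).read() if os.path.isfile(conf) else SAMPLE_CONF
    for path, status in check_logfiles(logfile_targets(text, _read_includes)).items():
        print("%-40s %s" % (path, status))
```

Run as a script it reads the live /etc/rsyslog.conf (falling back to the constructed sample) and prints one status per target; a "missing" entry is exactly the condition the proposed rsyslog_logfiles_exist rule is meant to catch, since a deleted log file is not recreated until the daemon is restarted. The same two-stage structure is what an OVAL textfilecontent object feeding a file object through a variable would express.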
