Hello Gabe!

Thanks for your information, this entirely addresses my concern.
Note: I was looking at one of the OL7 errata versions and missed that starting from v0.1.45 we have SSSD CPE supported.

Regards,
Ilya.

On 11/14/2019 12:30 PM, Gabe Alford wrote:
> On Thu, Nov 14, 2019 at 12:12 PM Ilya Okomin <ilya.oko...@oracle.com> wrote:
>
> > Hello experts!
> >
> > I've noticed SSSD configuration rules implemented without verification
> > if SSSD package/service installed/enabled. To be added, remediation part
> > doesn't install sssd in case it is missing on the system, thus fix
> > doesn't work for systems with no sssd on board.
> > Rules:
> > - sssd_enable_pam_services
> > - sssd_ldap_configure_tls_ca_dir
> > - sssd_ldap_start_tls
> >
> > So I have a couple of questions for clarification on the above:
> > Shouldn't SSSD presence test criteria be added for mentioned rules and
> > just mark them as passed if no SSSD observed?
>
> I believe the CPE check for sssd handles this. If SSSD is not
> installed, it is `not applicable`. Otherwise, it is pass/fail.
>
> > With regard to STIG profile, should service_sssd_enabled rule be added
> > as a requirement?
>
> A rule could be added for sure if desired. However,
> `service_sssd_enabled` or `package_sssd_installed` shouldn't really be
> a requirement.
>
> > Regards,
> > Ilya.
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org