minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as Shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2

Changing hostname indemnification to L0 keeps DNSSEC findings #1080

Open zcrt opened 1 year ago

zcrt commented 1 year ago

Describe the bug

Changing a hostname indemnification to L0 keeps DNSSEC findings while removing DKIM, DMARC and SPF findings.

To Reproduce

Steps to reproduce the behavior:

  1. Scan hostname with no DNSSEC and no DKIM/DMARC/SPF
  2. Make sure the findings are there
  3. Change hostname indemnification to L0
  4. Notice the DKIM/DMARC/SPF findings disappear, but the DNSSEC finding stays.

Expected behavior

Removal of DNSSEC finding

OpenKAT version

1.8.0.1

noamblitz commented 1 year ago

DNSSEC findings are created by a boefje and not by a bit. Therefore this is not a bug. Since the DNSSEC boefje will not rerun when clearance is set to L0, the findings will not disappear.

zcrt commented 1 year ago

Sounds to me that the bug is then either:

noamblitz commented 1 year ago

Well, that's not really a bug imo.

Prohibiting boefjes from creating findings, in this case, can be a choice indeed. But that's really more a choice than a bug. Also, removing clearance - from now on - means that that ooi cannot be scanned anymore, removing all data gathered by boefjes about that ooi should not happen imo.

zcrt commented 1 year ago

Agreed that gathered data should not be removed. However, in my opinion it should end up as historical data. E.g. if you search for the findings at a date where the hostname still had L1 the finding should be visible. If you search in the most recent view while the hostname has L0, they should not exist however.

noamblitz commented 1 year ago

Hmm, that could be a nice feature indeed. Quite difficult to follow the trail and set all concurrent oois as historical as well, but I like the idea!

underdarknl commented 1 year ago

We could maybe offer an option to the user? When decreasing a scan level, what should we do with data created from scans using the higher, now off-limits levels? This would then also possibly be required for objects that are dependent on this object for their clearance level. Showing which objects are affected would be complex though.

noamblitz commented 1 year ago

For sure a good idea, but indeed, showing affected objects is hard