Change of cronie and crontabs CIS compliance

Hi everyone,

For F40 I would like to change the file permissions of a few files that are provided by cronie and crontabs and swap the deny list for an allow list. I'm not really sure if I should make a change proposal. I figured I'll send an email first and see the feedback.

The driving force of this change is feedback from RHEL customers that they would like to have cronie and crontabs CIS compliant out of the box, which means changing some of the file permissions and swapping `cron.deny` for `cron.allow`. As it stands now, they have to run their own scripts or a dnf plugin (post-transaction-actions) to ensure that each update doesn't overwrite the file permissions they manually set.

I would like these changes for F40, as this is going to be a branching point for the next RHEL and I would like to go with an upstream-first approach.

cronie changes:
`cron.allow` replaces `cron.deny` (file permission 600)
`cron.d` permission change (755 → 700)
`cron.hourly` permission change (755 → 700)

crontabs changes:
`crontab` permission change (644 → 600)
`cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)

Reference for these changes:
static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis.html

PR:
https://src.fedoraproject.org/rpms/cronie/pull-request/12
https://src.fedoraproject.org/rpms/crontabs/pull-request/6

Let me know what you think.
Cheers,
--

Ondřej Pohořelský

Software Engineer

Red Hat

opohorel@xxxxxxxxxx   
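
Added example, not part of the original message and not code from cronie, crontabs or the linked PRs: a POSIX shell audit that compares the cron paths with the modes listed in the message and flags a leftover `cron.deny`. The `/etc` locations, the optional root-prefix argument and GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: audit cron files against the modes in the proposal.
# Assumes the usual /etc locations and GNU coreutils `stat -c`.

# check_mode PATH MAX: fail if PATH is missing or has any permission
# bit set that MAX (octal) does not allow. Stricter modes pass.
check_mode() {
    path=$1
    max=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path (want $max)"
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    extra=$(( 0$mode & ~0$max & 07777 ))   # bits beyond the target
    if [ "$extra" -ne 0 ]; then
        echo "TOO OPEN $path is $mode (want $max or stricter)"
        return 1
    fi
    return 0
}

# audit_cron_perms [ROOT]: ROOT is an optional prefix (hypothetical
# parameter) for auditing a test tree or mounted image instead of /.
# Leaves the number of findings in $fails; returns 0 only when clean.
audit_cron_perms() {
    root=${1:-}
    fails=0
    check_mode "$root/etc/cron.allow" 600 || fails=$((fails + 1))
    check_mode "$root/etc/crontab" 600 || fails=$((fails + 1))
    for d in cron.d cron.hourly cron.daily cron.weekly cron.monthly; do
        check_mode "$root/etc/$d" 700 || fails=$((fails + 1))
    done
    # The proposal swaps the deny list for an allow list.
    if [ -e "$root/etc/cron.deny" ]; then
        echo "PRESENT  $root/etc/cron.deny (replaced by cron.allow)"
        fails=$((fails + 1))
    fi
    echo "$fails finding(s)"
    [ "$fails" -eq 0 ]
}
```

Calling `audit_cron_perms` with no argument audits the running system, for example after a package update, to see whether any manually set mode was reset.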
