Re: Change of cronie and crontabs CIS compliance

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Wed, 6 Dec 2023 at 06:49, Ondrej Pohorelsky <opohorel@xxxxxxxxxx> wrote:


On Wed, Dec 6, 2023 at 12:39 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
On Wed, Dec 6, 2023 at 11:17 AM Ondrej Pohorelsky <opohorel@xxxxxxxxxx> wrote:
>
> Hi everyone,
>
> For F40 I would like to change file permissions of few files that are provided by cronie and crontabs and swap deny list for allow list. I'm not really sure if I should make a change proposal. I figured I'll send an email first and see the feedback.
>
> The driving force of this change is feedback from RHEL customers, that they would like to have cronie and crontabs CIS compliant out of the box. Which means changing some of the file permissions and swapping `cron.deny` for `cron.allow`. As it stands now, they have to run their own scripts or dnf plugin (post-transaction-actions) to ensure that each update doesn't overwrite the file permissions they manually set.

Just out of curiosity - what does CIS even stand for?
The linked Red Hat docs don't expand the acronym, and googling for it
obviously yields results for something entirely different

Basically, it is a Center for Internet Security (CIS) benchmark that some companies use as a reference to limit configuration-based security vulnerabilities.
I'm not really sure, but I think some governments require that their systems are compliant.



This standard is used in various Universities, local governments, hospitals, financial organizations, and can be required in some cases for PCI compliance (if your acreditor likes that kind of thing). Basically it is one of the major standards like the US DOD STIG https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide  / https://ncp.nist.gov/repository

Like any standard, there are things which are good and some which are 'that is a choice you could make, but...' 

 

--

Ondřej Pohořelský

Software Engineer

Red Hat

opohorel@xxxxxxxxxx   

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux