On Wed, 6 Dec 2023 at 06:49, Ondrej Pohorelsky <opohorel@xxxxxxxxxx> wrote:
On Wed, Dec 6, 2023 at 12:39 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:On Wed, Dec 6, 2023 at 11:17 AM Ondrej Pohorelsky <opohorel@xxxxxxxxxx> wrote:
>
> Hi everyone,
>
> For F40 I would like to change file permissions of few files that are provided by cronie and crontabs and swap deny list for allow list. I'm not really sure if I should make a change proposal. I figured I'll send an email first and see the feedback.
>
> The driving force of this change is feedback from RHEL customers, that they would like to have cronie and crontabs CIS compliant out of the box. Which means changing some of the file permissions and swapping `cron.deny` for `cron.allow`. As it stands now, they have to run their own scripts or dnf plugin (post-transaction-actions) to ensure that each update doesn't overwrite the file permissions they manually set.
Just out of curiosity - what does CIS even stand for?
The linked Red Hat docs don't expand the acronym, and googling for it
obviously yields results for something entirely differentBasically, it is a Center for Internet Security (CIS) benchmark that some companies use as a reference to limit configuration-based security vulnerabilities.I'm not really sure, but I think some governments require that their systems are compliant.
This standard is used in various Universities, local governments, hospitals, financial organizations, and can be required in some cases for PCI compliance (if your acreditor likes that kind of thing). Basically it is one of the major standards like the US DOD STIG https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide / https://ncp.nist.gov/repository
Like any standard, there are things which are good and some which are 'that is a choice you could make, but...'
--You can look at CIS wikipedia page for more info:
https://en.wikipedia.org/wiki/Center_for_Internet_Security#CIS_Controls_and_CIS_Benchmarks
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
