On Wed, Dec 6, 2023 at 1:19 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
>
> On Wed, Dec 06, 2023 at 11:16:44AM +0100, Ondrej Pohorelsky wrote:
> > Hi everyone,
> >
> > For F40 I would like to change file permissions of a few files that are
> > provided by cronie and crontabs and swap the deny list for an allow list. I'm not
> > really sure if I should make a change proposal. I figured I'll send an
> > email first and see the feedback.
> >
> > The driving force of this change is feedback from RHEL customers, that they
> > would like to have cronie and crontabs CIS compliant out of the box. Which
> > means changing some of the file permissions and swapping `cron.deny` for
> > `cron.allow`. As it stands now, they have to run their own scripts or a dnf
> > plugin (post-transaction-actions) to ensure that each update doesn't
> > overwrite the file permissions they manually set.
>
> This CIS compliance problem is not something that is limited to cron. Their
> list of hardening steps covers a wide variety of software. IOW, even if cron
> were changed, presumably such customers will need their own scripts /
> dnf plugin to fix all the other apps listed in the CIS compliance guide.
>
> IOW, I feel like the real question here is whether the distro *as a whole*,
> not cron, wants/needs to be CIS compliant out of the box, or whether it
> should be explicitly an admin deployment task to enable compliance via a
> plugin / script.
>
> I understand some organizations have no choice in whether or not they
> comply with the CIS guidance - it's mandated for many. At the same time
> though some of the recommendations, including those for cron, are verging
> on snakeoil / extreme paranoia, and as such are dubious to impose on
> every user of the distro by default.

I think you set the right question there. With the cybersecurity regulatory trend in the EU and US, almost all organizations need to comply with a secure configuration / hardening scheme like CIS.
The main reason is that if you want to follow any respectable security path that puts the org on the due care set, you need to ensure that your systems are configured securely, meaning no more options than necessary are enabled on the system. The CIS benchmarks provide that. Now, applying the benchmark can be pretty complex, as some of the rules CIS prohibits are required by some organizations because they run (e.g.) on a cloud that requires it, but others on a different environment do not.

The question you set is to the point and useful. Even if the default installation doesn't follow CIS closely, but provides a better balance of usability and security based on the CIS guidelines, it will add value to Fedora derivatives (both by reducing the default attack surface and by making the more advanced hardening easier).

Regards,
Nikos
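The cron hardening the thread discusses (tightened file modes, `cron.allow` replacing `cron.deny`, re-applied after every update so an upgrade cannot undo it) as an added audit-and-remediation example; this is not code from the thread, from cronie or from the CIS benchmark, and the mode values in `CRON_POLICY` are assumptions to be aligned with whichever benchmark version you are audited against.

```python
import os
import stat
from pathlib import Path

# Maximum permitted mode per cron path. Assumed values modelled on CIS-style
# guidance, not figures quoted in the thread; align with your benchmark version.
CRON_POLICY = {
    "etc/crontab": 0o600,
    "etc/cron.d": 0o700,
    "etc/cron.hourly": 0o700,
    "etc/cron.daily": 0o700,
    "etc/cron.weekly": 0o700,
    "etc/cron.monthly": 0o700,
    "etc/cron.allow": 0o600,
}


def audit_cron(root="/", expect_uid=0, expect_gid=0):
    """Return a list of findings; an empty list means the tree is compliant.
    root is a path prefix (a chroot, or a temp tree in tests); owner is root:root live."""
    base, findings = Path(root), []
    for rel, max_mode in CRON_POLICY.items():
        path = base / rel
        if not path.exists():
            findings.append(f"{rel}: missing")
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:  # any permission bit beyond the allowed set
            findings.append(f"{rel}: mode {mode:04o} exceeds {max_mode:04o}")
        if (st.st_uid, st.st_gid) != (expect_uid, expect_gid):
            findings.append(f"{rel}: owner {st.st_uid}:{st.st_gid}, expected {expect_uid}:{expect_gid}")
    # Allow-list model: cron.deny must be absent so that only cron.allow decides access.
    if (base / "etc/cron.deny").exists():
        findings.append("etc/cron.deny: present; allow-list model expects cron.allow only")
    return findings


def remediate_cron(root="/"):
    """Re-apply the policy; meant to run after every package update (e.g. from a dnf
    post-transaction-actions hook). Ownership is left to the caller (os.chown to root)."""
    base = Path(root)
    for rel, max_mode in CRON_POLICY.items():
        path = base / rel
        if rel == "etc/cron.allow" and not path.exists():
            path.write_text("root\n")  # start with root only; add users deliberately
        if path.exists():
            os.chmod(path, max_mode)
    deny = base / "etc/cron.deny"
    if deny.exists():
        deny.rename(base / "etc/cron.deny.disabled")  # keep a copy for review
```

Running `audit_cron()` alone gives the compliance check a CIS auditor would script; `remediate_cron()` is the part that currently has to live in the customers' own hooks the thread mentions.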