On Wed, 6 Dec 2023 at 11:17, Ondrej Pohorelsky <opoho...@redhat.com> wrote:

> Hi everyone,
>
> For F40 I would like to change file permissions of a few files that are
> provided by cronie and crontabs and swap deny list for allow list. I'm not
> really sure if I should make a change proposal. I figured I'll send an
> email first and see the feedback.
>
> The driving force of this change is feedback from RHEL customers, that
> they would like to have cronie and crontabs CIS compliant out of the box.
> Which means changing some of the file permissions and swapping `cron.deny`
> for `cron.allow`. As it stands now, they have to run their own scripts or a
> dnf plugin (post-transaction-actions) to ensure that each update doesn't
> overwrite the file permissions they manually set.
>
> I would like these changes for F40, as this is going to be a branching
> point for the next RHEL and I would like to go with an upstream-first approach.
>
> *cronie* changes:
> `cron.allow` replaces `cron.deny`  (file permission 600)
> `cron.d` permission change (755 → 700)
> `cron.hourly` permission change (755 → 700)
>
> *crontabs* changes:
> `crontab` permission change (644 → 600)
> `cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)
>
> Reference for these changes:
> static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis.html
>
> PR:
> https://src.fedoraproject.org/rpms/cronie/pull-request/12
> https://src.fedoraproject.org/rpms/crontabs/pull-request/6
>
> Let me know what you think.
> Cheers,
> --
>
Hi there,

what is the impact of these changes:
- Do default installs work the same way as before?
- Do existing setups (crontabs) keep working?

If yes then I'd consider the permission changes to be fixes, or at least
standard packaging changes.

What is the policy for existing cron.allow/cron.deny, i.e. what would
`rpmconf -a` tell me?

Cheers
Michael
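
An added example, not part of the thread and not code from the cronie or crontabs packages: a shell function that checks the modes listed in the proposal above, so drift after a package update can be detected. The `/etc` location of the files and the name `audit_cron_perms` are assumptions.

```shell
#!/bin/sh
# Expected modes, taken from the proposal quoted above.
# Assumption: the files live directly under /etc (pass another root
# directory to audit a chroot or an unpacked image).
CRON_EXPECTED='cron.allow 600
cron.d 700
cron.hourly 700
cron.daily 700
cron.weekly 700
cron.monthly 700
crontab 600'

# audit_cron_perms [ETC_DIR]
# Prints one line per finding and returns the number of findings
# (0 means every listed path exists with the expected mode).
audit_cron_perms() {
    etc=${1:-/etc}
    findings=0
    while read -r name want; do
        path="$etc/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path (expected mode $want)"
            findings=$((findings + 1))
            continue
        fi
        have=$(stat -c '%a' "$path")   # GNU stat: octal mode, e.g. 700
        if [ "$have" != "$want" ]; then
            echo "MODE     $path is $have, expected $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$CRON_EXPECTED
EOF
    # The proposal swaps the deny list for an allow list, so a leftover
    # cron.deny is reported too.
    if [ -e "$etc/cron.deny" ]; then
        echo "LEFTOVER $etc/cron.deny still present"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Calling `audit_cron_perms /etc` after a `dnf` transaction shows whether the package reset any of the modes.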