adding SSG list.
Dne 01. 11. 19 v 11:30 Vojtech Polasek napsal(a):
Hello all,
I am fixing the following bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1729222
Brief summary: as part of several profiles, in this case NCP profile
in rhel7, we are removing the telnet package containing the Telnet
client.
But this removal of telnet package causes removal of the
fence-agents-all package and this causes removal of VDSM.
So if an user wants to be compliant with NCP, they can't use VDSM nor
some fence agents at the same time.
I proposed a PR which removes the "package_telnet_removed" rule from
rhel7, rhel8 and rhv4 profiles.
https://github.com/ComplianceAsCode/content/pull/4958
I understand that Telnet server introduces a security risk because it
uses unencrypted traffic, it is a common port attackers scan for etc.
We are removing the telnet-server package and also making sure that
the telnet service is disabled in two other separate rules.
But do we really need to explicitly remove also the Telnet client?
Especially if it prevents features like VDSM from working? I
understand that it uses unencrypted traffic as well, but is it such a
high security risk?
Steve, anyone else, could you give an opinion on this please?
Thank you,
Vojta
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
