Hello Trevor, I don't know the answers for these questions. It would be better to discuss with RHEL NetworkManager devels. I am adding them into the thread.
Hello Thomas, Lubomir, can you help us on this topic? There are some questions which we (Security Compliance team) are unable to answer and we need your help:

1. Is NetworkManager meant to be a required service in RHEL 7?
2. What is the proper mechanism for restricting DBus access to NetworkManager to only allowed users (i.e. no GUI utilities, etc...)? Do you have any pointers (manuals/blogs/...)?

Thanks,
Matus Marhefka

On Sun, Sep 9, 2018 at 6:57 PM, Trevor Vaughan <[email protected]> wrote:

> Oh, this is also related to the 'hidepid' discussion. If NetworkManager is
> going to be a blocker on hidepid, then it needs to be fully locked down and
> I can't find good guidance on doing that.
>
> On Sun, Sep 9, 2018 at 12:56 PM Trevor Vaughan <[email protected]>
> wrote:
>
>> Everyone I know hates that on servers.
>>
>> Apparently firewalld tries to use it and it's mentioned in the SSG
>> explicitly.
>>
>> Since it's mentioned, there needs to be surrounding guidance on how to
>> make it not be so "user friendly".
>>
>> If it's not needed, it should fall under "run no unnecessary services"
>> and be slated to be killed explicitly since it does try to give people the
>> ability to do things in the network stack by default (which they should not
>> have).
>>
>> Thanks,
>>
>> Trevor
>>
>> On Sat, Sep 8, 2018 at 12:38 PM Matthew <[email protected]> wrote:
>>
>>> Why is NetworkManager required? I hate that on servers.
>>>
>>> On Fri, Sep 7, 2018, 5:42 PM Trevor Vaughan <[email protected]>
>>> wrote:
>>>
>>>> As I was digging around some of the content, I realized that I had a
>>>> question that I never managed to get answered.
>>>>
>>>> Namely, is NetworkManager now a required service?
>>>>
>>>> If so, what is the proper mechanism for restricting DBus access to
>>>> NetworkManager to only allowed users (i.e. no GUI utilities, etc...).
>>>>
>>>> I feel like this should be codified somewhere in the SSG content.
>>>>
>>>> Thanks,
>>>>
>>>> Trevor
>>>>
>>>> --
>>>> Trevor Vaughan
>>>> Vice President, Onyx Point, Inc
>>>> (410) 541-6699 x788
>>>>
>>>> -- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
