Actually, I was just poking through the rules around firewalld and realized that it has the same issue.

Firewalld can be controlled by polkit but there doesn't seem to be any content in the SSG to tell users how to properly restrict it and what the restrictions should be. Ideally, of course, we would want rules that restrict these settings to only authorized users, which means we need a good chunk of the SSG dedicated to polkit, javascript, and the fun therein.

Or...we could disable firewalld and NetworkManager as unnecessary services and fall back to iptables and network (which taste great and are less filling).

Thanks,

Trevor

On Mon, Sep 10, 2018 at 9:02 AM Matus Marhefka <[email protected]> wrote:
> Hello Trevor,
>
> I don't know the answers for these questions. It would be better to
> discuss with RHEL NetworkManager devels. I am adding them into the thread.
>
> Hello Thomas, Lubomir, can you help us on this topic? There are some
> questions which we (Security Compliance team) are unable to answer and we
> need your help:
>
> 1. Is NetworkManager meant to be a required service in RHEL 7?
> 2. What is the proper mechanism for restricting DBus access to
> NetworkManager to only allowed users (i.e. no GUI utilities, etc...)? Do
> you have any pointers (manuals/blogs/...)?
>
> Thanks,
> Matus Marhefka
>
>
> On Sun, Sep 9, 2018 at 6:57 PM, Trevor Vaughan <[email protected]>
> wrote:
>
>> Oh, this is also related to the 'hidepid' discussion. If NetworkManager
>> is going to be a blocker on hidepid, then it needs to be fully locked down
>> and I can't find good guidance on doing that.
>>
>> On Sun, Sep 9, 2018 at 12:56 PM Trevor Vaughan <[email protected]>
>> wrote:
>>
>>> Everyone I know hates that on servers.
>>>
>>> Apparently firewalld tries to use it and it's mentioned in the SSG
>>> explicitly.
>>>
>>> Since it's mentioned, there needs to be surrounding guidance on how to
>>> make it not be so "user friendly".
>>>
>>> If it's not needed, it should fall under "run no unnecessary services"
>>> and be slated to be killed explicitly since it does try to give people the
>>> ability to do things in the network stack by default (which they should not
>>> have).
>>>
>>> Thanks,
>>>
>>> Trevor
>>>
>>> On Sat, Sep 8, 2018 at 12:38 PM Matthew <[email protected]> wrote:
>>>
>>>> Why is NetworkManager required? I hate that on servers.
>>>>
>>>> On Fri, Sep 7, 2018, 5:42 PM Trevor Vaughan <[email protected]>
>>>> wrote:
>>>>
>>>>> As I was digging around some of the content, I realized that I had a
>>>>> question that I never managed to get answered.
>>>>>
>>>>> Namely, is NetworkManager now a required service?
>>>>>
>>>>> If so, what is the proper mechanism for restricting DBus access to
>>>>> NetworkManager to only allowed users (i.e. no GUI utilities, etc...).
>>>>>
>>>>> I feel like this should be codified somewhere in the SSG content.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Trevor
>>>>>
>>>>> --
>>>>> Trevor Vaughan
>>>>> Vice President, Onyx Point, Inc
>>>>> (410) 541-6699 x788
>>>>>
>>>>> -- This account not approved for unencrypted proprietary information --
>>>>> _______________________________________________
>>>>> scap-security-guide mailing list --
>>>>> [email protected]
>>>>> To unsubscribe send an email to
>>>>> [email protected]
>>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>>> List Guidelines:
>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>>>
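The polkit rule the thread is asking for, as an added example that is not part of the thread or of the SSG: a rules file that denies every NetworkManager and firewalld D-Bus action to users outside an administrative group, leaving only firewalld's read-only queries at their shipped defaults. The rule between the "Begin rule file" and "End rule file" comments is what would go into /etc/polkit-1/rules.d/; the surrounding `polkit` object is a stand-in for the global that polkitd provides, added only so the rule can be run and checked under Node. Assumptions: the group name `wheel`, the file name `40-network-admin.rules`, the harness's `evaluate`/`makeSubject`/`decide` helpers, and the `Result` string values, which are assumed to match polkit's own init.js.

```javascript
// Test harness: a minimal stand-in for the "polkit" global that polkitd
// provides to rules files. It exists only so this example runs under Node;
// the rule further down is the only part that belongs on a real host.
var polkit = {
  // Result values assumed to match polkit's own init.js (NOT_HANDLED is null).
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null
  },
  _rules: [],
  _log: [],
  addRule: function (fn) { this._rules.push(fn); },
  log: function (msg) { this._log.push(msg); },
  // polkitd consults rule functions in order; the first one returning
  // anything other than NOT_HANDLED/undefined decides. NOT_HANDLED from
  // every rule means "fall back to the defaults in the action's .policy".
  evaluate: function (action, subject) {
    for (var i = 0; i < this._rules.length; i++) {
      var r = this._rules[i](action, subject);
      if (r !== undefined && r !== this.Result.NOT_HANDLED) return r;
    }
    return this.Result.NOT_HANDLED;
  }
};

// --- Begin rule file (assumed path: /etc/polkit-1/rules.d/40-network-admin.rules) ---
// Group name is an assumption; substitute the site's network-admin group.
var NETWORK_ADMIN_GROUP = "wheel";

// D-Bus action namespaces owned by NetworkManager and firewalld.
var RESTRICTED_PREFIXES = [
  "org.freedesktop.NetworkManager.",
  "org.fedoraproject.FirewallD1."
];

// Read-only firewalld queries left at their .policy defaults so that
// monitoring can still run "firewall-cmd --state" and friends.
var READ_ONLY_ACTIONS = [
  "org.fedoraproject.FirewallD1.info",
  "org.fedoraproject.FirewallD1.config.info",
  "org.fedoraproject.FirewallD1.direct.info"
];

function hasPrefix(id, prefixes) {
  // indexOf rather than startsWith: older polkit builds embed a JS engine
  // without ES2015 string methods.
  for (var i = 0; i < prefixes.length; i++) {
    if (id.indexOf(prefixes[i]) === 0) return true;
  }
  return false;
}

polkit.addRule(function (action, subject) {
  if (!hasPrefix(action.id, RESTRICTED_PREFIXES)) {
    return polkit.Result.NOT_HANDLED; // not ours; other rules/defaults decide
  }
  if (READ_ONLY_ACTIONS.indexOf(action.id) !== -1) {
    return polkit.Result.NOT_HANDLED;
  }
  if (subject.isInGroup(NETWORK_ADMIN_GROUP)) {
    // Authorized users still authenticate as an administrator; the _KEEP
    // variant caches that authentication for a few minutes.
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
  // Everyone else, including the "active local" desktop sessions the shipped
  // .policy files would otherwise wave through, is denied outright.
  polkit.log("denied " + action.id + " for user " + subject.user);
  return polkit.Result.NO;
});
// --- End rule file ---

// Constructed subjects for the harness; real polkitd builds these from the
// D-Bus caller's credentials.
function makeSubject(user, groups) {
  return {
    user: user,
    groups: groups,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

// Convenience wrapper: decide one action id for one subject.
function decide(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}
```

Two checks worth running on a host after dropping the rule in: `pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system` shows the implicit active/inactive/any defaults the rule is overriding, and `pkcheck --action-id org.fedoraproject.FirewallD1.config --process $$` from an unprivileged shell should now report "Not authorized". Rules files are read in lexicographic order and the first rule that returns a real result wins, so a file sorting before `40-` that returns YES for these actions would pre-empt this one.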
