On Fri, Nov 1, 2019 at 10:46 AM Trevor Vaughan <[email protected]>
wrote:

> I don't see a reason to remove the rule in general but:
>
> 1) Having the telnet *client* present isn't really a big deal if you have
> pretty much any scripting language, or modern SSH that allows the NULL
> cipher
>

IIRC as of one of the OpenSSH 7.6 releases, a cipher of `none` is no longer
allowed.


> 2) All rules are 'unless you need them' at which point you can tailor them
> out of your profile. You won't pass the default tests but the default tests
> are just that, defaults.
>

This is for a layered product anyway which is starting to go through the
security evaluation process, and tickets haven't been filed yet for them to
remove their dependency on telnet.


>
> Trevor
>
> On Fri, Nov 1, 2019 at 12:21 PM Vojtech Polasek <[email protected]>
> wrote:
>
>> adding SSG list.
>>
>>
>> Dne 01. 11. 19 v 11:30 Vojtech Polasek napsal(a):
>> > Hello all,
>> >
>> > I am fixing the following bugzilla:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1729222
>> >
>> > Brief summary: as part of several profiles, in this case NCP profile
>> > in rhel7, we are removing the telnet package containing the Telnet
>> > client.
>> >
>> > But this removal of telnet package causes removal of the
>> > fence-agents-all package and this causes removal of VDSM.
>> >
>> > So if a user wants to be compliant with NCP, they can't use VDSM nor
>> > some fence agents at the same time.
>> >
>> > I proposed a PR which removes the "package_telnet_removed" rule from
>> > rhel7, rhel8 and rhv4 profiles.
>> >
>> > https://github.com/ComplianceAsCode/content/pull/4958
>> >
>> > I understand that Telnet server introduces a security risk because it
>> > uses unencrypted traffic, it is a common port attackers scan for etc.
>> > We are removing the telnet-server package and also making sure that
>> > the telnet service is disabled in two other separate rules.
>> >
>> > But do we really need to explicitly remove also the Telnet client?
>> > Especially if it prevents features like VDSM from working? I
>> > understand that it uses unencrypted traffic as well, but is it such a
>> > high security risk?
>> >
>> > Steve, anyone else, could you give an opinion on this please?
>> >
>> > Thank you,
>> >
>> > Vojta
>> >
>> >
>> >
>> >
>> _______________________________________________
>> scap-security-guide mailing list --
>> [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
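The point made in the reply above, that the telnet *client* binary adds little because any scripting language can speak the same plaintext protocol, worked as an added example. This is not code from the thread, from ComplianceAsCode or from VDSM; it is a stand-alone telnet-protocol client using only the Python standard library, talking to a constructed stand-in server on the loopback interface. The banner text, the option numbers chosen for the demo and the `demo()` helper are assumptions made for illustration.

```python
"""Minimal telnet client without the `telnet` package (added example).

The client refuses every option the server proposes, so the session stays
in the basic NVT state; all it does is strip RFC 854 command sequences
and return the plaintext banner. A constructed fake telnetd is included so
the script runs offline.
"""
import socket
import threading

# Telnet command bytes (RFC 854) and two option numbers (RFC 857, RFC 1091)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO, OPT_TTYPE = 1, 24


def parse_telnet(data: bytes) -> tuple:
    """Return (application bytes, replies to send, unparsed tail).

    DO -> WONT and WILL -> DONT, so no option is ever enabled. SB...SE
    blocks are skipped, IAC IAC is an escaped 0xFF, and a command that is
    cut off at the end of the buffer is returned as the tail so the caller
    can prepend it to the next chunk.
    """
    clean, reply, i, n = bytearray(), bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            clean.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break  # lone IAC at end of buffer
        cmd = data[i + 1]
        if cmd == IAC:
            clean.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break  # option byte missing
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3  # DONT/WONT from the peer need no answer
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break  # subnegotiation not complete yet
            i = end + 2
        else:
            i += 2  # NOP, AYT, GA and other two-byte commands: ignore
    return bytes(clean), bytes(reply), bytes(data[i:])


def telnet_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect, decline all negotiation, and return what the server printed."""
    banner, tail = bytearray(), b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            text, reply, tail = parse_telnet(tail + chunk)
            if reply:
                s.sendall(reply)
            banner += text
    return bytes(banner)


def _fake_telnetd(ready: threading.Event, result: dict) -> None:
    """Constructed stand-in server: negotiates two options, prints a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(bytes([IAC, WILL, OPT_ECHO, IAC, DO, OPT_TTYPE]))
        conn.sendall(b"Constructed demo telnetd\r\nlogin: ")
        conn.settimeout(2.0)
        got = b""
        try:
            while len(got) < 6:  # expect IAC DONT ECHO, IAC WONT TTYPE
                part = conn.recv(64)
                if not part:
                    break
                got += part
        except socket.timeout:
            pass
        result["client_replies"] = got
    srv.close()


def demo() -> dict:
    """Run the fake server in a thread and fetch its banner with the client."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=_fake_telnetd, args=(ready, result), daemon=True)
    t.start()
    ready.wait(2.0)
    result["banner"] = telnet_banner("127.0.0.1", result["port"])
    t.join(3.0)
    return result


if __name__ == "__main__":
    print(demo())
```

Refusing every option is the right default for a scripted probe: it keeps the client from agreeing to echo, terminal-type or environment-variable negotiation that a hostile server could use to fingerprint or influence the session, which is about as much protocol as a banner grab or a fence-agent style command needs.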