[Open-scap] removing telnet client breaks fence agents

2019-11-01 Thread Vojtech Polasek

Hello all,

I am fixing the following bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1729222

Brief summary: as part of several profiles, in this case NCP profile in 
rhel7, we are removing the telnet package containing the Telnet client.


But this removal of telnet package causes removal of the 
fence-agents-all package and this causes removal of VDSM.


So if a user wants to be compliant with NCP, they can't use VDSM nor 
some fence agents at the same time.


I proposed a PR which removes the "package_telnet_removed" rule from 
rhel7, rhel8 and rhv4 profiles.


https://github.com/ComplianceAsCode/content/pull/4958

I understand that Telnet server introduces a security risk because it 
uses unencrypted traffic, it is a common port attackers scan for etc. We 
are removing the telnet-server package and also making sure that the 
telnet service is disabled in two other separate rules.


But do we really need to explicitly remove also the Telnet client? 
Especially if it prevents features like VDSM from working? I understand 
that it uses unencrypted traffic as well, but is it such a high security 
risk?


Steve, anyone else, could you give an opinion on this please?

Thank you,

Vojta




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
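The chain described above (removing telnet pulls out fence-agents-all, which pulls out VDSM) is the kind of side effect a "package removed" rule should be checked for before it ships in a profile. The following script is an added example, not code from the thread or from ComplianceAsCode: it walks the installed reverse-dependency graph to list everything a package removal would take with it. The rpm-backed lookup assumes an RPM-based host; the constructed graph mirrors the three-package chain reported in the bugzilla and is used when the script is exercised offline.

```python
"""Estimate which installed packages would be removed along with a package
that a hardening rule drops (e.g. the telnet client).

Added example; the constructed graph below is built from the chain the
thread describes (telnet -> fence-agents-all -> vdsm).
"""
import subprocess
import sys
from collections import deque


def removal_closure(pkg, reverse_deps):
    """Return every installed package that depends, directly or
    transitively, on pkg, in breadth-first order.

    reverse_deps(name) -> iterable of package names that require name.
    The visited set makes dependency cycles terminate.
    """
    removed = []
    seen = {pkg}
    queue = deque([pkg])
    while queue:
        current = queue.popleft()
        for dependant in sorted(reverse_deps(current)):
            if dependant not in seen:
                seen.add(dependant)
                removed.append(dependant)
                queue.append(dependant)
    return removed


def rpm_reverse_deps(pkg):
    """Live lookup on an RPM host: installed packages whose Requires are
    satisfied by the capability named pkg (a package name is always one of
    its own provides; file and virtual provides are not covered here)."""
    result = subprocess.run(
        ["rpm", "-q", "--whatrequires", "--queryformat", "%{NAME}\n", pkg],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:  # rpm exits 1 when nothing requires pkg
        return []
    return [line for line in result.stdout.splitlines() if line]


# Constructed graph (assumption for illustration, not queried from a host).
CONSTRUCTED_REVERSE_DEPS = {
    "telnet": ["fence-agents-all"],
    "fence-agents-all": ["vdsm"],
    "vdsm": [],
}


def constructed_reverse_deps(pkg):
    return CONSTRUCTED_REVERSE_DEPS.get(pkg, [])


def report(pkg, reverse_deps=rpm_reverse_deps):
    """One-line summary of the removal impact for pkg."""
    pulled = removal_closure(pkg, reverse_deps)
    if not pulled:
        return f"removing {pkg} affects no other installed package"
    return f"removing {pkg} would also remove: {', '.join(pulled)}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "telnet"
    # Pass --demo to use the constructed graph instead of querying rpm.
    lookup = constructed_reverse_deps if "--demo" in sys.argv else rpm_reverse_deps
    print(report(target, lookup))
```

Running it as `python3 removal_impact.py telnet` on the affected host reproduces the chain from the bugzilla; the same walk applied to every package named by a `package_*_removed` rule gives a quick regression check when profiles change.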



Re: [Open-scap] removing telnet client breaks fence agents

2019-11-01 Thread Vojtech Polasek

adding SSG list.


On 01. 11. 19 at 11:30 Vojtech Polasek wrote:

> Hello all,
>
> I am fixing the following bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1729222
>
> Brief summary: as part of several profiles, in this case NCP profile
> in rhel7, we are removing the telnet package containing the Telnet
> client.
>
> But this removal of telnet package causes removal of the
> fence-agents-all package and this causes removal of VDSM.
>
> So if a user wants to be compliant with NCP, they can't use VDSM nor
> some fence agents at the same time.
>
> I proposed a PR which removes the "package_telnet_removed" rule from
> rhel7, rhel8 and rhv4 profiles.
>
> https://github.com/ComplianceAsCode/content/pull/4958
>
> I understand that Telnet server introduces a security risk because it
> uses unencrypted traffic, it is a common port attackers scan for etc.
> We are removing the telnet-server package and also making sure that
> the telnet service is disabled in two other separate rules.
>
> But do we really need to explicitly remove also the Telnet client?
> Especially if it prevents features like VDSM from working? I
> understand that it uses unencrypted traffic as well, but is it such a
> high security risk?
>
> Steve, anyone else, could you give an opinion on this please?
>
> Thank you,
>
> Vojta









Re: [Open-scap] removing telnet client breaks fence agents

2019-11-01 Thread Trevor Vaughan
I don't see a reason to remove the rule in general but:

1) Having the telnet *client* present isn't really a big deal if you have
pretty much any scripting language, or modern SSH that allows the NULL
cipher
2) All rules are 'unless you need them' at which point you can tailor them
out of your profile. You won't pass the default tests but the default tests
are just that, defaults.

Trevor



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
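Trevor's second point is the supported way to keep a rule the site cannot apply out of its scan without editing the benchmark: an XCCDF tailoring file that extends the profile and deselects the rule. The script below is an added example, not the thread's or ComplianceAsCode's code; it generates such a tailoring with the standard library. The benchmark path, the NCP profile id `xccdf_org.ssgproject.content_profile_ncp`, and the `org.example` identifiers are assumptions; the rule id follows the `xccdf_org.ssgproject.content_rule_<name>` form SSG uses for `package_telnet_removed`.

```python
"""Build an XCCDF 1.2 tailoring that keeps a profile but deselects chosen
rules, e.g. package_telnet_removed for hosts that run fence agents/VDSM.

Added example; the identifiers and paths below are assumed values.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# Assumed values (adjust to the benchmark and organisation in use).
BENCHMARK_HREF = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_ncp"
TAILORING_ID = "xccdf_org.example_tailoring_ncp-keep-telnet-client"
NEW_PROFILE_ID = "xccdf_org.example_profile_ncp_keep_telnet_client"
TELNET_RULE = "xccdf_org.ssgproject.content_rule_package_telnet_removed"


def q(tag):
    """Namespace-qualify an XCCDF tag for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def build_tailoring(benchmark_href, base_profile, new_profile_id, title,
                    deselect, tailoring_id, version_time="2019-11-01T00:00:00"):
    """Return the root element of a tailoring whose single profile extends
    base_profile and marks every rule id in deselect as selected="false"."""
    tailoring = ET.Element(q("Tailoring"), id=tailoring_id)
    ET.SubElement(tailoring, q("benchmark"), href=benchmark_href)
    version = ET.SubElement(tailoring, q("version"), time=version_time)
    version.text = "1"
    profile = ET.SubElement(tailoring, q("Profile"), id=new_profile_id,
                            extends=base_profile)
    ET.SubElement(profile, q("title")).text = title
    for rule_id in deselect:
        # select/@selected=false overrides the inherited selection.
        ET.SubElement(profile, q("select"), idref=rule_id, selected="false")
    return tailoring


def to_xml(tailoring):
    """Serialise with an XML declaration, as oscap expects on disk."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(
        tailoring, encoding="unicode")


def parse_tailoring(xml_text):
    return ET.fromstring(xml_text)


def deselected_rules(tailoring):
    """Rule ids the tailoring turns off, in document order."""
    return [s.get("idref") for s in tailoring.iter(q("select"))
            if s.get("selected") == "false"]


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "ncp-tailoring.xml"
    doc = build_tailoring(BENCHMARK_HREF, BASE_PROFILE, NEW_PROFILE_ID,
                          "NCP without telnet client removal",
                          [TELNET_RULE], TAILORING_ID)
    with open(out, "w", encoding="utf-8") as fh:
        fh.write(to_xml(doc))
    print(f"wrote {out}; deselected: {', '.join(deselected_rules(doc))}")
```

The generated file is passed to the scanner with `oscap xccdf eval --tailoring-file ncp-tailoring.xml --profile xccdf_org.example_profile_ncp_keep_telnet_client /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`; the tailored profile id, not the NCP id, is what gets selected, and the resulting report records the deviation instead of silently failing one rule.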

Re: [Open-scap] removing telnet client breaks fence agents

2019-11-01 Thread Gabe Alford
On Fri, Nov 1, 2019 at 10:46 AM Trevor Vaughan wrote:

> I don't see a reason to remove the rule in general but:
>
> 1) Having the telnet *client* present isn't really a big deal if you have
> pretty much any scripting language, or modern SSH that allows the NULL
> cipher
>

IIRC as of one of the OpenSSH 7.6 releases, a cipher of `none` is no longer
allowed.


> 2) All rules are 'unless you need them' at which point you can tailor them
> out of your profile. You won't pass the default tests but the default tests
> are just that, defaults.
>

This is for a layered product anyway which is starting to go through the
security evaluation process, and tickets haven't been filed yet for them to
remove their dependency on telnet.


Re: [Open-scap] removing telnet client breaks fence agents

2019-11-01 Thread Przemek Klosowski

On 11/1/19 1:29 PM, Gabe Alford wrote:

> On Fri, Nov 1, 2019 at 10:46 AM Trevor Vaughan wrote:
>
>> I don't see a reason to remove the rule in general but:
>>
>> 1) Having the telnet *client* present isn't really a big deal if
>> you have pretty much any scripting language, or modern SSH that
>> allows the NULL cipher
>
> IIRC as of one of the OpenSSH 7.6 releases, a cipher of `none` is no
> longer allowed.


OK, netcat ('nc') then, or a two-line TCL/Perl/Python script that opens 
a socket. Or just open it in the shell via the /dev/ filesystem network 
socket nodes:


exec 3<>/dev/tcp/mytelnetbox.example.com/23
