Disable network management of chrony daemon. #4449
@@ -0,0 +1,6 @@ | |||
# platform = multi_platform_rhel |
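Review bot: the `# platform = multi_platform_rhel` header on the first line of this remediation covers only RHEL, while the rule's `prodtype` shown on this page is `rhel8,fedora,ol8`, so the two disagree about where the rule and its fix apply. Widen the platform line to cover the same products as the prodtype list, or narrow the prodtype to match.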
I think the remediation script can also be applicable to Fedora.
Added Fedora and OL in ed89b59. Also rebased in master.
43a7c27 to ed89b59
Thanks! The output of the test run:
|
Not exposing the management interface of the chrony daemon on | ||
the network diminishes the attack space. | ||
|
||
severity: unknown |
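Review bot: `severity: unknown` on the last line of this region leaves the rule unrated, which gives anyone consuming the profile nothing to prioritise by; assign a concrete level before merging and make sure the rationale supports it. In the rationale lines just above, "diminishes the attack space" would read more clearly as "reduces the attack surface", and the text would be stronger if it said what an exposed management interface allows rather than only that exposure is undesirable.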
What severity should this rule be assigned?
@stevegrubb, what severity is this?
severity: unknown | ||
|
||
identifiers: | ||
cce@rhel8: 82840-0 |
Should there be RHEL 7 or RHEL 6 CCEs?
Possibly. I'm working based on the RHEL 8 kickstart by @stevegrubb, so not really focusing on older versions.
@yuumasato, do we want to add these things to older versions as well as part of the RHEL 8 review / work?
@adelton If it is cheap, yes, we can add them, but I don't consider it essential for the PR.
What I consider important is the content itself, the rule, check and fix.
I'd like to avoid expanding the scope too much, and having to check configuration settings for three distributions.
@@ -0,0 +1,30 @@ | |||
documentation_complete: true | |||
|
|||
prodtype: rhel8,fedora,ol8 |
Is this truly only applicable to RHEL 8?
@yuumasato, similar question to the above.
Description:
Rationale: