Hi everyone,

For F40 I would like to change the file permissions of a few files that are
provided by cronie and crontabs and swap the deny list for an allow list. I'm not
really sure if I should make a change proposal. I figured I'll send an
email first and see the feedback.

The driving force of this change is feedback from RHEL customers that they
would like to have cronie and crontabs CIS compliant out of the box, which
means changing some of the file permissions and swapping `cron.deny` for
`cron.allow`. As it stands now, they have to run their own scripts or a dnf
plugin (post-transaction-actions) to ensure that each update doesn't
overwrite the file permissions they manually set.

I would like these changes for F40, as this is going to be a branching
point for the next RHEL and I would like to go with an upstream-first approach.

*cronie* changes:
`cron.allow` replaces `cron.deny`  (file permission 600)
`cron.d` permission change (755 → 700)
`cron.hourly` permission change (755 → 700)

*crontabs* changes:
`crontab` permission change (644 → 600)
`cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)

Reference for these changes:
static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis.html

PR:
https://src.fedoraproject.org/rpms/cronie/pull-request/12
https://src.fedoraproject.org/rpms/crontabs/pull-request/6

Let me know what you think.
Cheers,
-- 

Ondřej Pohořelský

Software Engineer

Red Hat <https://www.redhat.com>

opoho...@redhat.com
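
Added example, not part of the original message or of the cronie/crontabs packages: a shell audit that compares a system (or an unpacked package tree) against the modes listed in the message. It assumes the files live under `/etc`, that GNU `stat` is available, and the function name `audit_cron_perms` is hypothetical.

```shell
#!/bin/sh
# Audit cron paths against the modes proposed in the message.
# Assumptions: files live under /etc; GNU stat (-c '%a') is available.
# Pass a root directory as $1 to audit a chroot or unpacked package tree.

audit_cron_perms() {
    root="${1:-}"
    failures=0

    # path:expected-mode pairs taken from the list in the message
    for entry in \
        etc/cron.allow:600 \
        etc/crontab:600 \
        etc/cron.d:700 \
        etc/cron.hourly:700 \
        etc/cron.daily:700 \
        etc/cron.weekly:700 \
        etc/cron.monthly:700
    do
        path="$root/${entry%%:*}"
        want="${entry##*:}"
        if [ ! -e "$path" ]; then
            echo "MISSING $path (expected mode $want)"
            failures=$((failures + 1))
            continue
        fi
        # %a prints the octal permission bits, e.g. 755
        have=$(stat -c '%a' "$path")
        if [ "$have" != "$want" ]; then
            echo "MODE    $path is $have, expected $want"
            failures=$((failures + 1))
        fi
    done

    # The proposal swaps the deny list for an allow list, so a leftover
    # cron.deny is reported as a finding.
    if [ -e "$root/etc/cron.deny" ]; then
        echo "PRESENT $root/etc/cron.deny (replaced by cron.allow)"
        failures=$((failures + 1))
    fi

    echo "$failures finding(s)"
    [ "$failures" -eq 0 ]
}
```

Run `audit_cron_perms` with no argument after a package update to see whether the update reset any of the modes; the exit status is non-zero when there is at least one finding.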