On Wed, 6 Dec 2023 at 06:49, Ondrej Pohorelsky <opoho...@redhat.com> wrote:
> > > On Wed, Dec 6, 2023 at 12:39 PM Fabio Valentini <decatho...@gmail.com> > wrote: > >> On Wed, Dec 6, 2023 at 11:17 AM Ondrej Pohorelsky <opoho...@redhat.com> >> wrote: >> > >> > Hi everyone, >> > >> > For F40 I would like to change file permissions of few files that are >> provided by cronie and crontabs and swap deny list for allow list. I'm not >> really sure if I should make a change proposal. I figured I'll send an >> email first and see the feedback. >> > >> > The driving force of this change is feedback from RHEL customers, that >> they would like to have cronie and crontabs CIS compliant out of the box. >> Which means changing some of the file permissions and swapping `cron.deny` >> for `cron.allow`. As it stands now, they have to run their own scripts or >> dnf plugin (post-transaction-actions) to ensure that each update doesn't >> overwrite the file permissions they manually set. >> >> Just out of curiosity - what does CIS even stand for? >> The linked Red Hat docs don't expand the acronym, and googling for it >> obviously yields results for something entirely different >> > > Basically, it is a Center for Internet Security (CIS) benchmark that some > companies use as a reference to limit configuration-based security > vulnerabilities. > I'm not really sure, but I think some governments require that their > systems are compliant. > > This standard is used in various Universities, local governments, hospitals, financial organizations, and can be required in some cases for PCI compliance (if your acreditor likes that kind of thing). Basically it is one of the major standards like the US DOD STIG https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide / https://ncp.nist.gov/repository Like any standard, there are things which are good and some which are 'that is a choice you could make, but...' > You can look at CIS wikipedia page for more info: > > https://en.wikipedia.org/wiki/Center_for_Internet_Security#CIS_Controls_and_CIS_Benchmarks > > -- > > Ondřej Pohořelský > > Software Engineer > > Red Hat <https://www.redhat.com> > > opoho...@redhat.com > <https://www.redhat.com> > -- > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
