Hi, I don’t know how this rules are checked, but if they are checked from the outside, you could block the port via firewall on anything but loopback. This way you’d follow the rule and still can use the UDP port for local monitoring.
Regards, Frank From: Nuß Bratling <nussbratl...@gmail.com> Sent: Wednesday, 21 August, 2024 1:53 PM To: chrony-users@chrony.tuxfamily.org Subject: [chrony-users] (SCAP-Finding) command port has to be closed *EXTERNAL source* Hi, There are these rules: RHEL9: https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-257947 RHEL8: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-06-14/finding/V-230486 We do monitoring, and these, above, rules define that the network monitoring (command) port (with less permissions) has to be closed, so that we have to connect to the unix socket with more permissions to get the monitoring metrics. I'd argue that those rules make the security of a chrony installation worse instead of better. I don't know if you know about these rules, and if no, would bringt it to your attention, that this rules perhaps should be changes, or, if you do know about these rules, I would like to ask what the rationale behind those are. Thank you, Moritz Molle
