I don't see a reason to remove the rule in general but:

1) Having the telnet *client* present isn't really a big deal if you have
pretty much any scripting language, or modern SSH that allows the NULL
cipher
2) All rules are 'unless you need them' at which point you can tailor them
out of your profile. You won't pass the default tests but the default tests
are just that, defaults.

Trevor

On Fri, Nov 1, 2019 at 12:21 PM Vojtech Polasek <vpola...@redhat.com> wrote:

> adding SSG list.
>
>
> Dne 01. 11. 19 v 11:30 Vojtech Polasek napsal(a):
> > Hello all,
> >
> > I am fixing the following bugzilla:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1729222
> >
> > Brief summary: as part of several profiles, in this case NCP profile
> > in rhel7, we are removing the telnet package containing the Telnet
> > client.
> >
> > But this removal of telnet package causes removal of the
> > fence-agents-all package and this causes removal of VDSM.
> >
> > So if an user wants to be compliant with NCP, they can't use VDSM nor
> > some fence agents at the same time.
> >
> > I proposed a PR which removes the "package_telnet_removed" rule from
> > rhel7, rhel8 and rhv4 profiles.
> >
> > https://github.com/ComplianceAsCode/content/pull/4958
> >
> > I understand that Telnet server introduces a security risk because it
> > uses unencrypted traffic, it is a common port attackers scan for etc.
> > We are removing the telnet-server package and also making sure that
> > the telnet service is disabled in two other separate rules.
> >
> > But do we really need to explicitly remove also the Telnet client?
> > Especially if it prevents features like VDSM from working? I
> > understand that it uses unencrypted traffic as well, but is it such a
> > high security risk?
> >
> > Steve, anyone else, could you give an opinion on this please?
> >
> > Thank you,
> >
> > Vojta
> >
> >
> >
> >
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-gu...@lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-gu...@lists.fedorahosted.org
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to