Hello folks,

in relation to applying sshd remediations, I am wondering if the fix should enforce a restart of sshd (include a command ensuring it).

From my point of view it should (the configuration, until reloaded, is still unsafe, even when configured safely), but since this touches the area of runtime state again, I am rather checking with you first (prior to proposing an enhancement).

Justification:
--------------
The absence of a service restart after modification of its configuration file can be misleading, since though the service configuration is safe already (and the subsequent check passes), it isn't really safe until reloaded (which might happen within a timeframe of months from the point in time the service configuration got changed).

On the other hand, should the service configuration file remediation / fix cause any issues preventing the service from starting (unlikely, but let's consider that such a case might happen), in my opinion it's more straightforward for the service to stop working immediately rather than within a timeframe (possibly of months), making subsequent debugging / identifying the reasons why it stopped working more difficult.

Thoughts appreciated.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
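The gap described in the message above (a configuration file that passes the check while the running daemon still uses the old settings) can be detected by comparing the file's modification time with the daemon's start time. The following is an added example, not part of the original post or of scap-security-guide; it assumes Linux `/proc` and GNU `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a config file changed after its daemon started.
# Assumptions: Linux /proc, GNU stat; function names are illustrative.
# Limitation: a reload that keeps the same process does not change the
# start time, so only a full restart clears the finding.

# Print the start time of PID $1 as seconds since the epoch.
proc_start_epoch() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || return 2
    # Field 2 (comm) may contain spaces; drop everything up to the last ')'.
    rest=$(sed 's/^.*) //' "/proc/$pid/stat")
    # With pid and comm removed, starttime (field 22) becomes field 20.
    ticks=$(printf '%s\n' "$rest" | awk '{print $20}')
    # btime is the boot time in epoch seconds; starttime counts clock
    # ticks since boot.
    btime=$(awk '$1 == "btime" {print $2}' /proc/stat)
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    echo $(( btime + ticks / hz ))
}

# Return 0 if file $1 was modified after process $2 started, i.e. the
# on-disk settings cannot be the ones the process read at startup.
# Return 1 if the file is older, 2 if either value cannot be read.
config_newer_than_process() {
    cfg_mtime=$(stat -c %Y "$1") || return 2
    started=$(proc_start_epoch "$2") || return 2
    [ "$cfg_mtime" -gt "$started" ]
}
```

A check could call `config_newer_than_process /etc/ssh/sshd_config "$(pgrep -o -x sshd)"` and report a finding on exit status 0; the path and the PID lookup are assumptions about the target system.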
