Hello folks,

slightly related to my previous post, and based on experience with customer systems (a whole system not rebooted for many days, possibly even for years, to ensure it keeps working / stays compatible), I am wondering whether the agencies focused on computer security have a recommendation / requirement for system reboots to be scheduled on a regular basis (like once per month).

As already mentioned, on one hand there are often scenarios where customer(s) don't reboot the system due to the fear of breaking functionality / compatibility. Such behaviour, on the other hand, obviously means that, for example, fixes for selected security flaws (mainly in the kernel) can't be applied completely / correctly, leaving the system in question still vulnerable to a particular attack. Therefore I was thinking whether we would want to introduce an XCCDF rule / recommendation requiring the system to be rebooted on a regular basis (once per month looks reasonable, but I am open to proposals), to ensure this (the kernel still being vulnerable) wouldn't happen. Besides that, (I think) even if the reboot should result in the system not being bootable, it's better to find that out immediately than after a period like ~3 years (many fixes applied at once => harder to find out which concrete one actually caused the failure to boot).

The corresponding OVAL check could see if there exists a particular crontab entry scheduling a reboot once per month (and fail if not). The fix would then be to add such a crontab entry (possibly including a "wall" notification with some delay prior to actually performing the reboot).

Opinions appreciated.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
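
The crontab check proposed in the message above, sketched as a shell function; this is an added example, not part of the original post and not code from the scap-security-guide project. The function name `has_monthly_reboot`, the sample crontab, and the definition of "monthly" (`@monthly`, or a fixed day of month 1-28 with `*` for month and weekday, so the job fires in every month) are assumptions.

```shell
#!/bin/sh
# Added example: pass/fail check for a monthly reboot entry in crontab text.
# Reads crontab-format lines on stdin; returns 0 if a monthly reboot entry
# exists, 1 otherwise. The command match is textual (reboot / shutdown -r).
has_monthly_reboot() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }      # skip VAR=value settings
        {
            first_cmd = 0
            if ($1 == "@monthly") {
                first_cmd = 2
            } else if (NF >= 6 &&
                       $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
                       $3 ~ /^[0-9]+$/ && $3 >= 1 && $3 <= 28 &&
                       $4 == "*" && $5 == "*") {
                # Day 29-31 is rejected on purpose: it would skip short months.
                first_cmd = 6
            }
            if (!first_cmd) next
            # Everything after the schedule; in /etc/crontab and /etc/cron.d
            # this includes the user field, which the match below ignores.
            cmd = ""
            for (i = first_cmd; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ "(^|[ /;&|])reboot([ ;&|]|$)" ||
                cmd ~ "(^|[ /;&|])shutdown +(-[a-z]*r|--reboot)") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample in /etc/crontab format, including the "wall" notice
# and delay mentioned in the message.
SAMPLE_CRONTAB='# constructed sample, not from a real system
SHELL=/bin/sh
17 * * * * root run-parts /etc/cron.hourly
30 3 1 * * root /usr/bin/wall "Monthly restart in 10 minutes"; sleep 600; /sbin/shutdown -r now'

if printf '%s\n' "$SAMPLE_CRONTAB" | has_monthly_reboot; then
    echo "PASS: monthly reboot is scheduled"
else
    echo "FAIL: no monthly reboot entry found"
fi
```

On a real system the input would be the concatenation of `/etc/crontab`, the files under `/etc/cron.d`, and root's user crontab.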
