----- Original Message -----
> From: "Jan Lieskovsky" <[email protected]>
> To: [email protected]
> Sent: Tuesday, December 17, 2013 11:47:39 AM
> Subject: Worthy to add XCCDF rule to ensure regular system reboots?
>
> Hello folks,
>
> slightly related to my previous post, and to experience seen
> on customer systems (whole system not rebooted for many days,
> possibly even for years, to ensure its work / compatibility), I'm wondering
> whether the agencies focused on computer security have a recommendation /
> requirement that system reboots be scheduled on a regular
> basis (like once per month).
>
> As already mentioned, on one hand there are often scenarios
> where customer(s) don't reboot the system due to the fear of breaking
> functionality / compatibility. Such behaviour, on the other hand,
> obviously means that, for example, fixes for selected security flaws
> (mainly in the kernel) can't be applied completely / correctly,
> leaving the system in question still vulnerable to a particular attack.
>
> Therefore I was thinking whether we would want to introduce an XCCDF rule /
> recommendation requiring the system to be rebooted on a regular basis
> (like once per month looks reasonable, but open to proposals),
Looked more: [1] http://www.unix.com/solaris/34784-reboot-unix-servers-recommended.html
and it looks like once per month might be too strict. But what about recommending
an automated reboot once per 90-120 days, as written there?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> to ensure this (kernel still being vulnerable) wouldn't happen.
>
> Besides that (I think) even if the reboot should result in the
> system not being bootable, it's better to find that out immediately
> than after a period like ~3 years (many fixes applied at once =>
> harder to find out which concrete one actually caused the failure
> to boot).
>
> The corresponding OVAL check could see if there exists a particular crontab
> entry scheduling a reboot once per month (and fail if not). The fix then
> would be to add such a crontab entry (possibly including a "wall" notification
> with some delay prior to actually performing the reboot).
>
> Opinions appreciated.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
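As an added illustration of the check/fix pair Jan sketches above (this is example code, not from the thread or from the scap-security-guide project, where the check would be expressed in OVAL rather than shell): a POSIX shell script with a check that succeeds only when a cron.d-format file contains an active, non-commented entry invoking `shutdown -r` or `reboot`, and a remediation that appends a monthly entry using shutdown's own delay, which broadcasts wall warnings to logged-in users before the reboot. The file path, the schedule (03:00 on the 1st of the month) and the sample crontab are assumptions and constructed data; both functions act only on the file they are given, so the script never touches /etc/cron.d or reboots anything.

```shell
#!/bin/sh
# Added example, not part of the original thread or the SSG project.
# Works on a crontab file passed as an argument so it can be tried safely.

# has_scheduled_reboot FILE
# Exit 0 if FILE holds an active (non-comment) cron line whose command
# invokes "shutdown -r" or "reboot"; exit 1 otherwise (including a
# missing/unreadable file). A commented-out entry does not count.
has_scheduled_reboot() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" \
        | grep -Eq '(^|[[:space:]/])(shutdown[[:space:]]+-r|reboot)([[:space:]]|$)'
}

# install_scheduled_reboot FILE [CRON_SPEC]
# Remediation: append a cron.d-style line (with the user field) that runs
# "shutdown -r +10"; the 10-minute delay makes shutdown broadcast wall
# warnings before rebooting. Default CRON_SPEC (assumed): 03:00 on the 1st
# of each month. Idempotent: does nothing if a reboot is already scheduled.
install_scheduled_reboot() {
    file="$1"
    spec="${2:-0 3 1 * *}"
    if has_scheduled_reboot "$file"; then
        return 0
    fi
    printf '%s root /sbin/shutdown -r +10 "Scheduled maintenance reboot"\n' \
        "$spec" >> "$file"
}

# Constructed sample crontab in a temp dir (not taken from any real system).
demo=$(mktemp -d)
cat > "$demo/reboot" <<'EOF'
# constructed sample: a logrotate job and a commented-out reboot entry
SHELL=/bin/sh
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
# 0 3 1 * * root /sbin/shutdown -r +10 "disabled"
EOF

if has_scheduled_reboot "$demo/reboot"; then
    echo "pass: a scheduled reboot entry is present"
else
    echo "fail: no active scheduled reboot; applying remediation"
    install_scheduled_reboot "$demo/reboot"
fi
echo "--- resulting crontab ---"
cat "$demo/reboot"
rm -rf "$demo"
```

The check deliberately ignores commented-out lines, since a disabled entry gives no assurance, and the fix is idempotent so re-running the remediation cannot stack up multiple reboot jobs.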
