As you expand from just the local machine to an Enterprise environment, this can be even more important. Suppose an over-eager admin decides to remediate (via SCAP or some other process) an entire Enterprise installation. If boxes are rebooted automagically after the remediation you can unintentionally take out the entire installation. Factor in cases where there is a required start order (which I bet we've all seen), and you've got the makings of a first-class mess, with really upset users/higher-ups. I'd submit that having the option of a reboot is worthwhile, but it needs to be wrapped in a couple layers of 'mother-may-I'.

-Rob
________________________________________
From: [email protected] [[email protected]] on behalf of Steve Grubb [[email protected]]
Sent: Tuesday, December 17, 2013 9:51 AM
To: [email protected]
Subject: Re: Should the remediation enforce the restart of service configuration of which it's changing?

On Tuesday, December 17, 2013 05:33:29 AM Jan Lieskovsky wrote:
> in relation with applying sshd remediations, wondering if
> the fix should enforce restart of sshd (include command ensuring it).

No. The update itself takes care of what is sane to do. If you force a restart, you can kill rsync or an admin session at a really bad point in time.

There can be a check that shows unrestarted daemons if that is desirable. The sectool content used to do that. So, it's possible to script. But I'd leave the decision about when to restart to the local admins.

-Steve
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
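The thread mentions a check that shows unrestarted daemons instead of forcing a restart. The following is an added example of such a report-only check, not code from the thread or from sectool. It assumes Linux `/proc`, and it assumes "unrestarted" means the process started before the configuration file was last modified; the function names and the sample data are constructed for illustration.

```python
import os

def comm_of(stat_line):
    # comm sits between the first "(" and the LAST ")"; it may itself contain ")" or spaces.
    return stat_line[stat_line.index("(") + 1:stat_line.rindex(")")]

def start_epoch(stat_line, btime, hz=100):
    # Field 22 (starttime, clock ticks since boot) is index 19 of the fields after comm.
    fields = stat_line[stat_line.rindex(")") + 1:].split()
    return btime + int(fields[19]) / hz

def unrestarted(stat_lines, btime, config_mtime, name, hz=100):
    """PIDs of processes called `name` that started before the config's mtime."""
    stale = []
    for line in stat_lines:
        if comm_of(line) == name and start_epoch(line, btime, hz) < config_mtime:
            stale.append(int(line.split()[0]))
    return sorted(stale)

def scan_live(config_path, name):
    """Report-only scan of the local /proc (Linux); it restarts nothing."""
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime"))
    lines = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                lines.append(f.read())
        except OSError:  # process exited while we were scanning
            continue
    return unrestarted(lines, btime, os.path.getmtime(config_path), name,
                       os.sysconf("SC_CLK_TCK"))

# Constructed sample data (not taken from the thread).
def _stat(pid, comm, start_ticks):
    return f"{pid} ({comm}) S 1 {pid} {pid} 0 -1 4194560 " + "0 " * 12 + f"{start_ticks} 0 0"

SAMPLE_BTIME = 1387270000
SAMPLE = [
    _stat(812, "sshd", 12_000),        # started 120 s after boot
    _stat(4410, "sshd", 900_000),      # started 9000 s after boot
    _stat(977, "odd) name", 12_000),   # comm containing ")" and a space
]
SAMPLE_CONFIG_MTIME = SAMPLE_BTIME + 3600  # config edited one hour after boot

if __name__ == "__main__":
    print(unrestarted(SAMPLE, SAMPLE_BTIME, SAMPLE_CONFIG_MTIME, "sshd"))
```

On a live host, `scan_live("/etc/ssh/sshd_config", "sshd")` returns the PIDs an admin would review before choosing a restart window.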
