----- Original Message -----
> From: "Robert Sanders" <[email protected]>
> To: [email protected]
> Sent: Tuesday, December 17, 2013 4:24:22 PM
> Subject: RE: Should the remediation enforce the restart of service    
> configuration of which it's changing?
> 
> As you expand from just the local machine to an Enterprise environment, this
> can be even more important.  Suppose an over-eager admin decides to
> remediate (via SCAP or some other process) an entire Enterprise
> installation.  If boxes are rebooted automagically after the remediation you
> can unintentionally take out the entire installation.  Factor in cases where
> there is a required start order (which I bet we've all seen), and you've got
> the makings of a first class mess, with really upset users/higher-ups.

Thank you, Robert.

Agreed that, in light of the above, not enforcing the restart makes more
sense.

>  I'd
> submit that having the option of a reboot is worthwhile, but it needs to be
> wrapped in a couple layers of 'mother-may-I'.

But to follow up on Luis' post (to continue on their proposal):
  
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004712.html

If there's some 'disruption' or 'reboot' attribute present in the XCCDF rule
definition, should SSG be able to handle these in an automated way (IOW be able
to add certain explanatory messages for each of them automagically)?

Or would we (for cases where it's clear) want to mention that a service restart /
reload is necessary for the configuration change to take effect?

Something like the "2.7.4.n. Make the auditd Configuration Immutable" rule now has
..
"With this setting, a reboot will be required to change any audit rules."
..

which, reflected into the case of sshd, could read as

"With this setting the sshd service needs to be restarted for the change to 
take effect."

Should we manually go through the content we already have and add those
where appropriate?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> -Rob
> 
> ________________________________________
> From: [email protected]
> [[email protected]] on behalf of Steve
> Grubb [[email protected]]
> Sent: Tuesday, December 17, 2013 9:51 AM
> To: [email protected]
> Subject: Re: Should the remediation enforce the restart of service
> configuration of which it's changing?
> 
> On Tuesday, December 17, 2013 05:33:29 AM Jan Lieskovsky wrote:
> >   in relation with applying sshd remediations, wondering if
> > the fix should enforce restart of sshd (include command ensuring it).
> 
> No. The update itself takes care of what is sane to do. If you force a
> restart, you can kill rsync or an admin session at a really bad point in
> time.
> 
> There can be a check that shows unrestarted daemons if that is desirable. The
> sectool content used to do that. So, it's possible to script. But I'd leave the
> decision about when to restart to the local admins.
> 
> -Steve
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
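As an added example (this is not SSG remediation content and not code from anyone in the thread), the following shell sketch shows both halves of what is being discussed: a remediation that edits a directive in sshd_config without restarting sshd, leaving the restart decision to the local admin as Steve suggests, and the "unrestarted daemons" check he mentions, done by comparing the config file's modification time with the daemon's start time. The function names, the stock paths, the pidfile location and the reliance on procps-ng's `ps -o etimes=` are assumptions.

```shell
#!/bin/bash
# Added example, not SSG remediation content: change an sshd_config
# directive without restarting sshd, and separately detect daemons that
# are still running on configuration newer than their start time.
# Assumptions: Linux, procps-ng (ps -o etimes=), GNU or BSD stat.

# Set DIRECTIVE to VALUE in an sshd_config-style file.  sshd honours the
# first active occurrence of a directive (names are case-insensitive), so
# the first one is rewritten and later duplicates dropped; if none exists
# the directive is appended.  The file is rewritten in place via a temp
# copy so its inode, owner and mode are preserved.  No restart happens.
set_sshd_directive() {
    local cfg="$1" key="$2" val="$3" tmp rc
    tmp="$(mktemp)" || return 1
    awk -v key="$key" -v val="$val" '
        BEGIN { lkey = tolower(key); done = 0 }
        tolower($1) == lkey { if (!done) print key, val; done = 1; next }
        { print }
        END { if (!done) print key, val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Modification time of a file as seconds since the epoch.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Epoch at which PID started (now minus procps-ng's elapsed seconds).
# Fails if the PID no longer exists.
proc_start_epoch() {
    local elapsed
    elapsed="$(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ')"
    [ -n "$elapsed" ] || return 1
    echo $(( $(date +%s) - elapsed ))
}

# True (exit 0) when CFG was modified after START_EPOCH, i.e. a daemon
# started at START_EPOCH has not yet read the current configuration.
config_newer_than() {
    local cfg="$1" start="$2"
    [ "$(file_mtime "$cfg")" -gt "$start" ]
}

# One-line status for the admin; exit 0 = restart/reload needed,
# 1 = up to date, 2 = not running.  Nothing is restarted here.
report_restart_needed() {
    local name="$1" cfg="$2" pid="$3" start
    start="$(proc_start_epoch "$pid")" || { echo "$name: not running"; return 2; }
    if config_newer_than "$cfg" "$start"; then
        echo "$name: $cfg changed after pid $pid started; restart or reload needed"
        return 0
    fi
    echo "$name: running on current configuration"
    return 1
}

# Only touches the live system when explicitly asked (./script --apply).
# Paths are the stock ones (assumed); the pidfile location varies by distribution.
if [ "${1:-}" = "--apply" ]; then
    set_sshd_directive /etc/ssh/sshd_config PermitRootLogin no
    echo "PermitRootLogin set to 'no'; sshd was NOT restarted."
    if [ -r /run/sshd.pid ]; then
        report_restart_needed sshd /etc/ssh/sshd_config "$(cat /run/sshd.pid)"
    fi
fi
```

The mtime-versus-start-time comparison is a heuristic, not proof: a daemon that re-read its file on SIGHUP, or a file edited and then reverted, is still reported as stale, and files pulled in via `Include` are not examined. It is still enough to give the admin the list of daemons to consider, which is the point of keeping the restart out of the remediation itself.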