This seems like a reasonable argument to me. Let's chat with the owners of the Profiles (DISA FSO etc) that are using it, and get their take too.
I think that the original motivation (likely from old guidance) was simply to remove unnecessary services, but you're right -- this one seems more likely to be very helpful in systems that are not up 24/7 (which is growing in number vs the old always-on server, given the growth in cloud deployments). The rule may have once made sense from a general software minimization effort, but seems to make less sense as a compliance rule today (whether the system runs occasionally or 24/7). Here's requesting comment from the Profile owners (or else I'll reach out individually to you to check).

On Tue, Apr 15, 2014 at 5:19 PM, Trevor Vaughan <[email protected]> wrote:
> So, I was re-reading the RHEL6 guide and I'm not seeing the imminent threat
> on leaving anacron on a server.
>
> 1) I usually want anacron to take care of things that I missed if a server
> has been down for a while.
> 2) Anacron can only be used by root. Regular users can't modify anacron
> settings.
> 3) Cron is already locked down based on further guidance (which I don't see
> a CCE for)
>
> So, given 1-3, what is the practical harm in leaving anacron on the system?
>
> Given the above, unless there is a solid attack vector behind this that I'm
> missing, I would like to propose the deletion of "Disable anacron Service".
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> [email protected]
>
> -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
