That language always helps and should probably just be a preface to the
whole guide. A written justification *should* always suffice.
On Mon, Apr 6, 2015 at 5:12 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 4/6/15 3:16 PM, Steve Grubb wrote:
> On Monday, April 06, 2015 03:02:20 PM Trevor Vaughan wrote:
>
>> Hi All,
>>
>> Since the new-ish (6 and 7) guides indicate that xinetd should be disabled,
>> what is the preferred method for running VNC and TFTP sessions to a host?
>>
>> The tftp-server package installs the /etc/xinetd.d/tftp file but could
>> certainly drop an init script/systemd script with associated sysconfig file.
>>
>> The VNC one is a bit more difficult since it gets difficult to have dynamic
>> SSH-based terminals without something like xinetd (or, again, a highly
>> configurable init script).
>>
>> I know this falls under the "if you need it, use it" category
>>
> I'd say this is still the case. Tftpd and vnc are not universally needed. I
> think the aim is to reduce root running daemons (xinetd) in the common use
> case so that the attack surface is smaller. In your situation on RHEL6,
> install xinetd if you need it. In the case of RHEL7, systemd socket activation
> should work (should even be shipped that way).
>
Reviewed the RHEL6 xinetd language, and the rules don't have the standard
"if you need it, use it" clause.
Trevor, would adding that wording help you?
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
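To illustrate the socket-activation approach Steve refers to for RHEL7, here is a constructed systemd socket/service pair for tftp. It is an added example, not a file from the thread or from the tftp-server package or the SSG project; it assumes the tftp-hpa binary at /usr/sbin/in.tftpd and a /var/lib/tftpboot serving root, and the unit names are hypothetical. The point is that no daemon runs at all until a datagram arrives on UDP/69, so there is no long-running root-owned xinetd process to account for.

```ini
# /etc/systemd/system/tftp.socket  (hypothetical path and unit name)
# systemd itself holds the listening socket; nothing else runs until
# a request arrives.
[Unit]
Description=TFTP socket (socket-activated, replaces /etc/xinetd.d/tftp)

[Socket]
# UDP/69, the standard TFTP port. Restrict with a firewall rule in addition.
ListenDatagram=69

[Install]
WantedBy=sockets.target

# /etc/systemd/system/tftp.service  (hypothetical path and unit name)
# Started by systemd only when tftp.socket has traffic; the datagram
# socket is handed to the process on stdin, as in.tftpd expects when
# run from inetd/xinetd.
[Unit]
Description=TFTP server (on-demand, started by tftp.socket)
Requires=tftp.socket

[Service]
# -s chroots into the serving directory so only that tree is reachable;
# -u runs as the named account instead of root (assumed to exist).
ExecStart=/usr/sbin/in.tftpd -s -u tftp /var/lib/tftpboot
StandardInput=socket
# Assumed hardening; drop if the distro's build of in.tftpd lacks support.
ProtectSystem=strict
ReadOnlyPaths=/var/lib/tftpboot
PrivateTmp=yes

[Install]
Also=tftp.socket
```

Enable only the socket (systemctl enable --now tftp.socket); the service unit is never enabled directly, and an audit that lists enabled units will show no resident tftp or xinetd daemon.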