Re: removing telnet client breaks fence agents

adding SSG list. Dne 01. 11. 19 v 11:30 Vojtech Polasek napsal(a): > Hello all, > > I am fixing the following bugzilla: > > https://bugzilla.redhat.com/show_bug.cgi?id=1729222 > > Brief summary: as part of several profiles, in this case NCP profile > in rhel7, we are removing the telnet package containing the Telnet > client. > > But this removal of telnet package causes removal of the > fence-agents-all package and this causes removal of VDSM. > > So if an user wants to be compliant with NCP, they can't use VDSM nor > some fence agents at the same time. > > I proposed a PR which removes the "package_telnet_removed" rule from > rhel7, rhel8 and rhv4 profiles. > > https://github.com/ComplianceAsCode/content/pull/4958 > > I understand that Telnet server introduces a security risk because it > uses unencrypted traffic, it is a common port attackers scan for etc. > We are removing the telnet-server package and also making sure that > the telnet service is disabled in two other separate rules. > > But do we really need to explicitly remove also the Telnet client? > Especially if it prevents features like VDSM from working? I > understand that it uses unencrypted traffic as well, but is it such a > high security risk? > > Steve, anyone else, could you give an opinion on this please? > > Thank you, > > Vojta > > > > _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...