As I was digging around some of the content, I realized that I had a question that I never managed to get answered.
Namely, is NetworkManager now a required service?
If so, what is the proper mechanism for restricting DBus access to NetworkManager to only allowed users (i.e. no GUI utilities, etc...).
I feel like this should be codified somewhere in the SSG content.
Thanks,
Trevor
Why is NetworkManager required? I hate that on servers.
On Fri, Sep 7, 2018, 5:42 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
As I was digging around some of the content, I realized that I had a question that I never managed to get answered.
Namely, is NetworkManager now a required service?
If so, what is the proper mechanism for restricting DBus access to NetworkManager to only allowed users (i.e. no GUI utilities, etc...).
I feel like this should be codified somewhere in the SSG content.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information -- _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
Everyone I know hates that on servers.
Apparently firewalld tries to use it and it's mentioned in the SSG explicitly.
Since it's mentioned, there needs to be surrounding guidance on how to make it not be so "user friendly".
If it's not needed, it should fall under "run no unnecessary services" and be slated to be killed explicitly since it does try to give people the ability to do things in the network stack by default (which they should not have).
Thanks,
Trevor
On Sat, Sep 8, 2018 at 12:38 PM Matthew simontek@gmail.com wrote:
Why is NetworkManager required? I hate that on servers.
Oh, this is also related to the 'hidepid' discussion. If NetworkManager is going to be a blocker on hidepid, then it needs to be fully locked down and I can't find good guidance on doing that.
On Sun, Sep 9, 2018 at 12:56 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Everyone I know hates that on servers.
Apparently firewalld tries to use it and it's mentioned in the SSG explicitly.
Since it's mentioned, there needs to be surrounding guidance on how to make it not be so "user friendly".
If it's not needed, it should fall under "run no unnecessary services" and be slated to be killed explicitly since it does try to give people the ability to do things in the network stack by default (which they should not have).
Thanks,
Trevor
Hello Trevor,
I don't know the answers for these questions. It would be better to discuss with RHEL NetworkManager devels. I am adding them into the thread.
Hello Thomas, Lubomir, can you help us on this topic? There are some questions which we (Security Compliance team) are unable to answer and we need your help:
1. Is NetworkManager meant to be a required service in RHEL 7?
2. What is the proper mechanism for restricting DBus access to NetworkManager to only allowed users (i.e. no GUI utilities, etc...)? Do you have any pointers (manuals/blogs/...)?
Thanks, Matus Marhefka
On Sun, Sep 9, 2018 at 6:57 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
Oh, this is also related to the 'hidepid' discussion. If NetworkManager is going to be a blocker on hidepid, then it needs to be fully locked down and I can't find good guidance on doing that.
Actually, I was just poking through the rules around firewalld and realized that it has the same issue.
Firewalld can be controlled by polkit but there doesn't seem to be any content in the SSG to tell users how to properly restrict it and what the restrictions should be.
Ideally, of course, we would want rules that restrict these settings to only authorized users which means we need a good chunk of the SSG dedicated to polkit, javascript, and the fun therein.
Or...we could disable firewalld and NetworkManager as unnecessary services and fall back to iptables and network (which taste great and are less filling).
Thanks,
Trevor
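The kind of polkit rule the message above asks for, as an added example that is not part of the original thread or of the SSG content: it denies NetworkManager and firewalld D-Bus actions to everyone outside one group. The group name `netadmin` and the rules file name (for instance `10-restrict-network.rules` under `/etc/polkit-1/rules.d/`) are assumptions.

```javascript
// Added example: polkit rule restricting NetworkManager and firewalld
// D-Bus actions to one group. Plain ES5 (var, no arrow functions) so an
// older polkitd JavaScript engine can load it.

// Hypothetical group name; use whichever group holds your network admins.
var ALLOWED_GROUP = "netadmin";

// Action-id prefixes registered by NetworkManager and firewalld.
var GUARDED_PREFIXES = [
    "org.freedesktop.NetworkManager.",
    "org.fedoraproject.FirewallD1."
];

// Inside polkitd the global `polkit` object exists. The fallback values are
// constructed labels that only let the function be exercised outside polkitd.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { NO: "no", NOT_HANDLED: "not-handled" };

function isGuarded(actionId) {
    for (var i = 0; i < GUARDED_PREFIXES.length; i++) {
        if (actionId.indexOf(GUARDED_PREFIXES[i]) === 0) {
            return true;
        }
    }
    return false;
}

function restrictNetworkActions(action, subject) {
    if (!isGuarded(action.id)) {
        return Result.NOT_HANDLED;   // not ours: leave it to other rules
    }
    if (subject.user === "root" || subject.isInGroup(ALLOWED_GROUP)) {
        return Result.NOT_HANDLED;   // the action's own defaults still apply
    }
    return Result.NO;                // everyone else is denied outright
}

// Register the rule only when loaded by polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(restrictNetworkActions);
}
```

polkit reads rules files in lexical order and stops at the first rule that returns a result, so the numeric prefix of the file name decides whether this rule is consulted before any more permissive one.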
On Mon, Sep 10, 2018 at 9:02 AM Matus Marhefka mmarhefk@redhat.com wrote:
Hello Trevor,
I don't know the answers for these questions. It would be better to discuss with RHEL NetworkManager devels. I am adding them into the thread.
Hello Thomas, Lubomir, can you help us on this topic? There are some questions which we (Security Compliance team) are unable to answer and we need your help:
- Is NetworkManager meant to be a required service in RHEL 7?
- What is the proper mechanism for restricting DBus access to NetworkManager to only allowed users (i.e. no GUI utilities, etc...)? Do you have any pointers (manuals/blogs/...)?
Thanks, Matus Marhefka