[chrony-users] (SCAP-Finding) command port has to be closed

[chrony-users] (SCAP-Finding) command port has to be closed

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] (SCAP-Finding) command port has to be closed
From: Nuß Bratling <nussbratling@xxxxxxxxx>
Date: Wed, 21 Aug 2024 13:53:13 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1724241206; x=1724846006; darn=chrony.tuxfamily.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=CjUMWdQm7rXeVp8af0RxJ4PiVhjifADSK2oZThwDSfk=; b=mTufmjzyvI3jaGbkOgUf8Qd1JYqCx48UlLPulyOPv2wF0LaRPQSPWlejb+zd6RHA7t K1tGeoYZESaQ8mOwm7QckuKFgfAH/m/qczshZapdsGB+fxvYNHzpZmIAk4tJVhpZkVRt rgZ2aqossM2qkgDejSQnHODoOf8IxXN9pcpzAYZDEahUlD7S/6dtwGV8JsFts6uWrNBl RxSSBO3WOtTPdxCOTepPq3SQSefl+MexeFnumRg1koZiZumLmr5w28687okxy/tt4xVj Jevzoq5CmICXAJeYDiUtcHmpOAgv4TczT3RNGowXzcw7xZxnVowJvU/Al/Dtpp361q8U sNOQ==

Hi,

There are these rules:

RHEL9: https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-257947

RHEL8: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-06-14/finding/V-230486

We do monitoring, and these, above, rules define that the network monitoring (command) port (with less permissions) has to be closed, so that we have to connect to the unix socket with more permissions to get the monitoring metrics.

I'd argue that those rules make the security of a chrony installation worse instead of better.

I don't know if you know about these rules, and if no, would bringt it to your attention, that this rules perhaps should be changes, or, if you do know about these rules, I would like to ask what the rationale behind those are.

Thank you,

Moritz Molle

Follow-Ups:
- Re: [chrony-users] (SCAP-Finding) command port has to be closed
  - From: Miroslav Lichvar

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-users] Recommendation for chrony with 1PPS setup
Next by Date: Re: [chrony-users] (SCAP-Finding) command port has to be closed
Previous by thread: Re: [chrony-users] Recommendation for chrony with 1PPS setup
Next by thread: Re: [chrony-users] (SCAP-Finding) command port has to be closed

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/