remove rule package_telnet_removed from profiles in rhel7, rhel8, rhv4 #4958
Conversation
|
I wonder if other Profiles should drop the rule |
vojtapolasek
force-pushed
the
not_remove_telnet_client
branch
from
85c5210
to
bcf0393
Compare
vojtapolasek
changed the title
|
This is a NACK. Any use of telnet whether client or server brings unencrypted remote authentication and is a huge problem. |
@redhatrises Note it is just removing rule for the "client removed", any rule for server removed is preserved. Can you clarify what is the problematic use case with the telnet client installed? |
|
Just to clarify why I am suggesting this, telnet is a dependency of several fence agents, to be exact 11 packages in rhel7 and 10 packages in rhel8. |
The problem is that it initiates an unencrypted remote session which can pass username and password in the clear. The fence agents a part of layered products need to start following good security practices as well now which means they need to start removing |
|
Closing. See Steve Grubb's added comments about this https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org/message/CYAR26WBNZIZHIO76LNKQINORX3UPWL7/ |
Description:
The rule package_telnet_removed was removet from all profiles shipped with rhel7, rhel8 and rhv4
Rationale:
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1729222
The rule package_telnet_removed removes Telnet client which is needed by some installations, especially fence agents. The Telnet server, which introduces much bigger security problem, is removed by a different rule. It should be fine to keep the Telnet client as it does not introduce direct security risk.