James Hogarth
2015-Dec-22 13:29 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 22 December 2015 at 10:33, Sylvain CANOINE <sylvain.canoine at tv5monde.org> wrote:
>
> ----- Original message -----
> > From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
> > To: "centos" <centos at centos.org>
> > Sent: Monday 21 December 2015 21:46:10
> > Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2
>
> > Agreed. Sylvain, if possible, please elaborate on their reasoning for
> > this, because it just seems like a case of "we fear what we don't know",
> > so they are recommending to stick to old habits instead.
> >
> > Or have they identified real attack vectors in NM? If yes, we would love
> > to hear that so it can be fixed.
>
> In short, "you don't need it, so don't use it".
> They said NM is more a desktop-oriented tool, already had privilege
> escalation issues in the past (I didn't search if they're right), has too
> many dependencies (such as wpa_supplicant and avahi, which are, of course,
> also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users
> changing its settings, needs D-Bus just to work, so it is too complex
> just to set static IP addresses on network interfaces. They said multiple
> administrator actions, and potentially human errors, to set it up, may be a
> security risk...
>
>

Also known as "we have our policies for EL6 and we haven't paid any
attention to EL7 to see how things have changed" ... Wonder if they have
read my NM blog article yet ...

Honestly any 'security' people banning wpa_supplicant need their heads
examined given that it is used for 802.1x authentication ... which if they
care about security they should be paying attention to.

As for polkit and dbus ... well they have to be there in EL7 and systemd
relies on these mechanisms.

That said if they're having kittens about NM, polkit, dbus and
wpa_supplicant they probably hate systemd and frankly I'm surprised they
permit EL7 at all ;)

Note that by default a non-administrator user cannot change system network
configuration ... bah idiots ...
m.roth at 5-cent.us
2015-Dec-22 15:53 UTC
[CentOS] Network services start before network is up since migrating to 7.2
James Hogarth wrote:
> On 22 December 2015 at 10:33, Sylvain CANOINE
> <sylvain.canoine at tv5monde.org> wrote:
>> > From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
<snip>
>> In short, "you don't need it, so don't use it".
>> They said NM is more a desktop-oriented tool, already had privilege
>> escalation issues in the past (I didn't search if they're right), has
>> too many dependencies (such as wpa_supplicant and avahi, which are, of
>> course, also forbidden), needs extra mechanisms (PAM? Polkit?)
>> to avoid users changing its settings, needs D-Bus just to work, so
>> it is too complex just to set static IP addresses on network
>> interfaces. They said multiple administrator actions, and
>> potentially human errors, to set it up, may be a security risk...
>
> Also known as "we have our policies for EL6 and we haven't paid any
> attention to EL7 to see how things have changed" ... Wonder if they have
> read my NM blog article yet ...
>
> Honestly any 'security' people banning wpa_supplicant need their heads
> examined given that it is used for 802.1x authentication ... which if they
> care about security they should be paying attention to.

Really? Why?

a) All the servers I've ever dealt with (and I don't mean a large tower
under someone's desk) are racked in locked rooms and hardwired.

b) NONE I've ever seen has any wifi, so I've never understood why avahi,
and the firewall hole for it, was installed in the "server" version by
default.

c) wpa_supplicant - again, why? If it's hardwired, and behind switches and
firewalls, why PNAC if every server is running firewalls?
<snip>

mark "let's *please* NOT talk about NAC via Cisco,
and people who allegedly know and have planned
rolling it out...."
John R Pierce
2015-Dec-22 20:43 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 12/22/2015 5:29 AM, James Hogarth wrote:
> Also known as "we have our policies for EL6 and we haven't paid any
> attention to EL7 to see how things have changed" ... Wonder if they have
> read my NM blog article yet ...

more likely their policies were developed in the days of RHEL <= 4, and
have only begrudgingly been brought forward to support 6.

--
john r pierce, recycling bits in santa cruz
Yamaban
2015-Dec-22 21:23 UTC
[CentOS] Re: Network services start before network is up since migrating to 7.2
On Tue, 22 Dec 2015 14:29, James Hogarth wrote:
> On 22 December 2015 at 10:33, Sylvain CANOINE wrote
>> ----- Original message -----
>>> From: "Marcelo Ricardo Leitner"
>>> To: "centos"
>>> Sent: Monday 21 December 2015 21:46:10
>>> Subject: Re: [CentOS] Network services start before network is up since
>> migrating to 7.2
>>
[snip]
> Also known as "we have our policies for EL6 and we haven't paid any
> attention to EL7 to see how things have changed" ... Wonder if they have
> read my NM blog article yet ...
>
> Honestly any 'security' people banning wpa_supplicant need their heads
> examined given that it is used for 802.1x authentication ... which if they
> care about security they should be paying attention to.
>
> As for polkit and dbus ... well they have to be there in EL7 and systemd
> relies on these mechanisms.
>
> That said if they're having kittens about NM, polkit, dbus and
> wpa_supplicant they probably hate systemd and frankly I'm surprised they
> permit EL7 at all ;)
>
> Note that by default a non-administrator user cannot change system network
> configuration ... bah idiots ...

You speak of this post: https://www.hogarthuk.com/?q=node/8 don't you?

An interesting read on the background of RHEL7 / CentOS7. Thanks.

On Avahi: well, the job it SHOULD do is to announce the services running
on the machine to the network. As this is done via broadcast, these
announcements should not be routed to outside, anyway.

But yes, there are many admins who do not like this 'auto-discovery'
stuff. Too 'MS Windows' / 'Apple MacOS'-like, not 'pure' or 'hardcore' enough.

- Yamaban.
m.roth at 5-cent.us
2015-Dec-22 21:27 UTC
[CentOS] Network services start before network is up since migrating to 7.2
Yamaban wrote:
> On Tue, 22 Dec 2015 14:29, James Hogarth wrote:
>> On 22 December 2015 at 10:33, Sylvain CANOINE wrote
>>> ----- Original message -----
>>>> From: "Marcelo Ricardo Leitner"
>>>> To: "centos"
>>>> Sent: Monday 21 December 2015 21:46:10
>>>> Subject: Re: [CentOS] Network services start before network is up since
>>> migrating to 7.2
>>>
> [snip]
> On Avahi: well, the job it SHOULD do is to announce the services running
> on the machine to the network. As this is done via broadcast, these
> announcements should not be routed to outside, anyway.
>
> But yes, there are many admins who do not like this 'auto-discovery'
> stuff.
> Too 'MS Windows' / 'Apple MacOS'-like, not 'pure' or 'hardcore' enough.

I beg your pardon. What *possible* reason is there for a server, hardwired,
to "announce" itself to anything, other than DHCP? Everywhere I've worked,
and what I know, is that servers are assigned IP addresses; they don't just
take whatever's offered, willy-nilly. And if they do... I do *not* want to
work there. That's not only unprofessional, it's an insane security risk.
Suppose someone puts their laptop on the intranet, and has *it* running a
DHCP server?

mark
Marcelo Ricardo Leitner
2015-Dec-23 11:57 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 22-12-2015 13:53, m.roth at 5-cent.us wrote:
<snip>
> c) wpa_supplicant - again, why? If it's hardwired, and behind switches and
> firewalls, why PNAC if every server is running firewalls?
> <snip>
>
> mark "let's *please* NOT talk about NAC via Cisco,
> and people who allegedly know and have planned
> rolling it out...."

It's the same reason you think that adding one layer of management (dbus &
co.) adds more risk than not adding it. It's another wall to be crossed, if
anything happens. Some think firewalls are enough, some not.