yum-cron not actually required
jamescassell opened this issue
RHEL-07-020260 requires that systems be up-to-date. It is not prescribed how this should be done.
The finding details in V2R2 are:
If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.
Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.
The Fix Text is:
Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.
Installing yum-cron and configuring it is troublesome for offline systems and systems whose "optional" repo name doesn't match the expected value for an online, subscribed system. Further, even setting

```yaml
rhel7stig_auto_package_updates:
  enabled: no
```

fails because it tries to enable the problematic repos when removing the yum-cron package. The only workaround is to set `rhel_07_020260: no`, which makes it appear at first glance like the system is non-compliant with that rule.
I don't think we need yum-cron, but if we want to keep it, we should make it optional. If we're installing it from the 'optional' repo, we should enable that repo permanently in case there is a security bug with yum-cron itself. The most the role should do here, in my opinion, is a one-off yum update, perhaps only if not otherwise done within 30 days.
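An added example, not code from the issue or from the role: one way to evaluate RHEL-07-020260 (packages updated within the required timeframe, 30 days per the Fix Text) without yum-cron is to read the install timestamps that `rpm -qa --last` already records and compare the newest one against the threshold. The package names and dates in the sample output are constructed, and the check assumes rpm prints every timestamp in the same local time zone.

```python
"""Check RHEL-07-020260 from `rpm -qa --last` instead of relying on yum-cron."""
import subprocess
from datetime import datetime
from typing import List, Optional, Tuple

# `rpm -qa --last` prints one package per line, newest install first:
#   <name-version-release.arch>   <Day DD Mon YYYY HH:MM:SS AM|PM ZONE>
# The trailing zone token is dropped; rpm prints every stamp in the same zone.
RPM_LAST_FORMAT = "%a %d %b %Y %I:%M:%S %p"


def parse_rpm_last(output: str) -> List[Tuple[str, datetime]]:
    """Return (package, install_time) pairs parsed from `rpm -qa --last` text."""
    entries = []
    for line in output.splitlines():
        parts = line.split(None, 1)  # package name, then the timestamp text
        if len(parts) != 2:
            continue  # blank or malformed line
        pkg, stamp = parts
        stamp = stamp.strip().rsplit(" ", 1)[0]  # strip the zone name
        entries.append((pkg, datetime.strptime(stamp, RPM_LAST_FORMAT)))
    return entries


def days_since_last_update(output: str, now_iso: str) -> Optional[int]:
    """Whole days since the newest install/update, or None if nothing parsed."""
    entries = parse_rpm_last(output)
    if not entries:
        return None
    newest = max(when for _, when in entries)
    return (datetime.fromisoformat(now_iso) - newest).days


def is_finding(output: str, now_iso: str, max_days: int = 30) -> bool:
    """True when RHEL-07-020260 would be a finding: no record, or too old."""
    age = days_since_last_update(output, now_iso)
    return age is None or age > max_days


def check_live_system(max_days: int = 30) -> bool:
    """Run rpm on this host (RHEL/CentOS only) and apply the same rule."""
    out = subprocess.run(["rpm", "-qa", "--last"], check=True,
                         capture_output=True, text=True).stdout
    return is_finding(out, datetime.now().isoformat(), max_days)


# Constructed sample output (not captured from a real host), newest first.
SAMPLE_RPM_LAST = """\
example-tool-1.2.3-4.el7.x86_64       Wed 15 May 2024 02:14:07 PM UTC
example-libs-0.9.0-1.el7.x86_64       Wed 15 May 2024 02:14:05 PM UTC
example-base-2.0-7.el7.noarch         Mon 11 Mar 2024 09:12:33 AM UTC
"""
```

On a real host, `check_live_system()` returns True when the most recent package install is older than 30 days, which is the condition the role would need before running its one-off update.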
+1 on making yum-cron optional