diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index 6c77f7fcfe..6cf7b30330 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst @@ -288,7 +288,7 @@ Starting and Stopping the Control Agent - ``-X`` - As of Kea 3.0, disables security restrictions. The server will still check for violations but will emit warning logs when they are found rather than fail with an error. Please see - :ref:`sec-kea-runtime-security-risk-checking` for details. + :ref:`sec-kea-runtime-security-policy-checking` for details. The CA is started by running its binary and specifying the configuration file it should use. For example: diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index 24527bc331..fdc6515505 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst @@ -166,7 +166,7 @@ directly. It accepts the following command-line switches: - ``-X`` - As of Kea 3.0, disables security restrictions. The server will still check for violations but will emit warning logs when they are found rather than fail with an error. Please see - :ref:`sec-kea-runtime-security-risk-checking` for details. + :ref:`sec-kea-runtime-security-policy-checking` for details. Upon startup, the module loads its configuration and begins listening for NCRs based on that configuration. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index d497594726..f24e063e82 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -81,7 +81,7 @@ the following command-line switches: - ``-X`` - As of Kea 3.0, disables security restrictions. The server will still check for violations but will emit warning logs when they are found rather than fail with an error. Please see - :ref:`sec-kea-runtime-security-risk-checking` for details. + :ref:`sec-kea-runtime-security-policy-checking` for details. On startup, the server detects available network interfaces and attempts to open UDP sockets on all interfaces listed in the 
diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 002a4f346e..d8e87e538d 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -81,7 +81,7 @@ the following command-line switches: - ``-X`` - As of Kea 3.0, disables security restrictions. The server will still check for violations but will emit warning logs when they are found rather than fail with an error. Please see - :ref:`sec-kea-runtime-security-risk-checking` for details. + :ref:`sec-kea-runtime-security-policy-checking` for details. On startup, the server detects available network interfaces and attempts to open UDP sockets on all interfaces listed in the diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 85865cc444..54400f5b1a 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst 
@@ -556,15 +556,16 @@ and DDNS servers since Kea version 2.7.2. The three primary Kea daemons (:iscman:`kea-dhcp4`, :iscman:`kea-dhcp6` and :iscman:`kea-dhcp-ddns`) all support a control channel, which is implemented as a UNIX socket. The control channel, which opens a UNIX socket, is disabled by default. -.. _sec-kea-runtime-security-risk-checking: +.. _sec-kea-runtime-security-policy-checking: -Kea Runtime Security Risk Checking -================================== +Kea Runtime Security Policy Checking +==================================== -Runtime security risk checking was initially added to Kea daemons :iscman:`kea-dhcp4`, +Runtime security policy checking was initially added to Kea daemons :iscman:`kea-dhcp4`, :iscman:`kea-dhcp6`, :iscman:`kea-dhcp-ddns`, :iscman:`kea-ctrl-agent`. in Kea 2.7.9 release. In Kea 3.0 additional checks were added. By default, when a daemon detects -a security risk it emits an error log and exits. The following checks are performed: +a security policy violation it emits an error log and exits. The following checks are +performed: - Use of unsupported file paths or permissions as detailed in :ref:`sec-summary-of-path-restrictions`
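Review bot: the label rename in doc/sphinx/arm/security.rst removes ``sec-kea-runtime-security-risk-checking`` outright, and the patch only updates the four ``-X`` references in agent.rst, ddns.rst, dhcp4-srv.rst and dhcp6-srv.rst. Any other ``:ref:`` to the old label elsewhere in the tree would become an undefined-label warning in the Sphinx build, so please grep for the old name before merging. In the same four hunks the unchanged text still reads "disables security restrictions" while the renamed section now speaks of a "security policy violation"; consider aligning the ``-X`` wording with the new term so readers following the link see one vocabulary.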
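Review bot: in the doc/sphinx/arm/security.rst hunk, the sentence the patch rewrites still ends its daemon list with ":iscman:`kea-ctrl-agent`. in Kea 2.7.9 release.", which leaves a stray period mid-sentence, no "and" before the last daemon, and a missing article. Since the paragraph is already being reworded and rewrapped here, suggest fixing it in the same change, for example "... :iscman:`kea-dhcp-ddns` and :iscman:`kea-ctrl-agent` in the Kea 2.7.9 release."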