https://bugzilla.novell.com/show_bug.cgi?id=207322
Summary: seccheck improvements
Product: openSUSE 10.2
Version: Alpha 4 plus
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Other
AssignedTo: thomas@novell.com
ReportedBy: thomas@novell.com
QAContact: qa@suse.de
For me:
From: Michael James
To: suse-security@suse.com
Date: Thu, 21 Sep 2006 09:38:21 +1000
User-Agent: KMail/1.8
Subject: [suse-security] Improvements to seccheck
Who is looking after seccheck these days?
The header says:
Daily security check v2.0 by Marc Heuse
But I sent an email to him and it bounced. Has he moved on?
Here's what I am suggesting:
The seccheck scripts provide some interesting reading
for the systems administrator, pointers for tightening things etc.
But I get pages of false positives from the writeable,
executable, and suid parts of the script.
You see some partitions on my disks contain
regular rsync-ed backups of other machines,
including machines not under my control.
To protect my machine, backup partitions are mounted noexec,nosuid.
When your scripts get the list of mounts they take no account of this.
Would it be an improvement to split your $MNT list into 3?
Say: $MNT_WRITE $MNT_EXEC $MNT_SUID
This would allow the find to only be fired into
the branches of the filesystem where the permissions matter.
I'd be happy to work out and suggest some patches,
but if you think it better left simple, I won't bother you...
michaelj
--
Michael James michael.james@csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.