Bug ID 1132919
Summary seccheck systemd timers not started at system boot
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.1
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter d_werner@gmx.net
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

User-Agent:       Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101
Firefox/60.0
Build Identifier: 

Recently for Tumbleweed and Leap 15.1 the seccheck package was changed to use
systemd timers instead of cron.

Leap 15.1: rpm -q    seccheck 
seccheck-3.0-lp151.4.1.noarch

After installation the timers are all disabled even when before with cron jobs
the checks were activated and although /etc/sysconfig/seccheck contains
START_SECCHK="yes"

I think this should at least be documented so that users can activate them.
Somebody who installs this package probably wants them active.

As I want these checks to be executed I enabled and started the timers.

After the next boot the timers are still enabled, but they are not started:

systemctl status -l seccheck-{dai,week,month}ly.timer 
��� seccheck-daily.timer - Daily seccheck run
   Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled;
vendor preset: disabled)
   Active: inactive (dead)
  Trigger: n/a

��� seccheck-weekly.timer - Weekly seccheck run
   Loaded: loaded (/usr/lib/systemd/system/seccheck-weekly.timer; enabled;
vendor preset: disabled)
   Active: inactive (dead)
  Trigger: n/a

��� seccheck-monthly.timer - Monthly seccheck run
   Loaded: loaded (/usr/lib/systemd/system/seccheck-monthly.timer; enabled;
vendor preset: disabled)
   Active: inactive (dead)
  Trigger: n/a


Timers which are enabled should be started automatically during system startup
I think, e.g. the logrotate.timer is.

Reproducible: Always

Steps to Reproduce:
1.install the seccheck package (e.g. "zypper in seccheck")
2.activate the systemd timers: (systemctl enable 
seccheck-{dai,week,month}ly.timer)
3.verify the timers have correctly been enabled: systemctl status 
seccheck-{dai,week,month}ly.timer and check "enabled" state
4.reboot, check if the timers are Active, e.g.
wrong state:
��� seccheck-daily.timer - Daily seccheck run
   Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled;
vendor preset: disabled)
   Active: inactive (dead)
  Trigger: n/a

correct state would be:
��� seccheck-daily.timer - Daily seccheck run
   Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled;
vendor preset: disabled)
   Active: active (waiting) since Fri 2019-04-19 18:55:16 CEST; 8s ago
  Trigger: Sat 2019-04-20 00:00:00 CEST; 5h 4min left

Actual Results:  
the systemd seccheck related timers are inactive after boot although enabled

Expected Results:  
Timers should be active automatically after boot when enabled

You are receiving this mail because: