Bug ID 903989
Summary lynis permissions needs small changes.
Classification openSUSE
Product openSUSE Distribution
Version 13.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter roeland@linux-it.nl
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

I just installed lynis-1.6.2-1.2.noarch to assess the syate of my 13.2 setup.

It appears that the rpm content does not have correct permissions on some
files.

if I exec the first time:

taplop:~ # lynis -h
[!] Change file permissions of /usr/share/lynis/include/consts to 640.
    Command: chmod 640 /usr/share/lynis/include/consts
[!] Change file permissions of /usr/share/lynis/include/functions to 640.
    Command: chmod 640 /usr/share/lynis/include/functions


[X] Security check failed: See action above to correct this issue.
    Please change ownership and permissions of the related files and start
Lynis again.


taplop:~ # chmod 640 /usr/share/lynis/include/consts
taplop:~ # chmod 640 /usr/share/lynis/include/functions
taplop:~ # lynis -h
Fatal error: permissions of file /usr/share/lynis/include/parameters are not
strict enough. Access to 'other' should be denied or read-only.
taplop:~ # ls -l  /usr/share/lynis/include/parameters
-rwxr-xr-x 1 root root 5187 Oct  6 17:43 /usr/share/lynis/include/parameters
taplop:~ # chmod o-x /usr/share/lynis/include/parameters
taplop:~ # ls -l  /usr/share/lynis/include/parameters
-rwxr-xr-- 1 root root 5187 Oct  6 17:43 /usr/share/lynis/include/parameters


after this correction it works:


taplop:~ # lynis -h

[ Lynis 1.6.2 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2014 - Michael Boelen, http://cisofy.com
 Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  Scan options:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --pentest                     : Non-privileged scan (useful for pentest)
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light
backgrounds

  Misc options:
    --check-update                : Check for updates
    --debug                       : Debug logging to screen
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Enterprise options:
    --plugin-dir "<path">         : Define path of available plugins
    --upload                      : Upload data to central node

  See man page and documentation for all available options.

Exiting..

You are receiving this mail because: