[Bug 1150554] New: AUDIT-1: sarg: review of cron job file(s): /etc/cron.daily/suse.de-sarg, /etc/cron.monthly/suse.de-sarg, /etc/cron.weekly/suse.de-sarg
http://bugzilla.suse.com/show_bug.cgi?id=1150554

Bug ID: 1150554
Summary: AUDIT-1: sarg: review of cron job file(s): /etc/cron.daily/suse.de-sarg, /etc/cron.monthly/suse.de-sarg, /etc/cron.weekly/suse.de-sarg
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: jsegitz@suse.com, malte.kraus@suse.com, matthias.gerstner@suse.com, tabraham@suse.com
Blocks: 1150175
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1150175

As discussed in the proactive security team we want to restrict the installation of cron job files in the future. To achieve this we first need to cover the currently existing packages that do this.

sarg installs the following cron files:

- /etc/cron.daily/suse.de-sarg
- /etc/cron.monthly/suse.de-sarg
- /etc/cron.weekly/suse.de-sarg

They should be reviewed and whitelisted when all is well.

--
You are receiving this mail because:
You are on the CC list for the bug.
Matthias Gerstner <matthias.gerstner@suse.com> changed:

What                     Removed                              Added
----------------------------------------------------------------------------
Depends on                                                    1156643
Comment #1 is private    1                                    0
Group                    SUSE Security Internal, novellonly
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c3

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Still waiting for bug 1156643 to be fixed in Factory before a whitelisting can be made.
Bug 1150554 depends on bug 1156643, which changed state.

Bug 1156643 Summary: VUL-0: CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS vector
http://bugzilla.suse.com/show_bug.cgi?id=1156643

What          Removed        Added
----------------------------------------------------------------------------
Status        IN_PROGRESS    RESOLVED
Resolution    ---            FIXED
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What          Removed                   Added
----------------------------------------------------------------------------
Assignee      security-team@suse.de     tabraham@suse.com

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---

I still wanted to harden the way sarg is executed. The upstream author confirmed to me that the squid user is sufficient to run sarg. Therefore I'd like the merged and adjusted cron job script from attachment 824051 to be used before I whitelist this cron job. I created a submission sr#779928 that does this.
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c5

--- Comment #5 from Matthias Gerstner <matthias.gerstner@suse.com> ---

I have replaced the submission by sr#780202 in the meantime. In the original approach only the cron job dropped privileges. But this could have caused additional security issues when somebody calls sarg-reports a different way (e.g. manually on the command line). Therefore I've moved the privilege drop code into the sarg-reports script itself. It now drops privileges to the owner:group of the /srv/www/sarg directory. This also allows users to easily restore the original behaviour with sarg running as root, if desired for some reason.
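The privilege-drop scheme comment #5 describes (the script re-runs itself as the owner:group of /srv/www/sarg, so that running it by hand is no less safe than running it from cron, and a root-owned directory restores the old "sarg as root" behaviour) can be illustrated with the shell fragment below. This is an added example, not the sarg package's own sarg-reports script and not the contents of sr#780202: the function names, the SARG_WWW_DIR variable, the script name used in the final case statement and the choice of setpriv(1) from util-linux are assumptions of mine. It additionally refuses to trust a symlinked directory, because an owner check that follows a link is the same class of problem the /tmp/sarg bug above was about.

```shell
#!/bin/sh
# Added example, not the sarg package's sarg-reports script: drop root privileges
# to the owner:group of the report directory before doing any work, as comment #5
# describes. SARG_WWW_DIR, the function names and setpriv(1) are my assumptions.

SARG_WWW_DIR="${SARG_WWW_DIR:-/srv/www/sarg}"

# Print "user:group" owning the directory. Refuses symlinks: trusting the owner of
# whatever a link currently points to is the kind of race sarg had with /tmp/sarg.
dir_owner() {
    _d=$1
    if [ -L "$_d" ]; then
        echo "dir_owner: $_d is a symlink, refusing" >&2
        return 1
    fi
    if [ ! -d "$_d" ]; then
        echo "dir_owner: $_d is not a directory" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group size date name; fields 3 and 4 are owner and group.
    ls -ld "$_d" | awk '{ print $3 ":" $4 }'
}

# True (exit 0) when privileges must be dropped: we are root and the directory is
# not owned by root. A root-owned directory keeps sarg running as root, which is
# how an administrator restores the original behaviour if they really want it.
must_drop() {
    _owner=$1
    [ "$(id -u)" -eq 0 ] && [ "${_owner%%:*}" != "root" ]
}

# Re-execute the current script as the directory owner. setpriv sets real and
# effective uid/gid and initialises supplementary groups from the passwd entry;
# unlike su/sudo it sources no shell profile and passes argv through unchanged.
drop_to_dir_owner() {
    _owner=$(dir_owner "$SARG_WWW_DIR") || return 1
    if must_drop "$_owner"; then
        exec setpriv --reuid="${_owner%%:*}" --regid="${_owner#*:}" --init-groups -- "$0" "$@"
    fi
    return 0
}

# Everything after drop_to_dir_owner runs unprivileged (or as root only when the
# directory itself is root-owned).
main() {
    drop_to_dir_owner "$@" || exit 1
    echo "generating reports as $(id -un) (uid $(id -u)) into $SARG_WWW_DIR"
    # sarg -o "$SARG_WWW_DIR" ...   <- the real report run would go here
}

# Only run main when executed under the assumed script name, so the functions can
# be sourced and exercised on their own.
case "${0##*/}" in
    sarg-reports-example.sh) main "$@" ;;
esac
```

The decision to drop is made from the directory's ownership rather than from a hard-coded user, so a site that deliberately chowns /srv/www/sarg to another account gets that account, and a site that leaves it root-owned gets the old behaviour, which is the property comment #5 wanted to preserve.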
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c6

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What          Removed        Added
----------------------------------------------------------------------------
Status        IN_PROGRESS    RESOLVED
Resolution    ---            FIXED

--- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> ---

My submit request from comment 5 was accepted by now and I also submitted a whitelisting for the new cron job files and the privilege drop code. Therefore we can close this bug as FIXED.
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c7

--- Comment #7 from Thomas Abraham <tabraham@suse.com> ---

I got an email about sarg build failing in factory since March 19th. I'm assuming that they haven't been whitelisted yet? Log shows:

[ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.daily/suse.de-sarg
[ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.monthly/suse.de-sarg
[ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.weekly/suse.de-sarg
[ 30s] A cron job or cron job related file installed by this package changed
[ 30s] in content. Please open a bug report to request follow-up review of the
[ 30s] introduced changes by the security team. Please refer to
[ 30s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 30s] more information.
[ 30s]
[ 30s] (none): E: badness 30000 exceeds threshold 1000, aborting.
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c8

--- Comment #8 from Malte Kraus <malte.kraus@suse.com> ---

There's a whitelisting in place, but something about it is broken. I've opened https://github.com/openSUSE/rpmlint-security-whitelistings/issues/5 to track this.
http://bugzilla.suse.com/show_bug.cgi?id=1150554#c9

--- Comment #9 from Matthias Gerstner <matthias.gerstner@suse.com> ---

A fix is on the way via sr#790150 to Factory. Sorry for the inconvenience; it turned out test coverage was still not high enough for the new rpmlint check.