[Bug 1132919] New: seccheck systemd timers not started at system boot
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919

            Bug ID: 1132919
           Summary: seccheck systemd timers not started at system boot
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: d_werner@gmx.net
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
Build Identifier:

Recently, for Tumbleweed and Leap 15.1, the seccheck package was changed to use systemd timers instead of cron.

Leap 15.1:

  rpm -q seccheck
  seccheck-3.0-lp151.4.1.noarch

After installation the timers are all disabled, even though before, with cron jobs, the checks were activated, and although /etc/sysconfig/seccheck contains START_SECCHK="yes". I think this should at least be documented so that users can activate them. Somebody who installs this package probably wants them active.

As I want these checks to be executed, I enabled and started the timers. After the next boot the timers are still enabled, but they are not started:

  systemctl status -l seccheck-{dai,week,month}ly.timer
  ● seccheck-daily.timer - Daily seccheck run
     Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled; vendor preset: disabled)
     Active: inactive (dead)
    Trigger: n/a

  ● seccheck-weekly.timer - Weekly seccheck run
     Loaded: loaded (/usr/lib/systemd/system/seccheck-weekly.timer; enabled; vendor preset: disabled)
     Active: inactive (dead)
    Trigger: n/a

  ● seccheck-monthly.timer - Monthly seccheck run
     Loaded: loaded (/usr/lib/systemd/system/seccheck-monthly.timer; enabled; vendor preset: disabled)
     Active: inactive (dead)
    Trigger: n/a

Timers which are enabled should be started automatically during system startup, I think; e.g. the logrotate.timer is.

Reproducible: Always

Steps to Reproduce:
1. install the seccheck package (e.g. "zypper in seccheck")
2. activate the systemd timers: systemctl enable seccheck-{dai,week,month}ly.timer
3. verify the timers have correctly been enabled: systemctl status seccheck-{dai,week,month}ly.timer and check the "enabled" state
4. reboot, check if the timers are Active, e.g.

wrong state:

  ● seccheck-daily.timer - Daily seccheck run
     Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled; vendor preset: disabled)
     Active: inactive (dead)
    Trigger: n/a

correct state would be:

  ● seccheck-daily.timer - Daily seccheck run
     Loaded: loaded (/usr/lib/systemd/system/seccheck-daily.timer; enabled; vendor preset: disabled)
     Active: active (waiting) since Fri 2019-04-19 18:55:16 CEST; 8s ago
    Trigger: Sat 2019-04-20 00:00:00 CEST; 5h 4min left

Actual Results:
the systemd seccheck related timers are inactive after boot although enabled

Expected Results:
Timers should be active automatically after boot when enabled

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c2

--- Comment #2 from Dirk Weber <d_werner@gmx.net> ---
BTW: the current Tumbleweed package seccheck-3.0-16.1.noarch.rpm (Tumbleweed snapshot 20190428) has the same bug.

Additionally: the package description should also be updated, as the scripts are no longer started by cron:

  rpm -q --info -p seccheck-3.0-lp151.4.1.noarch.rpm
  ...
  Description : Regularly executable scripts (via cron) for checking the security of your system.
Ludwig Nussel <lnussel@suse.com> changed:

    Priority: P5 - None  ->  P3 - Medium
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c3

Alexander Bergmann <abergmann@suse.com> changed:

    CC: (none)  ->  abergmann@suse.com

--- Comment #3 from Alexander Bergmann <abergmann@suse.com> ---
Thanks Dirk, I will have a look at this problem and update the description.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c4

--- Comment #4 from Dirk Weber <d_werner@gmx.net> ---
Two more observations:

1) The seccheck-autologout.timer has the same bug; I did not notice it before:

  grep WantedBy /usr/lib/systemd/system/seccheck-autologout.timer
  WantedBy=seccheck-autologout.service

should also read

  WantedBy=timers.target

2) When you update the seccheck package, maybe you could also correct bug 985802 (the here document in security-control.sh for weekly and monthly mails uses spaces instead of tabs for indentation of the line 'From: $SECCHK_FROM', resulting in mail headers which are not properly recognized).
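An added illustration of the defect in comment 4 (this is example code, not from the bug report or the seccheck package): a small POSIX shell audit that parses the [Install] section of a .timer unit and flags any timer whose WantedBy does not include timers.target, since "systemctl enable" only links a timer into the target named there, and a timer wanted by its own service is never pulled in at boot. The two unit files it writes are constructed samples; only the WantedBy values and the daily timer's Description come from the report.

```shell
#!/bin/sh
# Added example: audit systemd .timer units for an [Install] section that
# actually hooks them into timers.target. Sample unit files are constructed
# here to mirror the faulty and the corrected configuration.

# check_timer_install FILE
#   Prints "ok" and returns 0 when the [Install] section's WantedBy
#   includes timers.target; otherwise prints "bad: WantedBy=<value>"
#   (or "<missing>" when no WantedBy is set) and returns 1.
check_timer_install() {
    wanted=$(awk '
        /^\[/ { in_install = ($0 == "[Install]"); next }
        in_install && sub(/^WantedBy=/, "") { v = v (v == "" ? "" : " ") $0 }
        END { print v }
    ' "$1")
    case " $wanted " in
        *" timers.target "*) echo "ok"; return 0 ;;
        *) echo "bad: WantedBy=${wanted:-<missing>}"; return 1 ;;
    esac
}

# write_sample_units DIR
#   Constructed units: the first reproduces the WantedBy defect quoted in
#   comment 4, the second the corrected form. [Timer] sections are omitted
#   because only [Install] matters for this check.
write_sample_units() {
    cat > "$1/seccheck-autologout.timer" <<'EOF'
[Unit]
Description=Autologout seccheck run (constructed sample)

[Install]
WantedBy=seccheck-autologout.service
EOF
    cat > "$1/seccheck-daily.timer" <<'EOF'
[Unit]
Description=Daily seccheck run

[Install]
WantedBy=timers.target
EOF
}

# Stand-alone run over the constructed units; a real audit would loop over
# /usr/lib/systemd/system/*.timer instead.
tmp=$(mktemp -d)
write_sample_units "$tmp"
for unit in "$tmp"/*.timer; do
    printf '%s: %s\n' "$(basename "$unit")" "$(check_timer_install "$unit")"
done
rm -rf "$tmp"
```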
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c5

--- Comment #5 from Dirk Weber <d_werner@gmx.net> ---
The seccheck package is broken in Tumbleweed ever since it was switched from cron to systemd timers in March 2019. There are several problems with this switch:

1. The timers are not enabled by default, and there is no hint that this has to be done by the user/administrator after the distribution update or after package installation.
2. Even if the timers are enabled manually they do not work, as the systemd timer configurations included in the package are faulty, which is the main issue of this bug report.

The faulty systemd timer configuration was then taken over to Leap 15.1.

The intention of the seccheck package is simple security checks for a system. Users could feel secure when they do not get mail notifications about changes on their system, but actually the checks are not executed at all because the timers do not trigger.

The bug was reported almost 6 months ago and before the final release of Leap 15.1. This is a security related package and the fix is actually quite simple; even patches are provided within this bug. Submit request 729253 to include the patches has been pending for roughly 1 month.

I would really appreciate it if there were some progress with this bug, even though I have already applied workarounds on the systems administered by me to enable the functionality.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c6

Dirk Weber <d_werner@gmx.net> changed:

    Severity: Normal  ->  Major

--- Comment #6 from Dirk Weber <d_werner@gmx.net> ---
I slowly got the impression that the seccheck package is unmaintained and deprecated and that I am its last user, but now I stumbled over https://documentation.suse.com/sles/15-SP1/pdf/book-hardening_color_en.pdf (Publication Date: November 25, 2019), which sort of recommends its usage.

Therefore I try to increase the severity, because according to my observations as documented in this very bugzilla it is just not working on Leap 15.1 and Tumbleweed, and if SUSE Linux Enterprise Server 15 SP1 uses the same package I am quite sure it is also not working there.

If a corrected version of the package exists for SUSE Linux Enterprise Server 15 SP1, it would be nice to get it also into Leap 15.1 and Tumbleweed.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c7

Dirk Weber <d_werner@gmx.net> changed:

    Status: NEW  ->  IN_PROGRESS

--- Comment #7 from Dirk Weber <d_werner@gmx.net> ---
This bug and bug 985802 were fixed in Tumbleweed with sr 759886, resulting in seccheck-3.0-17.1.noarch, which was included in snapshot 20191229.

Now this correction needs to be picked up for a maintenance update of Leap 15.1 (and SLE 15 SP1).
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c8

Dirk Weber <d_werner@gmx.net> changed:

    CC:    (none)  ->  maintenance@opensuse.org
    Flags: (none)  ->  needinfo?(maintenance@opensuse.org)

--- Comment #8 from Dirk Weber <d_werner@gmx.net> ---
As described in comment 7, the fix has landed in Tumbleweed. As the package in Leap originates from SLE, is it OK to submit the correction from Tumbleweed so the fix can land in Leap at least for 15.2? Also, a maintenance update for Leap 15.1 would make sense, I think. And the SLE counterparts...
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c9

Dirk Weber <d_werner@gmx.net> changed:

    CC:    (none)  ->  security-team@suse.de
    Flags: (none)  ->  needinfo?(security-team@suse.de)

--- Comment #9 from Dirk Weber <d_werner@gmx.net> ---
openSUSE Leap 15.2 entered Beta phase: https://lists.opensuse.org/opensuse-factory/2020-02/msg00429.html

It would be nice if the released version contained a seccheck package with working systemd timer configurations. This correction and others have been available in Tumbleweed for almost 2 months, see comment 7.
http://bugzilla.opensuse.org/show_bug.cgi?id=1132919#c13

Dirk Weber <d_werner@gmx.net> changed:

    Status:     IN_PROGRESS  ->  RESOLVED
    Resolution: ---          ->  FIXED

--- Comment #13 from Dirk Weber <d_werner@gmx.net> ---
Solved by https://build.opensuse.org/request/show/729253