[opensuse-security] seccheck: prune directories possible?
Hi everyone, I wonder if it is possible to make seccheck (on SLES 11/12) ignore some directories, like it is with the locate command. In /etc/sysconfig/locate, there are entries like UPDATEDB_PRUNEPATHS and UPDATEB_PRUNEFS, but I do not see anything like this in /etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on SLES 12. Reason for my question: seccheck runs here on a host that contains 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security" Mail size is 562 MB. This mail size causes an unfriednly, suspicious grin on the face of my mail admin... Regards, Werner --
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-12-01 07:59, Werner Flamme wrote:
Hi everyone,
I wonder if it is possible to make seccheck (on SLES 11/12) ignore some directories, like it is with the locate command.
In /etc/sysconfig/locate, there are entries like UPDATEDB_PRUNEPATHS and UPDATEB_PRUNEFS, but I do not see anything like this in /etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on SLES 12.
Reason for my question: seccheck runs here on a host that contains 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security" Mail size is 562 MB. This mail size causes an unfriednly, suspicious grin on the face of my mail admin...
LOL. :-) I don't have SLES, so I'm looking at my oS 13.1. Locate finds these files: /etc/cron.d/seccheck /etc/sysconfig/seccheck So there is a configuration file, but nothing in there that you can use for the purpose. In the "/usr/share/doc/packages/seccheck/README" there is a contact email, but I don't know if that person is still active. The cron job runs /usr/lib/secchk/security-control.sh, which in turn runs: security-daily.sh, security-monthly.sh, security-weekly.sh. A quick grep for "find" in the scripts locates it, in the weekly script, and a variable: ( nice -n 1 find $MNT -mount \( -perm -04000 -o -per... So the important thing to look for is that 'MNT'. It is created this way: # get the ext2 and reiserfs mount points MNT=`/bin/mount | grep -E "^/dev/" | cut -d' ' -f 3 | \ grep -v "/media" | xargs echo "/dev/"` What you wish would be adding a grep -v "/backups" or wherever after the one for /media. Here it produces: /dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ... I wonder about "/dev/" and "/". - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlR8ddIACgkQtTMYHG2NR9UvQgCffEGTy/hXVVRjQdLblNrE5O88 /bYAnj3OosdqitHcn2uEihl+H8yzD7qn =nUOr -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Carlos E. R. [01.12.2014 15:08]:
On 2014-12-01 07:59, Werner Flamme wrote:
Hi everyone,
I wonder if it is possible to make seccheck (on SLES 11/12) ignore some directories, like it is with the locate command.
In /etc/sysconfig/locate, there are entries like UPDATEDB_PRUNEPATHS and UPDATEB_PRUNEFS, but I do not see anything like this in /etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on SLES 12.
Reason for my question: seccheck runs here on a host that contains 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security" Mail size is 562 MB. This mail size causes an unfriednly, suspicious grin on the face of my mail admin...
LOL. :-)
Ha, you too ;) [...]
A quick grep for "find" in the scripts locates it, in the weekly script, and a variable:
( nice -n 1 find $MNT -mount \( -perm -04000 -o -per...
So the important thing to look for is that 'MNT'. It is created this way:
Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased. [..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/".
I sure want security checks in those places :) The part "/bin/mount | grep -E "^/dev/" | cut -d' ' -f 3" delivers all the mount points for the currently mounted filesystems. / is obviously mounted, 'xargs echo "/dev/"' adds the /dev/ entry :) Regards, Werner --
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-12-01 15:36, Werner Flamme wrote:
Carlos E. R. [01.12.2014 15:08]:
So the important thing to look for is that 'MNT'. It is created this way:
Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased.
You can wait months for an update with this modification. Even for next release cycle... You could add a cron job that emails you when the script has been replaced or modified, so that you can reconsider edit it back again. You can even email yourself the diff, and perhaps just replace with your copy. Or automatically undo the changes and store the update in quarantine, for your manual consideration. I don't think there are many upstream changes, though — at least, not on openSUSE. Maybe SLES is different :-? I don't see any other immediate solution for that grin ;-)
[..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/".
I sure want security checks in those places :)
Well, dev yes, but not root, because it is everything, including your backup. All the directories on the first level are printed in that command output, so "/" is not needed, unless it means just "/", not its directories.
The part "/bin/mount | grep -E "^/dev/" | cut -d' ' -f 3" delivers all the mount points for the currently mounted filesystems. / is obviously mounted, 'xargs echo "/dev/"' adds the /dev/ entry :)
Ah, right. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlR8g+cACgkQtTMYHG2NR9Wi3QCgkZxL0f8fI4hCcbs6UGsbNYKE 2noAnR/g8H/iSDxPQFSU2vocR/TbBtiO =65Iz -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Carlos E. R. [01.12.2014 16:06]:
On 2014-12-01 15:36, Werner Flamme wrote:
Carlos E. R. [01.12.2014 15:08]:
So the important thing to look for is that 'MNT'. It is created this way:
Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased.
You can wait months for an update with this modification. Even for next release cycle...
Depends. When I use the (newer) version from security repo, I'm in for a change every few days sometimes.
You could add a cron job that emails you when the script has been replaced or modified, so that you can reconsider edit it back again. You can even email yourself the diff, and perhaps just replace with your copy. Or automatically undo the changes and store the update in quarantine, for your manual consideration. I don't think there are many upstream changes, though — at least, not on openSUSE. Maybe SLES is different :-?
I don't see any other immediate solution for that grin ;-)
I try to think about something that will make manual interaction unneeded, until the changes are very incompatible...
[..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/".
I sure want security checks in those places :)
Well, dev yes, but not root, because it is everything, including your backup. All the directories on the first level are printed in that command output, so "/" is not needed, unless it means just "/", not its directories.
If / means everything, why would the script bother to find out about mountpoints at all? As you found out, $MNT is used by the "find" command with the option "-mount", which is explained on my manpage as "Don't descend directories on other filesystems.". That's why there is a need to discover mountpoints at all. Werner --
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-12-03 08:33, Werner Flamme wrote:
Carlos E. R. [01.12.2014 16:06]:
Depends. When I use the (newer) version from security repo, I'm in for a change every few days sometimes.
I see. Yes, that changes things. Then you do need to report in Bugzilla. At this moment it doesn't occur to me a change that could be generalized. However, is the script really changed that often? Make diffs and find out, perhaps it is not changed.
I try to think about something that will make manual interaction unneeded, until the changes are very incompatible...
The alternative is accepting huge emails. You will have to report in bugzilla, and wait. Meanwhile, you have to edit the file manually, or write a sed script in cron or somewhere that changes back the line in the weekly security script.
If / means everything, why would the script bother to find out about mountpoints at all?
True. That's what I don't understand.
As you found out, $MNT is used by the "find" command with the option "-mount", which is explained on my manpage as "Don't descend directories on other filesystems.". That's why there is a need to discover mountpoints at all.
Ah, I understand now. It is mountpoints, not directories. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlR/DOwACgkQtTMYHG2NR9UbCQCfQZoB93rVvY1EyvdsfNp+1LH6 xxIAoI5h1CvQn5t68mlpfApBC/YSb3ck =HxkR -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi, I'm the guy maintaining the seccheck. To prune directories would be nice, however we need a more generic solution. btw I pushed some changes as suggested in bnc#904544. They are waiting to be approved, but they should land in factory, 13.1, 13,2 and SLE-12. The upstream I'm maintaining here https://github.com/vpereira/seccheck. patches and git pulls are always welcome :) best regards, VP On 12/03/2014 08:33 AM, Werner Flamme wrote:
Carlos E. R. [01.12.2014 16:06]:
On 2014-12-01 15:36, Werner Flamme wrote:
Carlos E. R. [01.12.2014 15:08]:
So the important thing to look for is that 'MNT'. It is created this way: Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased. You can wait months for an update with this modification. Even for next release cycle... Depends. When I use the (newer) version from security repo, I'm in for a change every few days sometimes.
You could add a cron job that emails you when the script has been replaced or modified, so that you can reconsider edit it back again. You can even email yourself the diff, and perhaps just replace with your copy. Or automatically undo the changes and store the update in quarantine, for your manual consideration. I don't think there are many upstream changes, though — at least, not on openSUSE. Maybe SLES is different :-?
I don't see any other immediate solution for that grin ;-) I try to think about something that will make manual interaction unneeded, until the changes are very incompatible...
[..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/". I sure want security checks in those places :) Well, dev yes, but not root, because it is everything, including your backup. All the directories on the first level are printed in that command output, so "/" is not needed, unless it means just "/", not its directories. If / means everything, why would the script bother to find out about mountpoints at all?
As you found out, $MNT is used by the "find" command with the option "-mount", which is explained on my manpage as "Don't descend directories on other filesystems.". That's why there is a need to discover mountpoints at all.
Werner
-- Victor Pereira SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi Victor! The last update caused some new entries in "daily" checks, which seem to differ _every_ day ... - fs.dentry-state = 47926 35315 45 0 0 0 + fs.dentry-state = 69540 56902 45 0 0 0 - fs.file-nr = 1120 0 205530 - fs.inode-nr = 38051 344 - fs.inode-state = 38051 344 0 0 0 0 0 + fs.file-nr = 1248 0 205530 + fs.inode-nr = 50386 344 + fs.inode-state = 50386 344 0 0 0 0 0 - kernel.random.entropy_avail = 546 + kernel.random.entropy_avail = 752 - kernel.random.uuid = 31c93659-c328-43ca-a065-55cb6666e7d6 + kernel.random.uuid = 26ab78db-9963-4635-9962-2e80728b8c77 A filter would be good for that :) I'd also vote to filter specific directories out of seccheck's reach :) br, Markus On Dec 16, Victor Pereira <vpereira@suse.de> wrote:
Hi,
I'm the guy maintaining the seccheck.
To prune directories would be nice, however we need a more generic solution.
btw I pushed some changes as suggested in bnc#904544. They are waiting to be approved, but they should land in factory, 13.1, 13,2 and SLE-12.
The upstream I'm maintaining here https://github.com/vpereira/seccheck.
patches and git pulls are always welcome :)
best regards,
VP
On 12/03/2014 08:33 AM, Werner Flamme wrote:
Carlos E. R. [01.12.2014 16:06]:
On 2014-12-01 15:36, Werner Flamme wrote:
Carlos E. R. [01.12.2014 15:08]:
So the important thing to look for is that 'MNT'. It is created this way: Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased. You can wait months for an update with this modification. Even for next release cycle... Depends. When I use the (newer) version from security repo, I'm in for a change every few days sometimes.
You could add a cron job that emails you when the script has been replaced or modified, so that you can reconsider edit it back again. You can even email yourself the diff, and perhaps just replace with your copy. Or automatically undo the changes and store the update in quarantine, for your manual consideration. I don't think there are many upstream changes, though — at least, not on openSUSE. Maybe SLES is different :-?
I don't see any other immediate solution for that grin ;-) I try to think about something that will make manual interaction unneeded, until the changes are very incompatible...
[..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/". I sure want security checks in those places :) Well, dev yes, but not root, because it is everything, including your backup. All the directories on the first level are printed in that command output, so "/" is not needed, unless it means just "/", not its directories. If / means everything, why would the script bother to find out about mountpoints at all?
As you found out, $MNT is used by the "find" command with the option "-mount", which is explained on my manpage as "Don't descend directories on other filesystems.". That's why there is a need to discover mountpoints at all.
Werner
-- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus(at)gaugusch.at X Against HTML Mail / \
participants (4)
-
Carlos E. R. -
Markus Gaugusch -
Victor Pereira -
Werner Flamme