Hi, I'm the guy maintaining the seccheck. To prune directories would be nice, however we need a more generic solution. btw I pushed some changes as suggested in bnc#904544. They are waiting to be approved, but they should land in factory, 13.1, 13,2 and SLE-12. The upstream I'm maintaining here https://github.com/vpereira/seccheck. patches and git pulls are always welcome :) best regards, VP On 12/03/2014 08:33 AM, Werner Flamme wrote:
Carlos E. R. [01.12.2014 16:06]:
On 2014-12-01 15:36, Werner Flamme wrote:
Carlos E. R. [01.12.2014 15:08]:
So the important thing to look for is that 'MNT'. It is created this way: Yes, and so on, but I'd like not to modify the scripts themselves, since they are overwritten with every update of the package, even when it's caused by an automatic rebuild, and only the last cipher has increased. You can wait months for an update with this modification. Even for next release cycle... Depends. When I use the (newer) version from security repo, I'm in for a change every few days sometimes.
You could add a cron job that emails you when the script has been replaced or modified, so that you can reconsider edit it back again. You can even email yourself the diff, and perhaps just replace with your copy. Or automatically undo the changes and store the update in quarantine, for your manual consideration. I don't think there are many upstream changes, though — at least, not on openSUSE. Maybe SLES is different :-?
I don't see any other immediate solution for that grin ;-) I try to think about something that will make manual interaction unneeded, until the changes are very incompatible...
[..]
Here it produces:
/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware ...
I wonder about "/dev/" and "/". I sure want security checks in those places :) Well, dev yes, but not root, because it is everything, including your backup. All the directories on the first level are printed in that command output, so "/" is not needed, unless it means just "/", not its directories. If / means everything, why would the script bother to find out about mountpoints at all?
As you found out, $MNT is used by the "find" command with the option "-mount", which is explained on my manpage as "Don't descend directories on other filesystems.". That's why there is a need to discover mountpoints at all.
Werner
-- Victor Pereira SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org