seccheck: prune directories possible?


seccheck: prune directories possible?

Werner Flamme
Hi everyone,

I wonder if it is possible to make seccheck (on SLES 11/12) ignore some
directories, like it is with the locate command.

In /etc/sysconfig/locate, there are entries like UPDATEDB_PRUNEPATHS and
UPDATEB_PRUNEFS, but I do not see anything like this in
/etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on SLES 12.

Reason for my question: seccheck runs here on a host that contains 3
daily backups of 10+ SAP hosts, and the "Local Monthly Security" Mail
size is 562 MB. This mail size causes an unfriendly, suspicious grin on
the face of my mail admin...

Regards,
Werner


Re: seccheck: prune directories possible?

Carlos E. R.-3
On 2014-12-01 07:59, Werner Flamme wrote:

> Hi everyone,
>
> I wonder if it is possible to make seccheck (on SLES 11/12) ignore
> some directories, like it is with the locate command.
>
> In /etc/sysconfig/locate, there are entries like
> UPDATEDB_PRUNEPATHS and UPDATEB_PRUNEFS, but I do not see anything
> like this in /etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on
> SLES 12.
>
> Reason for my question: seccheck runs here on a host that contains
> 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security"
> Mail size is 562 MB. This mail size causes an unfriendly,
> suspicious grin on the face of my mail admin...

LOL. :-)

I don't have SLES, so I'm looking at my oS 13.1.

Locate finds these files:

/etc/cron.d/seccheck
/etc/sysconfig/seccheck


So there is a configuration file, but nothing in there that you can
use for the purpose. In the "/usr/share/doc/packages/seccheck/README"
there is a contact email, but I don't know if that person is still active.

The cron job runs /usr/lib/secchk/security-control.sh, which in turn
runs: security-daily.sh, security-monthly.sh, security-weekly.sh.

A quick grep for "find" in the scripts locates it, in the weekly
script, and a variable:

( nice -n 1 find $MNT -mount \( -perm -04000 -o -per...


So the important thing to look for is that 'MNT'. It is created this way:


# get the ext2 and reiserfs mount points
MNT=`/bin/mount | grep -E "^/dev/"  | cut -d' ' -f 3 | \
grep -v "/media" | xargs  echo "/dev/"`

What you wish for would be to add a grep -v "/backups", or wherever your
backups live, after the one for /media.

Here it produces:

/dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d
/data/storage_b /usr/src /usr/local /data/homedvl /data/vmware
...

I wonder about "/dev/" and "/".

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
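A worked version of that MNT pipeline with a prune list, added here as an example (it is not seccheck's code): it rebuilds the weekly script's mount-point list from constructed /bin/mount output and then drops every entry equal to or below a path in a hypothetical SECCHECK_PRUNEPATHS variable, which the real /etc/sysconfig/seccheck does not provide.

```shell
#!/bin/sh
# Added example, not seccheck's own code. Rebuilds the weekly script's
# MNT list from `/bin/mount` output, then drops every mount point that is
# equal to or below a prune path, as UPDATEDB_PRUNEPATHS does for locate.
# SECCHECK_PRUNEPATHS is a hypothetical setting assumed here; the real
# /etc/sysconfig/seccheck has no such variable.

# Constructed sample of `/bin/mount` output so the script runs offline.
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid)
/dev/sda2 on /usr type ext4 (rw,relatime)
/dev/sdb1 on /backups type xfs (rw,relatime)
/dev/sdb2 on /backups/sap type xfs (rw,relatime)
/dev/sdc1 on /media/usb type vfat (rw,nosuid)'

# The same pipeline the weekly script uses: device-backed mounts only,
# field 3 is the mount point, /media is dropped, "/dev/" is prepended.
seccheck_mnt() {
    printf '%s\n' "$1" | grep -E "^/dev/" | cut -d' ' -f 3 | \
        grep -v "/media" | xargs echo "/dev/"
}

# Remove from the MNT string ($1) every entry that equals one of the
# space-separated prune paths ($2) or lies underneath it.
prune_mnt() {
    _out=
    for _m in $1; do
        _keep=1
        for _p in $2; do
            case $_m in
                "$_p"|"$_p"/*) _keep=0 ;;
            esac
        done
        if [ "$_keep" -eq 1 ]; then
            _out="$_out $_m"
        fi
    done
    printf '%s' "${_out# }"
}

SECCHECK_PRUNEPATHS="/backups"          # hypothetical setting
MNT=$(seccheck_mnt "$SAMPLE_MOUNT")
echo "MNT as seccheck builds it: $MNT"
echo "MNT with prune list:       $(prune_mnt "$MNT" "$SECCHECK_PRUNEPATHS")"
```

Because find is run with -mount, pruning a mount point this way also skips every filesystem mounted below it, which is what a backup tree usually needs.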


Re: seccheck: prune directories possible?

Werner Flamme
Carlos E. R. [01.12.2014 15:08]:

> On 2014-12-01 07:59, Werner Flamme wrote:
>> Hi everyone,
>
>> I wonder if it is possible to make seccheck (on SLES 11/12) ignore
>> some directories, like it is with the locate command.
>
>> In /etc/sysconfig/locate, there are entries like
>> UPDATEDB_PRUNEPATHS and UPDATEB_PRUNEFS, but I do not see anything
>> like this in /etc/sysconfig/seccheck, neither on SLES 11 SP3 nor on
>> SLES 12.
>
>> Reason for my question: seccheck runs here on a host that contains
>> 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security"
>> Mail size is 562 MB. This mail size causes an unfriendly,
>> suspicious grin on the face of my mail admin...
>
> LOL. :-)
Ha, you too ;)


[...]

> A quick grep for "find" in the scripts locates it, in the weekly
> script, and a variable:
>
> ( nice -n 1 find $MNT -mount \( -perm -04000 -o -per...
>
>
> So the important thing to look for is that 'MNT'. It is created this way:

Yes, and so on, but I'd like not to modify the scripts themselves, since
they are overwritten with every update of the package, even when it's
caused by an automatic rebuild, and only the last cipher has increased.

[..]

> Here it produces:
>
> /dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d
> /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware
> ...
>
> I wonder about "/dev/" and "/".

I sure want security checks in those places :)

The part "/bin/mount | grep -E "^/dev/"  | cut -d' ' -f 3" delivers all
the mount points for the currently mounted filesystems. / is obviously
mounted, 'xargs  echo "/dev/"' adds the /dev/ entry :)

Regards,
Werner


Re: seccheck: prune directories possible?

Carlos E. R.-3
On 2014-12-01 15:36, Werner Flamme wrote:
> Carlos E. R. [01.12.2014 15:08]:


>> So the important thing to look for is that 'MNT'. It is created
>> this way:
>
> Yes, and so on, but I'd like not to modify the scripts themselves,
> since they are overwritten with every update of the package, even
> when it's caused by an automatic rebuild, and only the last cipher
> has increased.

You can wait months for an update with this modification. Even for
next release cycle...

You could add a cron job that emails you when the script has been
replaced or modified, so that you can reconsider editing it back again.
You can even email yourself the diff, and perhaps just replace with
your copy. Or automatically undo the changes and store the update in
quarantine, for your manual consideration. I don't think there are
many upstream changes, though — at least, not on openSUSE. Maybe SLES
is different :-?

I don't see any other immediate solution for that grin ;-)


> [..]
>
>> Here it produces:
>>
>> /dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d
>> /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware
>> ...
>>
>> I wonder about "/dev/" and "/".
>
> I sure want security checks in those places :)

Well, dev yes, but not root, because it is everything, including your
backup. All the directories on the first level are printed in that
command output, so "/" is not needed, unless it means just "/", not
its directories.

> The part "/bin/mount | grep -E "^/dev/"  | cut -d' ' -f 3" delivers
> all the mount points for the currently mounted filesystems. / is
> obviously mounted, 'xargs  echo "/dev/"' adds the /dev/ entry :)

Ah, right.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)

Re: seccheck: prune directories possible?

Werner Flamme
Carlos E. R. [01.12.2014 16:06]:

> On 2014-12-01 15:36, Werner Flamme wrote:
>> Carlos E. R. [01.12.2014 15:08]:
>
>
>>> So the important thing to look for is that 'MNT'. It is created
>>> this way:
>
>> Yes, and so on, but I'd like not to modify the scripts themselves,
>> since they are overwritten with every update of the package, even
>> when it's caused by an automatic rebuild, and only the last cipher
>> has increased.
>
> You can wait months for an update with this modification. Even for
> next release cycle...
Depends. When I use the (newer) version from security repo, I'm in for a
change every few days sometimes.

> You could add a cron job that emails you when the script has been
> replaced or modified, so that you can reconsider editing it back again.
> You can even email yourself the diff, and perhaps just replace with
> your copy. Or automatically undo the changes and store the update in
> quarantine, for your manual consideration. I don't think there are
> many upstream changes, though — at least, not on openSUSE. Maybe SLES
> is different :-?
>
> I don't see any other immediate solution for that grin ;-)

I try to think about something that will make manual interaction
unneeded, until the changes are very incompatible...

>> [..]
>
>>> Here it produces:
>>>
>>> /dev/ / /usr /boot /home /home_aux /home1 /opt /data/storage_d
>>> /data/storage_b /usr/src /usr/local /data/homedvl /data/vmware
>>> ...
>>>
>>> I wonder about "/dev/" and "/".
>
>> I sure want security checks in those places :)
>
> Well, dev yes, but not root, because it is everything, including your
> backup. All the directories on the first level are printed in that
> command output, so "/" is not needed, unless it means just "/", not
> its directories.
If / means everything, why would the script bother to find out about
mountpoints at all?

As you found out, $MNT is used by the "find" command with the option
"-mount", which is explained on my manpage as "Don't descend directories
on other filesystems.". That's why there is a need to discover
mountpoints at all.

Werner


Re: seccheck: prune directories possible?

Carlos E. R.-3
On 2014-12-03 08:33, Werner Flamme wrote:
> Carlos E. R. [01.12.2014 16:06]:


> Depends. When I use the (newer) version from security repo, I'm in
> for a change every few days sometimes.

I see. Yes, that changes things. Then you do need to report in
Bugzilla. At this moment no change that could be generalized occurs
to me.


However, is the script really changed that often? Make diffs and find
out, perhaps it is not changed.

> I try to think about something that will make manual interaction
> unneeded, until the changes are very incompatible...

The alternative is accepting huge emails. You will have to report in
bugzilla, and wait. Meanwhile, you have to edit the file manually, or
write a sed script in cron or somewhere that changes back the line in
the weekly security script.



> If / means everything, why would the script bother to find out
> about mountpoints at all?

True. That's what I don't understand.


> As you found out, $MNT is used by the "find" command with the
> option "-mount", which is explained on my manpage as "Don't descend
> directories on other filesystems.". That's why there is a need to
> discover mountpoints at all.

Ah, I understand now. It is mountpoints, not directories.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)

Re: seccheck: prune directories possible?

Victor Pereira
Hi,

I'm the guy maintaining the seccheck.

To prune directories would be nice, however we need a more generic solution.

btw I pushed some changes as suggested in bnc#904544. They are waiting
to be approved, but they should land in factory, 13.1, 13.2 and SLE-12.

The upstream I'm maintaining is here: https://github.com/vpereira/seccheck.

Patches and git pulls are always welcome :)

best regards,

VP


--
Victor Pereira

SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
21284 (AG Nürnberg)

Maxfeldstraße 5

90409 Nürnberg

Germany


Re: seccheck: prune directories possible?

Markus Gaugusch
Hi Victor!

The last update caused some new entries in "daily" checks, which seem to
differ _every_ day ...

- fs.dentry-state = 47926       35315   45      0       0       0
+ fs.dentry-state = 69540       56902   45      0       0       0
- fs.file-nr = 1120     0       205530
- fs.inode-nr = 38051   344
- fs.inode-state = 38051        344     0       0       0       0       0
+ fs.file-nr = 1248     0       205530
+ fs.inode-nr = 50386   344
+ fs.inode-state = 50386        344     0       0       0       0       0
- kernel.random.entropy_avail = 546
+ kernel.random.entropy_avail = 752
- kernel.random.uuid = 31c93659-c328-43ca-a065-55cb6666e7d6
+ kernel.random.uuid = 26ab78db-9963-4635-9962-2e80728b8c77

A filter would be good for that :)
I'd also vote to filter specific directories out of seccheck's reach :)

br,
Markus

--
__________________    /"\
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                       / \
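One way to filter that noise out of the daily report, as an added example (not part of seccheck or of this thread): a POSIX sh function that drops diff lines for a constructed list of sysctl keys that change on every run and keeps everything else, run here over a constructed copy of the diff above plus one real change.

```shell
#!/bin/sh
# Added example, not part of seccheck or this thread. Filters diff lines
# for sysctl keys whose values legitimately change between runs so that
# the daily report only shows settings that actually changed. The key
# list below is a constructed assumption based on the noise quoted above.
set -f   # no pathname expansion while splitting diff lines into fields

# Constructed copy of the noisy daily diff, plus one line pair that is a
# real change and must survive the filter.
SAMPLE_DIFF='- fs.dentry-state = 47926       35315   45      0       0       0
+ fs.dentry-state = 69540       56902   45      0       0       0
- fs.file-nr = 1120     0       205530
+ fs.file-nr = 1248     0       205530
- kernel.random.entropy_avail = 546
+ kernel.random.entropy_avail = 752
- kernel.random.uuid = 31c93659-c328-43ca-a065-55cb6666e7d6
+ kernel.random.uuid = 26ab78db-9963-4635-9962-2e80728b8c77
- kernel.randomize_va_space = 2
+ kernel.randomize_va_space = 0'

# Counters, entropy and the random uuid differ on every run by design.
VOLATILE_KEYS='fs.dentry-state fs.file-nr fs.inode-nr fs.inode-state
kernel.random.entropy_avail kernel.random.uuid'

# Print the diff lines ($1) whose sysctl key is not in VOLATILE_KEYS.
# Each line has the form "<sign> <key> = <value>", so the key is field 2.
filter_sysctl_diff() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $line
        key=$2
        skip=0
        for v in $VOLATILE_KEYS; do
            if [ "$key" = "$v" ]; then
                skip=1
            fi
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

echo "Daily sysctl diff without the volatile keys:"
filter_sysctl_diff "$SAMPLE_DIFF"
```

A pruned report still shows a change such as kernel.randomize_va_space flipping to 0, which is the kind of line the daily check exists to surface.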