[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)



Steve Greenland wrote:
> On 28-Dec-02, 14:54 (CST), Bob Proulx <bob@proulx.com> wrote: 
> > I was completely surpised to see that installing cron also installed
> > several scripts that served completely different agendas. 
> 
> What, besides checksecurity, are you thinking of here?

First let me say that I think we are in agreement.  Life is good.  Be
happy.  I am just responding to supply the requested information.

It surprised me since I found it by having a stale NFS mount.  It
eventually sent me email as output from the root cron script.  I
tracked it down and discovered /etc/cron.daily/standard and
checksecurity.  I think the 'df -P --type=ext2' printed it.  Probably
that should have a -l on it as well to ensure it is only looking at
the local disk and not any nfs mounted directories.

> I suppose the backups of /etc/{passwd,shadow,group,gshadow} and the
> dpkg status file could be put in basefiles and dpkg, but that would

Actually those backups are so trivial that they are of no matter.  I
would not give them any more thought.

> The check for files in lost+found is pretty trivial.

Agreed.  And perhaps a good reminder.  Again, don't worry too much
about this.

> So, while I might not choose to add these functions to a cron
> package I started from scratch, I don't see them as particular
> problems.

There are no particular problems in the above.  Just from a
modularity point of view they did not fit.

However, I was concerned about the full filesystem find of every
mounted filesystem.  My systems frequently have large amounts of data
mounted on them.  I would not want gratuitous finds running across
them if it is not needed.

On normal desktops or other small systems that is not a concern.  But
when there are terabytes of data with zillions of small files this can
take a long time to walk.  I see that /mnt is skipped.  And I also saw
that I can adjust CHECKSECURITY_FILTER and now that I know about this
it is not a concern.  I have adjusted it to disable this feature from
the disks I care about.  Which leaves the above checks of lost+found
and passwd et al which have a possibility of being both trivial and
useful.  The concern was that I was not expecting these just by having
cron and especially not the full filesystem walk of my huge
filesystems.

Also, if one blocks everything from CHECKSECURITY_FILTER then find
would seem to search everything instead of nothing in the find
command.  So one must be sure to leave at least something trivial in
the list, such as /boot.  I think that is arguably a bug and I will
file a BTS on it.

Bob

Attachment: pgpumqLQx5evd.pgp
Description: PGP signature


Reply to: