
Questions



Hello, I am trying to harden my Debian server.

I use yasat to perform some «stupid» checks.

#yasat -f

In the «Check system rights» part, on Debian, I have some WARNING and BAD statuses.

First:
331 files have invalid others rights in /boot                  [ WARNING ]  Do a chmod o-rxw <i>name_of_the_file</i>
Right of /boot: 755                                            [ BAD ]

I use a fully (except boot (ext2)) encrypted LVM «hard drive». (I haven’t
tried the grub2 full-encryption beta option.)
I understand the security implications of wrong rights. Is there a real
risk with wrong rights on /boot? Why are they not set by default? Does it
prevent some things from working?

Pretty much the same question for the other rights warnings:
/etc/shadow is not 600 root root                                 [ WARNING ]
/etc/gshadow is not 400 root root                                [ WARNING ]

and for a bunch of cron files :

8 files have invalid others rights in /etc/cron.d              [ WARNING ]  Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/cron.d: 755                                      [ BAD ]

Same for hourly/daily/weekly/monthly.

And for services like:
Checking /etc/apache2                                          [ INFO ]
170 files have invalid others rights in /etc/apache2           [ WARNING ]  Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/apache2: 755                                     [ BAD ]

Checking /etc/mysql                                            [ INFO ]
12 files have invalid others rights in /etc/mysql              [ WARNING ]  Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/mysql: 755                                       [ BAD ]

/etc/sysctl.conf is not 640 root root                           [ WARNING ]
/etc/logrotate.conf is not 640 root root                       [ WARNING ]
/etc/crontab is not 640 root root                                [ WARNING ]

/var/log/faillog is not 600 root root                            [ WARNING ]
/var/log/mysql is not 750 mysql mysql                            [ WARNING ]

  Checking /var/lib/mysql                                          [ INFO ]
    2 files have invalid others rights in /var/lib/mysql           [ WARNING ]  Do a chmod o-rxw <i>name_of_the_file</i>
    Right of /var/lib/mysql: 755                                   [ BAD ]
  Bad owner /var/lib/mysql (must be mysql)                         [ WARNING ]
    /var/lib/mysql/debian-10.1.flag                                [ root ]
    /var/lib/mysql/mysql_upgrade_info                              [ root ]
  Bad group /var/lib/mysql (must be mysql)                         [ WARNING ]
    /var/lib/mysql/debian-10.1.flag                                [ root ]
    /var/lib/mysql/mysql                                           [ root ]
    /var/lib/mysql/mysql_upgrade_info                              [ root ]


I want to understand all of these «warnings».
If they are false positives, maybe this part should be updated, because
it’s Debian-related?

Thx.
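
The two kinds of finding in the report above (entries with rights for others below a directory, and a file whose mode, owner and group differ from an expected triple) can be listed read-only before any chmod is applied. This is an added example, not part of the original message and not yasat's code; it assumes that "invalid others rights" means any r, w or x bit set for others, as the suggested chmod o-rxw implies.

```python
import grp
import os
import pwd
import stat


def _name(lookup, ident, field):
    """Resolve a uid/gid to a name, falling back to the number as text."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def describe(path):
    """Return (octal mode, owner, group) of path without following symlinks."""
    st = os.lstat(path)
    return (format(stat.S_IMODE(st.st_mode), "03o"),
            _name(pwd.getpwuid, st.st_uid, "pw_name"),
            _name(grp.getgrgid, st.st_gid, "gr_name"))


def other_rights(root):
    """Map every entry below root that grants r, w or x to others to its mode."""
    flagged = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced on Linux
            if st.st_mode & stat.S_IRWXO:
                flagged[path] = format(stat.S_IMODE(st.st_mode), "03o")
    return flagged


def differs(path, mode, owner, group):
    """Return the actual triple when it differs from the expected one, else None."""
    actual = describe(path)
    return None if actual == (mode, owner, group) else actual


if __name__ == "__main__":
    # Directories and expected values are the ones quoted in the report above.
    for root in ("/boot", "/etc/cron.d", "/etc/apache2", "/etc/mysql"):
        for path, mode in sorted(other_rights(root).items()):
            print(mode, path)
    for path, mode in (("/etc/shadow", "600"), ("/etc/gshadow", "400")):
        if os.path.lexists(path):
            print(path, "expected", mode, "root root; differs:",
                  differs(path, mode, "root", "root"))
```

Nothing is modified; the output is the list of paths a chmod o-rxw would touch, with their current modes.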

