Bugzilla – Bug 1150547
AUDIT-1: logwatch: review of cron job file(s): /etc/cron.d/dmeventd, /etc/cron.daily/0logwatch
Last modified: 2020-03-04 13:05:12 UTC
+++ This bug was initially created as a clone of Bug #1150175

As discussed in the proactive security team we want to restrict the installation of cron job files in the future. To achieve this we first need to cover the currently existing packages that do this.

logwatch installs cron files in:
- /etc/cron.d/dmeventd
- /etc/cron.daily/0logwatch

They should be reviewed and whitelisted when all is well.
logwatch runs a very complex ~2,000+ line Perl script as root via cron. It's difficult to completely audit it and I have a bad feeling running such a complex Perl script as root all the time. At least the temporary directory is safely placed within /var/cache/logwatch. Additional scripts from /usr/share/logwatch are also executed in the logwatch context. A more in-depth review may be required here.
The logwatch cron job was replaced in Factory by a systemd timer in the meantime. This means we won't require a whitelisting. We could still continue with the peer review given that the cron job is still in released Leap/SLE versions. I leave that up to Johannes to decide.
(In reply to Matthias Gerstner from comment #2)

Based on the other outstanding task I think it doesn't make sense to invest time here. We introduced this whitelist recently and a certain amount of old cruft will be unavoidable. I'll have a look at the cron jobs we actually keep.