Bug 1150547 - AUDIT-1: logwatch: review of cron job file(s): /etc/cron.d/dmeventd, /etc/cron.daily/0logwatch
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Priority: P5 - None, Severity: Normal
Assigned To: Johannes Segitz
Blocks: 1150175
Reported: 2019-09-12 11:57 UTC by Matthias Gerstner
Modified: 2020-03-04 13:05 UTC (History)
Description Matthias Gerstner 2019-09-12 11:57:05 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

logwatch installs cron files in:

- /etc/cron.d/dmeventd
- /etc/cron.daily/0logwatch

They should be reviewed and whitelisted when all is well.
Comment 1 Matthias Gerstner 2019-11-06 15:26:39 UTC
logwatch runs a very complex ~2.000 lines ++ perl script as root via cron.
It's difficult to completely audit it and I have a bad feeling running such a
complex perl script as root all the time.

At least the temporary directory is safely placed within /var/cache/logwatch.
Additional scripts from /usr/share/logwatch are also executed in the logwatch
context. A more in-depth review may be required here.
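A permissions check over the paths named in this report, as an added example that is not part of the original bug thread or of logwatch: it flags anything under those paths that is not owned by root or is group/world writable, since root executes or writes those files when the cron job fires. The function name `audit` and the `trusted_uid` parameter are assumptions made for this example.

```python
import os
import stat

# Paths named in this bug report; everything under them is executed as,
# or written by, root when the cron job fires.
LOGWATCH_PATHS = [
    "/etc/cron.d/dmeventd",
    "/etc/cron.daily/0logwatch",
    "/usr/share/logwatch",
    "/var/cache/logwatch",
]

def _entries(path):
    """Yield path itself and, for a real directory, everything below it."""
    yield path
    if os.path.isdir(path) and not os.path.islink(path):
        for root, dirs, files in os.walk(path):
            for name in dirs + files:
                yield os.path.join(root, name)

def audit(paths, trusted_uid=0):
    """Return sorted (path, problem) tuples for the given paths."""
    findings = set()
    for top in paths:
        if not os.path.lexists(top):
            findings.add((top, "not present"))
            continue
        for entry in _entries(top):
            try:
                # Follow symlinks: judge the file root will really open.
                st = os.stat(entry)
            except OSError:
                findings.add((entry, "dangling symlink"))
                continue
            if st.st_uid != trusted_uid:
                findings.add((entry, "owner uid %d" % st.st_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.add((entry, "group/world writable"))
    return sorted(findings)

if __name__ == "__main__":
    for path, problem in audit(LOGWATCH_PATHS):
        print("%s: %s" % (path, problem))
```

On a system where the cron job has been replaced by the systemd timer, the two cron paths are reported as "not present".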
Comment 2 Matthias Gerstner 2020-02-27 13:43:49 UTC
The logwatch cron job was replaced in Factory by a systemd timer in the
meantime. This means we won't require a whitelisting. We could still continue
with the peer review given that the cron is still in released Leap/SLE
versions. I leave that up to Johannes to decide.
Comment 3 Johannes Segitz 2020-03-04 13:05:12 UTC
(In reply to Matthias Gerstner from comment #2)
Based on the other outstanding task I think it doesn't make sense to invest time here. We introduced this whitelist recently and a certain amount of old cruft will be unavoidable. I'll have a look at the cron jobs we actually keep