Bug 1150549 - AUDIT-1: munin: review of cron job file(s): /etc/cron.d/munin
AUDIT-1: munin: review of cron job file(s): /etc/cron.d/munin
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
:
Depends on:
Blocks: 1150175
  Show dependency treegraph
 
Reported: 2019-09-12 11:59 UTC by Matthias Gerstner
Modified: 2019-12-05 11:09 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2019-09-12 11:59:00 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

munin installs a cron file in /etc/cron.d/munin. It should be reviewed and
whitelisted if all is well.
Comment 1 Wolfgang Rosenauer 2019-09-12 12:02:53 UTC
There is currently work in progress to move to a systemd timer. It is mainly blocked on the fact that the upgrade process is somewhat complicated. At least I'm not sure how to cover this nicely. (That's another topic though).
So what is the plan according to systemd timers? Would this one be obsolete in case we move?
Comment 2 Matthias Gerstner 2019-09-12 12:11:40 UTC
(In reply to wolfgang@rosenauer.org from comment #1)
> So what is the plan according to systemd timers? Would this one be obsolete
> in case we move?

At the moment we only want to cover cron jobs. systemd timers should currently
be subject to reviews only when they're enabled by default.

Technically we care only for cron jobs currently found in packages in
openSUSE:Factory. So if you remove yours it wouldn't be strictly necessary to
handle it. It will still make sense to have a look in case older products are
affected by a security issue.

We will need some time to process all the reviews for cron jobs anyways. Don't
worry, we will tell you when there's a problem and at the moment we don't
apply any restrictions.
Comment 3 Matthias Gerstner 2019-11-07 14:15:41 UTC
In Tumbleweed the cron job is indeed gone now. I've looked into Leap 15.1
where the cron job still exists. It calls a couple of munin perl scripts that
process pretty complex logic, too much too completely review it.

The good thing is that the cron job runs as the 'munin' user and all file
system operation seem to concentrate on directories owned by munin. I couldn't
find any /tmp races, symlink attacks or similar right away.
Comment 4 Matthias Gerstner 2019-12-05 11:09:10 UTC
Since the Factory package no longer ships the cron job and the older
codestreams look sufficiently sane we can close this bug. No whitelisting will
be necessary.