Bug 1150549 – AUDIT-1: munin: review of cron job file(s): /etc/cron.d/munin

Bug 1150549 - AUDIT-1: munin: review of cron job file(s): /etc/cron.d/munin


Summary:	AUDIT-1: munin: review of cron job file(s): /etc/cron.d/munin

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	1150175
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-12 11:59 UTC by Matthias Gerstner
Modified:	2019-12-05 11:09 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Gerstner 2019-09-12 11:59:00 UTC

+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

munin installs a cron file in /etc/cron.d/munin. It should be reviewed and
whitelisted if all is well.

Comment 1 Wolfgang Rosenauer 2019-09-12 12:02:53 UTC

There is currently work in progress to move to a systemd timer. It is mainly blocked on the fact that the upgrade process is somewhat complicated. At least I'm not sure how to cover this nicely. (That's another topic though).
So what is the plan according to systemd timers? Would this one be obsolete in case we move?

Comment 2 Matthias Gerstner 2019-09-12 12:11:40 UTC

(In reply to wolfgang@rosenauer.org from comment #1)
> So what is the plan according to systemd timers? Would this one be obsolete
> in case we move?

At the moment we only want to cover cron jobs. systemd timers should currently
be subject to reviews only when they're enabled by default.

Technically we care only for cron jobs currently found in packages in
openSUSE:Factory. So if you remove yours it wouldn't be strictly necessary to
handle it. It will still make sense to have a look in case older products are
affected by a security issue.

We will need some time to process all the reviews for cron jobs anyways. Don't
worry, we will tell you when there's a problem and at the moment we don't
apply any restrictions.

Comment 3 Matthias Gerstner 2019-11-07 14:15:41 UTC

In Tumbleweed the cron job is indeed gone now. I've looked into Leap 15.1
where the cron job still exists. It calls a couple of munin perl scripts that
process pretty complex logic, too much too completely review it.

The good thing is that the cron job runs as the 'munin' user and all file
system operation seem to concentrate on directories owned by munin. I couldn't
find any /tmp races, symlink attacks or similar right away.

Comment 4 Matthias Gerstner 2019-12-05 11:09:10 UTC

Since the Factory package no longer ships the cron job and the older
codestreams look sufficiently sane we can close this bug. No whitelisting will
be necessary.