Bug 1150557 - AUDIT-1: tmpwatch: review of cron job file(s): /etc/cron.daily/tmpwatch
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None, Normal
Target Milestone: ---
Assigned To: Malte Kraus
Blocks: 1150175
Reported: 2019-09-12 12:06 UTC by Matthias Gerstner
Modified: 2019-11-15 14:02 UTC

Description Matthias Gerstner 2019-09-12 12:06:28 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

tmpwatch installs a cron file in /etc/cron.daily/tmpwatch. It should be
reviewed and whitelisted if all is well.
Comment 1 Cristian Rodríguez 2019-09-12 13:17:48 UTC
The functionality of tmpwatch and more is provided by systemd-tmpfiles nowadays; you could also consider filing a drop request instead.
Comment 2 Matthias Gerstner 2019-09-12 13:22:14 UTC
(In reply to crrodriguez@opensuse.org from comment #1)
> The functionality of tmpwatch and more is provided by systemd-tmpfiles
> nowadays; you could also consider filing a drop request instead.

Thanks for the hint. We will consider it. A review makes sense anyways since
the package is still shipped with older products. It will take some time until
we manage to review all affected packages.
Comment 3 Malte Kraus 2019-11-15 14:02:33 UTC
The file-handling had me do a double-take, but it's safe after all. So this is fine.