Bug 1150559 - AUDIT-1: yum: review of cron job file(s): /etc/cron.daily/0yum.cron
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware/OS: Other / Other
Priority: P5 - None
Severity: Normal
Assigned To: Matthias Gerstner
Blocks: 1150175
Reported: 2019-09-12 12:08 UTC by Matthias Gerstner
Modified: 2019-12-05 12:48 UTC

Description Matthias Gerstner 2019-09-12 12:08:03 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

yum installs a cron file in /etc/cron.daily/0yum.cron. It should be reviewed
and whitelisted if all is well.
Comment 1 Tomáš Chvátal 2019-09-12 12:32:21 UTC
Does it make sense, since we hard-required migration to systemd timer services?

Looking at the cron script, it seems pretty useless and could be removed from this package.
Comment 2 Matthias Gerstner 2019-09-12 13:14:22 UTC
(In reply to tchvatal@suse.com from comment #1)
> Does it make sense, since we hard-required migration to systemd timer services?
> 
> Looking at the cron script, it seems pretty useless and could be removed from this package.

When you want to remove it, we're happy. No cron job is always more secure than
anything else.

We should still keep the bug open to have a quick look at it in case older
releases are affected by anything. It will take a while until we cover all
reviews since there's a larger number of packages we'll need to look into.
Comment 3 Tomáš Chvátal 2019-11-15 12:14:28 UTC
Just FYI, I checked how we use yum.

We have it as a dep for createrepo, which should be replaced by createrepo_c.

As such it might make sense to just remove createrepo and yum completely from the distribution and be done with it.
Comment 4 Matthias Gerstner 2019-11-15 14:04:48 UTC
It looks like the cron job doesn't work on any of our maintained codestreams
of yum. These are the first lines of the script:

```
# Exit silently unless the enable flag (normally created by an init script) exists
if [ ! -f /var/lock/subsys/yum-cron ]; then
  exit 0
fi
```

I couldn't find any trace on SLE-12-SP4 of the init script that creates this
file. Maybe I'm missing something else, but as far as I can see there's no
canonical way to enable the cron job in the first place.

If this is the case, and since you want to remove yum and/or the cron job
anyways, I can skip an in-depth review of the cron job's security. I'd like to
ask you to simply remove the cron job from the packaging in openSUSE:Factory,
or remove yum from openSUSE:Factory, whichever is quicker for you.
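The check described in comment 4 (a cron job that exits early unless an enable flag under /var/lock/subsys exists) can be verified mechanically instead of by reading each script. The following POSIX shell helper is an added example for reviewers; it is not part of the yum package or of this bug report. It assumes the guard is written in the `[ ! -f /var/lock/subsys/NAME ]` form quoted above (other guard styles are not detected), and the optional root-directory argument exists only so the check can run offline against a constructed copy of the script.

```shell
#!/bin/sh
# Added example (not from the bug report or the yum package): given a cron job
# script, list the /var/lock/subsys/* enable flags it guards on and report
# whether the job would actually do anything on this system.
# Assumption: guards use the "[ ! -f /var/lock/subsys/NAME ]" pattern.

# Print the lock-file paths a cron script guards on, one per line, deduplicated.
cron_guard_files() {
  grep -o '/var/lock/subsys/[A-Za-z0-9._-]*' "$1" | sort -u
}

# Return 0 if every guard file exists (the job runs), 1 if any is missing
# (the job exits at its guard). $2 optionally prefixes the root directory so
# the check can be exercised offline against a temporary tree.
cron_job_enabled() {
  script="$1"
  root="${2:-}"
  guards=$(cron_guard_files "$script")
  [ -n "$guards" ] || return 0   # no guard at all: job runs unconditionally
  for f in $guards; do
    [ -f "$root$f" ] || return 1
  done
  return 0
}

# Stand-alone demo on a constructed copy of the 0yum.cron header.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/0yum.cron" <<'EOF'
#!/bin/sh
if [ ! -f /var/lock/subsys/yum-cron ]; then
  exit 0
fi
echo "would run the daily yum work here"
EOF
  echo "guard files referenced by $tmp/0yum.cron:"
  cron_guard_files "$tmp/0yum.cron"
  if cron_job_enabled "$tmp/0yum.cron" "$tmp"; then
    echo "job is enabled"
  else
    echo "job is disabled: guard file missing, script exits immediately"
  fi
  rm -rf "$tmp"
}
```

Run `demo` to see the constructed script reported as disabled; on a real system, calling `cron_job_enabled /etc/cron.daily/0yum.cron` without the second argument checks the live /var/lock/subsys tree, which is the quick "does this job ever run?" question a reviewer wants answered before spending time on the script body.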
Comment 5 Matthias Gerstner 2019-12-05 12:48:02 UTC
Yum seems to have been removed from Factory. Therefore no whitelisting will
become necessary. Old codestreams are dysfunctional cron-job-wise. So nothing
to worry about.