Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2022-02-04 21:49:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Fri Feb 4 21:49:27 2022 rev:50 rq:951577 version:3.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2022-01-20 00:13:14.114622796 +0100 +++ /work/SRC/openSUSE:Factory/.lynis.new.1898/lynis.changes 2022-02-04 21:52:49.414975360 +0100 @@ -1,0 +2,6 @@ +Fri Feb 4 10:08:03 UTC 2022 - Robert Frohl <[email protected]> + +- cover /usr/etc/security/limits.conf too (boo#1194446) + added additional_paths_security-limits.patch + +------------------------------------------------------------------- New: ---- additional_paths_security-limits.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.SYNdQt/_old 2022-02-04 21:52:50.014971233 +0100 +++ /var/tmp/diff_new_pack.SYNdQt/_new 2022-02-04 21:52:50.018971205 +0100 @@ -51,6 +51,8 @@ Patch5: %{name}_1.3.6_include-osdetection.diff # https://github.com/CISOfy/lynis/pull/1215 Patch6: additional_module_blacklist_locations.patch +# https://github.com/CISOfy/lynis/issues/1264 +Patch7: additional_paths_security-limits.patch BuildRequires: gcc-c++ BuildRequires: libxml2-devel Requires: bash @@ -78,6 +80,7 @@ %patch2 %patch5 %patch6 -p1 +%patch7 -p1 %build ++++++ additional_paths_security-limits.patch ++++++ commit 14fd7dabc8537922543147d280158cab5735ef3e Author: Robert Frohl <[email protected]> Date: Fri Feb 4 13:41:31 2022 +0100 [KRNL-5820] additional path for security/limits.conf Changes the user facing output to display a full path, allowing the user to better grasp which security/limits.conf file is affected. fix issue #1264 diff --git a/include/tests_kernel b/include/tests_kernel index c197798..52d72f8 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -532,62 +532,67 @@ fi fi # Limits option - LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" - if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then - LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" - # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. - FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + ROOTDIR_BACKUP=$ROOTDIR + for ALTERNATIVE_DIR in "/usr/" "/"; do + ROOTDIR=$ALTERNATIVE_DIR + LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" + if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then + LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" + LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" + # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. + FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) - # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. - if [ "${FIND3}" = "core dumps disabled" ]; then - FIND1="soft core disabled" - FIND2="hard core disabled" - elif [ "${FIND3}" = "core dumps enabled" ]; then - FIND1="soft core enabled" - FIND2="hard core enabled" - fi + # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. + if [ "${FIND3}" = "core dumps disabled" ]; then + FIND1="soft core disabled" + FIND2="hard core disabled" + elif [ "${FIND3}" = "core dumps enabled" ]; then + FIND1="soft core enabled" + FIND2="hard core enabled" + fi - IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - if [ "${FIND2}" = "hard core disabled" ]; then - LogText "Result: core dumps are hard disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" - if [ "${FIND1}" = "soft core disabled" ]; then - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + if [ "${FIND2}" = "hard core disabled" ]; then + LogText "Result: core dumps are hard disabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" + if [ "${FIND1}" = "soft core disabled" ]; then + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + else + Display --indent 4 --text "- 'soft' config in ${ROOTDIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + fi + AddHP 3 3 + elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps (soft and hard) are enabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" + AddHP 0 3 + elif [ "${FIND1}" = "soft core disabled" ]; then + LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + AddHP 2 3 + elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + AddHP 0 3 else - Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + LogText "Result: core dumps are not explicitly disabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" + AddHP 1 3 fi - AddHP 3 3 - elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps (soft and hard) are enabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" - AddHP 0 3 - elif [ "${FIND1}" = "soft core disabled" ]; then - LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" - AddHP 2 3 - elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - AddHP 0 3 else - LogText "Result: core dumps are not explicitly disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" - AddHP 1 3 + LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" fi - else - LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" - fi + done + ROOTDIR=$ROOTDIR_BACKUP # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable"
