Your message dated Mon, 28 Oct 2024 13:56:52 +0100
with message-id <[email protected]>
and subject line Done: #692590 cfengine3: file_changes wrongly reports new
setuid root progams
has caused the Debian Bug report #692590,
regarding cfengine3: file_changes wrongly reports new setuid root progams
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
692590: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cfengine3
Version: 3.0.5+dfsg-1
Severity: important
In order to track whether or not a setuid root program is "new", cfengine3
writes a list of these files to /var/lib/cfengine3/cfagent.HOSTNAME.log.

The first problem I encountered is that cfengine3 does not create this file
if it does not exist, leading to the following error message:

cf_ds_ajlc_waterloo_on_ca__1352259918_Tue_Nov__6_22_45_18_2012__b73fe8d0: !!
Can no longer access file /var/lib/cfengine3/cfagent.ds.log, which needed
editing!

If I create this file, I run into the second problem, which is that if you do a
files_changed check on more than one directory, the file is overwritten for
each directory. So if I run files_changed on /sbin and /usr/sbin, when it
scans /sbin, cfagent.HOSTNAME.log contains all the suid files in /sbin, then
when it runs on /usr/sbin, none of the suid files match, it complains about
them, and overwrites the file with all the suid files in /usr/sbin. So on the
next run, when it scans /sbin, none of the files match, it overwrites the
file, .....

Basically, the check for new suid files is useless, since they will all be
reported as new every time.

Here's the bundle that does this. I also turn on file_changes reports in the
control bundle, but I don't have setuid turned on.

################################################
# Manage tripwire functionality
################################################
# $Id: tripwire.cf,v 1.3 2012-11-07 03:51:09 ajlill Exp $
bundle agent tripwire {
  vars:
    "ordinary" slist => {
      "/boot",
      "/bin",
      "/sbin",
      "/usr/bin",
      "/usr/sbin",
      "/lib",
      "/usr/lib"
    };
    "homedirs" slist => readstringlist("/etc/passwd","#",":",1000,100000);

  files:
    "$(sys.workdir)/cfagent.$(sys.host).log"
      comment => "Work around a bug in debian package",
      perms => mo("600","root"),
      create => true;

    tripwire::
      "/etc"
        changes => lay_a_tripwire,
        depth_search => recurse("inf"),
        file_select => exclude_active_etc,
        action => measure("/etc");

      "$(homedirs)/.ssh"
        changes => lay_a_tripwire,
        depth_search => recurse("1"),
        file_select => authorized_keys,
        action => measure("$(this.promiser)");

      "$(ordinary)"
        changes => lay_a_tripwire,
        depth_search => recurse("inf"),
        file_select => exclude_cfsaved,
        action => measure("$(this.promiser)");
}

body file_select exclude_cfsaved {
  leaf_name => {
    ".*\.cfsaved",
    ".*~",
    "#.*"
  };
  file_result => "!leaf_name";
}

body file_select exclude_active_etc {
  leaf_name => {
    ".*.cf",
    "mtab",
    ".*\.cfsaved",
    "\.depend\..*",
    "adjtime",
    ".*~",
    "#.*"
  };
  file_result => "!leaf_name";
}

body file_select authorized_keys {
  leaf_name => {
    "authorized_keys",
    "authorized_keys2"
  };
  file_result => "leaf_name";
}

body action measure(dir)
{
  measurement_class => "Detect Changes in $(dir)";
  ifelapsed => "240"; # 4 hours
  expireafter => "240"; # 4 hours
}

body changes lay_a_tripwire
{
  hash => "md5";
  report_changes => "content";
  updatetrp::
    update_hashes => "yes";
}

# $Log: tripwire.cf,v $
# Revision 1.3 2012-11-07 03:51:09 ajlill
# Find a better way to check homedirectories, try a workaround to setuid
# whining
#
# Revision 1.2 2012-11-06 01:07:42 ajlill
# Extend tripwire to all directories
#
# Revision 1.1 2012-11-05 21:28:27 ajlill
# Add tripwire
#

-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.37.1 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages cfengine3 depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8o-4squeeze13 SSL shared libraries
cfengine3 recommends no packages.
cfengine3 suggests no packages.
-- Configuration Files:
/etc/default/cfengine3 changed:
RUN_CFMONITORD=1
RUN_CFSERVERD=0
RUN_CFEXECD=1
CFMONITORD_OPTS=""
CFSERVERD_OPTS=""
CFEXECD_OPTS=""
-- no debconf information
--- End Message ---
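
Added illustration (not part of the original report, and not CFEngine source): a small Python model of the behaviour the reporter describes, where the list of known setuid files is rewritten for each scanned directory, next to a variant that accumulates the list across directories. The directory contents are constructed, and the merged variant is an assumption about how such a list could be kept, not the change that closed this bug.

```python
# Model of the setuid tracking described in the report above.
# Added example; all paths below are constructed sample data.

# Constructed sample: setuid root files found under each scanned directory.
SETUID_FILES = {
    "/sbin": ["/sbin/mount.nfs", "/sbin/unix_chkpwd"],
    "/usr/sbin": ["/usr/sbin/exim4", "/usr/sbin/pppd"],
}


def run_overwrite(state, tree):
    """One agent run where the known-file list is rewritten per directory."""
    reported = []
    for directory in sorted(tree):
        found = tree[directory]
        reported += [f for f in found if f not in state]
        state = set(found)  # entries from earlier directories are lost
    return reported, state


def run_merge(state, tree):
    """One agent run where the known-file list accumulates (assumed variant)."""
    reported = []
    for directory in sorted(tree):
        found = tree[directory]
        reported += [f for f in found if f not in state]
        state = state | set(found)  # keep what earlier directories recorded
    return reported, state


def simulate(run, tree, runs=3):
    """Return how many files are reported as new on each successive run."""
    state, counts = set(), []
    for _ in range(runs):
        reported, state = run(state, tree)
        counts.append(len(reported))
    return counts


if __name__ == "__main__":
    print("overwrite per directory:  ", simulate(run_overwrite, SETUID_FILES))
    print("merged across directories:", simulate(run_merge, SETUID_FILES))
```

With the per-directory overwrite, every setuid file is reported again on every run, so a genuinely new one is indistinguishable from the rest; with the accumulated list, only files added since the previous run are reported.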
--- Begin Message ---
Version: 3.15.2-3
Since we switched from using our patch to the upstream FHS compliance
configure flag, this should be solved.
--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
OpenPGP-Fingerprint: DF01 2247 BFC6
5501 AFF2 8445 0C24 B841 C7DD BAAF
--- End Message ---