Package: checksecurity
Version: 2.0.14
Severity: wishlist
Tags: patch
The package description for checksecurity is in need of some work.
< Description: basic system security checks
Good so far!
< Checksecurity does some very basic system security checks, such as
< looking for changes in which programs have setuid permissions, and that
< remote filesystems are not allowed to have runnable setuid programs.
"Such as (1) Xing and (2) that Ys are not Z" is ungrammatical. But
don't give examples anyway - the set of scripts is short and stable,
so why not just list them?
< .
< Note that these are not to be considered in any way complete, and
< you should not rely on checksecurity to actually provide any useful
< information concerning the security or vulnerability of your system.
This undersells the package to the point of making it sound completely
pointless - what's the good of installing it if it can't provide *any*
useful information?
< .
< The lockfile-progs package is only a "Suggests" because of the poor
< way that dselect handles "Recommends", but I do strongly suggest that
< you install it; it prevents /etc/cron.daily/standard from running multiple
< times if something gets jammed.
This is thick with cobwebs:
* dselect bug #6394 was closed a decade ago;
* by which time dselect itself was already largely irrelevant;
* /etc/cron.daily/standard was never in this package;
* indeed, /etc/cron.daily/standard is no longer in *any* package;
* there's no need to install lockfile-progs just to get file locking
when there's a /usr/bin/flock in (Essential) util-linux;
* besides, /usr/sbin/checksecurity is a Perl script and could simply
include calls to flock()!
In fact this description is so out of date that I worry whether fixing
it might give readers a false impression about how well-maintained
the package is...
< .
< Checksecurity was previously part of the cron package.
So many releases ago that there's really no point mentioning it.
My suggested rewrite:
> Description: basic system security checks
> Checksecurity can do some very basic system security checks:
> .
> * check-diskfree - scans for mounted filesystems nearing capacity;
> * check-passwd - scans for empty or duplicate system accounts;
> * check-setuid - scans for insecurely mounted remote file systems,
> and tracks changes in setuid programs;
> * check-sockets - tracks changes in open ports.
> .
> Be aware that this is no substitute for a full security auditing and
> integrity checking system.
> .
> Installing the suggested package lockfile-progs can help to prevent
> the cron jobs running multiple times if something gets jammed.
--
JBR
Ankh kak! (Ancient Egyptian blessing)
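As an added illustration of the point above that a Perl script such as /usr/sbin/checksecurity could take the lock itself with flock() instead of depending on lockfile-progs (example code, not part of this report or of the checksecurity package; the lock file path is an assumption):

```perl
#!/usr/bin/perl
# Added example: take an exclusive, non-blocking flock() on a lock file so
# that a second cron-driven run exits instead of piling up behind a jammed
# earlier one. A kernel flock is dropped automatically when the process
# exits, so a crash never leaves a stale lock behind.
use strict;
use warnings;
use Fcntl qw(:flock);

# Assumed path for this example; a real script would use /run or /var/lock.
my $lockfile = '/tmp/checksecurity-example.lock';

# Returns a filehandle holding the lock, or undef if another instance
# already holds it. Keep the handle in scope for as long as the lock
# must be held; closing it releases the lock.
sub acquire_lock {
    my ($path) = @_;
    open(my $fh, '>>', $path) or die "cannot open $path: $!";
    unless (flock($fh, LOCK_EX | LOCK_NB)) {
        close($fh);
        return undef;
    }
    return $fh;
}

my $lock = acquire_lock($lockfile);
if (!defined $lock) {
    print "another run is still in progress, exiting\n";
    exit 0;    # benign overlap: exit 0 so cron does not mail an error
}

# ... the real checks (check-setuid, check-sockets, ...) would run here ...
print "lock held, running checks\n";

# Demonstrate the guard: a child that opens the lock file afresh while we
# still hold the lock gets a separate open file description and is refused.
my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {
    my $again = acquire_lock($lockfile);
    print defined($again) ? "child: unexpectedly got the lock\n"
                          : "child: lock is busy, as expected\n";
    exit 0;
}
waitpid($pid, 0);
close($lock);    # releases the lock for the next scheduled run
```

Running it prints "lock held, running checks" followed by "child: lock is busy, as expected".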
diff -ru checksecurity-2.0.14.pristine/debian/control checksecurity-2.0.14/debian/control
--- checksecurity-2.0.14.pristine/debian/control 2010-10-27 22:44:37.000000000 +0100
+++ checksecurity-2.0.14/debian/control 2012-09-18 20:47:50.992411365 +0100
@@ -12,19 +12,17 @@
Suggests: apt-watch | cron-apt, lockfile-progs
Conflicts: lockfile-progs (<< 0.1.7)
Replaces: cron
-Provides:
Description: basic system security checks
- Checksecurity does some very basic system security checks, such as
- looking for changes in which programs have setuid permissions, and that
- remote filesystems are not allowed to have runnable setuid programs.
+ Checksecurity can do some very basic system security checks:
.
- Note that these are not to be considered in any way complete, and
- you should not rely on checksecurity to actually provide any useful
- information concerning the security or vulnerability of your system.
+ * check-diskfree - scans for mounted filesystems nearing capacity;
+ * check-passwd - scans for empty or duplicate system accounts;
+ * check-setuid - scans for insecurely mounted remote file systems,
+ and tracks changes in setuid programs;
+ * check-sockets - tracks changes in open ports.
.
- The lockfile-progs package is only a "Suggests" because of the poor
- way that dselect handles "Recommends", but I do strongly suggest that
- you install it; it prevents /etc/cron.daily/standard from running multiple
- times if something gets jammed.
+ Be aware that this is no substitute for a full security auditing and
+ integrity checking system.
.
- Checksecurity was previously part of the cron package.
+ Installing the suggested package lockfile-progs can help to prevent
+ the cron jobs from running multiple times if something gets jammed.
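Review bot: The hunk also deletes the empty `-Provides:` field, a change the report's discussion of the description never mentions; if that removal is intended it deserves a sentence in the report or a changelog entry, otherwise drop it so the patch stays limited to the Description. Two smaller points in the new text: "mounted filesystems" in the check-diskfree line and "remote file systems" in the check-setuid line should spell the word the same way, and the final paragraph reads "from running multiple times" here while the rewrite quoted in the mail body omits "from", so the two copies should be brought into line.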