Hello community,

here is the log from the commit of package rpmlint-mini for openSUSE:Factory checked in at 2019-12-16 15:19:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpmlint-mini (Old)
 and      /work/SRC/openSUSE:Factory/.rpmlint-mini.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint-mini" Mon Dec 16 15:19:06 2019 rev:95 rq:756805 version:1.10 Changes: -------- --- /work/SRC/openSUSE:Factory/rpmlint-mini/rpmlint-mini.changes 2019-12-11 12:04:44.400750074 +0100 +++ /work/SRC/openSUSE:Factory/.rpmlint-mini.new.4691/rpmlint-mini.changes 2019-12-16 15:19:07.583170201 +0100 @@ -0,0 +1,6 @@ +Tue Dec 10 14:50:26 UTC 2019 - matthias.gerst...@suse.com + +- Update to version master: + * add _servicedata which I forgot previously when adding the new + rpmlnit-security-whitelistings. + @@ -12 +17,0 @@ - New: ---- _servicedata ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _servicedata ++++++ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/rpmlint-security-whitelistings</param> <param name="changesrevision">17823647a36e556ed27d389e9293900c370ca0d7</param></service></servicedata>++++++ rpmlint-security-whitelistings-master.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/README.md new/rpmlint-security-whitelistings-master/README.md --- old/rpmlint-security-whitelistings-master/README.md 2019-11-19 13:00:51.000000000 +0100 +++ new/rpmlint-security-whitelistings-master/README.md 2019-11-22 15:12:53.000000000 +0100 @@ -7,7 +7,7 @@ team](https://www.suse.com/support/security/). This repository here is used to administer whitelisting information consumed -by the rpmlint-mini package to actually implement whitelisting restriction on +by the rpmlint-mini package to actually implement whitelisting restrictions on certain packaging features. The maintainer of this repository is the SUSE [security 
@@ -22,27 +22,73 @@ explicit "comment" field is supported for each audit entry. Most of the whitelisting files should be self-explanatory by looking at them. -For each package and whitelisted file a single entry is present in the -whitelist. To be extra prudent the whitelisting usually also checks file -contents by keeping tracking of the sha256 digests of the whitelisted files. -If the content changes then a follow-up review by the security team becomes -necessary. Therefore a list of related audits is maintained for each -whitelisting entry complete with Bugzilla reference, file digest and an -optional whitelisting comment. - -Since in some cases the cron job file is only a small wrapper around the -actual program, the whitelisting format also supports a `related` dictionary -for each audit entry. This can list additional files that are related to the -whitelisting and which should be checked for changes. +For each package a single entry is present in the whitelist. To be extra +prudent the whitelisting usually also checks file contents by keeping track of +the sha256 digests of the whitelisted files. If the packaged file content +changes then a follow-up review by the security team becomes necessary. +Therefore a list of related audits is maintained for each whitelisting entry +complete with Bugzilla reference, file digests and an optional whitelisting +comment. Types of Whitelistings ---------------------- -=== Cron Jobs +### Cron Jobs The file `cron-whitelist.json` contains whitelisting entries for files installed in one of the directories in /etc/cron.{d,daily,hourly,montly,weekly}. -Cron jobs often run as the `root` user and efault-enabled cron jobs are high +Cron jobs often run as the `root` user and default-enabled cron jobs are high risk candidates for security issues. Therefore the security team puts restrictions on the introduction of new cron jobs or changes to existing cron jobs. 
+ +Whitelisting Examples +--------------------- + +In the following example, comment lines introduced with '#' are embedded for +being able to more easily document the data structure. The actual JSON format +does *not* support such comments, however. + +<pre> +{ + # the package name + "atop-daemon": { + + # a dictionary containing all the audits and related + # whitelistings done so far + "audits": { + + # the key is the SUSE Bugzilla bug number where the # Audit of the + # package's security features has been performed. + # The value is another dictionary. + "bsc#1150533": { + + # This comment is for documentation purposes and is not + # further used in whitelisting checks. + "comment": "Performs maintenance and (re)starting of the atop daemon", + + # This contains another dictionary listing the files for which + # restrictions apply. The whitelisting restriction is not + # limited to the file causing the whitelisting check to + # trigger in the first place (like a cron job) but may also + # list related files that are involved and may cause security + # issues. + "digests": { + + # the keys are the absolute file paths # that are subject + # of the whitelisting + # + # the values are of the form <alg>:<digest>, where <alg> + # is a hash algorithm supported by the Python hashlib. 
+ "/etc/cron.d/atop": "sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430" + + # it is also possible to explicitly whitelist a file with + # arbirary content for special cases where the content of + # the whitelisted file isn't fixed for some reason + "/usr/share/atop/atop.daily": "skip:<none>", + } + } + } + } +} +</pre> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/cron-whitelist.json new/rpmlint-security-whitelistings-master/cron-whitelist.json --- old/rpmlint-security-whitelistings-master/cron-whitelist.json 2019-11-19 13:00:51.000000000 +0100 +++ new/rpmlint-security-whitelistings-master/cron-whitelist.json 2019-11-22 15:12:53.000000000 +0100 @@ -1,16 +1,13 @@ -[ - { - "package": "atop-daemon", - "path": "/etc/cron.d/atop", - "audits": [ - { - "bug": "bsc#1150533", +{ + "atop-daemon": { + "audits": { + "bsc#1150533": { "comment": "Performs maintenance and (re)starting of the atop daemon", - "digest": "sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430", - "related": { - "/usr/share/atop/atop.daily": "sha256:298a6e86b0862a1f2492b11b3af327850ba8c58232ef99753e8c6606548aa5cd" + "digests": { + "/usr/share/atop/atop.daily": "sha256:298a6e86b0862a1f2492b11b3af327850ba8c58232ef99753e8c6606548aa5cd", + "/etc/cron.d/atop": "sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430" } } - ] + } } -] +}
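Review bot: the new rpmlint-mini.changes entry misspells the repository name as `rpmlnit-security-whitelistings`; the `_servicedata` added in the same submission points at `https://github.com/openSUSE/rpmlint-security-whitelistings`, so the entry should read `rpmlint-security-whitelistings`.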
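Review bot: in the README.md hunk at `@@ -22,27 +22,73 @@` the new "Whitelisting Examples" JSON does not parse even after the `#` comment lines are stripped, which is what the surrounding text invites the reader to do: the `"/etc/cron.d/atop": "sha256:..."` entry is missing the comma before the following `"/usr/share/atop/atop.daily"` entry, and `"skip:<none>",` carries a trailing comma before the closing brace. Please make the example valid JSON once comments are removed, and fix `arbirary` in the same comment. Two further points in this hunk: the unchanged context line still spells `/etc/cron.{d,daily,hourly,montly,weekly}` with `montly` instead of `monthly`, and the comment describing `<alg>:<digest>` as "a hash algorithm supported by the Python hashlib" would also admit md5 and sha1; since the whole point of the digests is that a changed cron job forces a re-review, the README should require sha256 or stronger. Finally, the `skip:<none>` escape hatch switches off exactly that content check, so the text should say that a `skip` entry is expected to carry a `comment` justifying why the file's content cannot be pinned, so reviewers can recognise it as a standing exception rather than an oversight.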
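Review bot: the cron-whitelist.json hunk changes the file's top-level structure from a list of objects with `package` and `path` keys to a dictionary keyed by package name, and folds the former `related` entries into `digests`, yet the rpmlint-mini.changes entry for this submission mentions only `_servicedata`. Whichever rpmlint check consumes this file has to be updated in lockstep, so the format break should be named in the changelog. Note also that with the dedicated `path` key gone, the cron job file (`/etc/cron.d/atop`) is now distinguishable from its related file (`/usr/share/atop/atop.daily`) only by its path, so the consumer must match the triggering file against the `digests` keys rather than against an explicit field; the README hunk in this same tarball should state that every file that triggers the check must appear as a `digests` key.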