Bug 165311
| Summary: | Review Request: Tiger, security auditing on UNIX systems | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aurelien Bompard <gauret> |
| Component: | Package Review | Assignee: | Hans de Goede <hdegoede> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | fedora-package-review, hdegoede, joost.soeterbroek, oliver |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.nongnu.org/tiger/ | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-05-20 08:07:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 163779 | | |
Description
Aurelien Bompard
2005-08-07 16:32:16 UTC
Seems fine to me.

Does that mean you approve the package? If so please change the blocker bug to FE-ACCEPT (bug 163779).

I would suppose the comment was about the procedure you suggested. This seems like it would be best discussed on fedora-devel or fedora-extras list in order to fine tune the default configuration.

Not a review, but to attempt to restart discussion/interest. :)

Package:
- Builds ok on current devel

Error messages from tiger:

```
12:03> Checking password files...
/bin/sort: invalid option -- 3
Try `/bin/sort --help' for more information.
12:03> Checking group files...
/bin/sort: invalid option -- 3
Try `/bin/sort --help' for more information.
12:07> Checking for indications of break-in...
/usr/bin/tail: cannot open `+2' for reading: No such file or directory
```

Does the tiger.ignore file allow comments? If so, perhaps you could comment why each thing should be ignored? I.e., something like:

```
# Fedora uses a "mail" group to allow some access to /var/spool/mail.
Login ID mail's home directory \(/var/spool/mail\) has group `mail' write access.
```

Is the package still being maintained? I don't see much activity on its web site (no mailing list posts this year), etc. Or is development taking place only in Debian?

This sounds like an interesting package, I might be willing to help / do a review. Can you for starters post a version which works on current FC-5 / has the sort errors fixed.

Thanks for your help both of you. I'll fix the sort problem so you can give it a try.

Changing back to FE-NEW. Jochen, the review hasn't started yet; to quote Keven: "Not a review" and me "might be willing to do a review", so no review has been started yet. I saw your mail to f-e-list that you're going to do this to other bugs too, please don't unless the review has really started. Also see the assigned field.

Spec: http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM: http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-1.src.rpm

I've fixed the command options which caused problems on FC5, and added comments to tiger.ignore. The Debian package changelog has "updated to CVS" entries, so I guess upstream is still active (or Debian has taken over upstream).

Spec: http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM: http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-2.src.rpm

I've fixed the command options which caused problems on FC5, and added comments to tiger.ignore. The Debian package changelog has "updated to CVS" entries, so I guess upstream is still active (or Debian has taken over upstream).

Not an official review, but some comments:

1) Some suspicious errors during the %install phase:

```
Copying miscellaneous dirs...
tar: ./check.d/README.doc: Cannot open: Permission denied
tar: Error exit delayed from previous errors
tar: ./html/integrit.html.doc: Cannot open: Permission denied
tar: ./html/ndd.html.doc: Cannot open: Permission denied
tar: ./html/ssh.html.doc: Cannot open: Permission denied
tar: ./html/aide.html.doc: Cannot open: Permission denied
tar: ./html/rootkit.html.doc: Cannot open: Permission denied
tar: Error exit delayed from previous errors
tar: ./systems/Linux/2/check_xinetd.scripts: Cannot open: Permission denied
tar: Error exit delayed from previous errors
Copying miscellaneous files...
Copying scripts...
sed: can't read ./systems/Linux/2/check_xinetd.scripts: Permission denied
Copying platform scripts...
cp: cannot open `./systems/Linux/2/check_xinetd.scripts' for reading: Permission denied
```

2) In /usr/lib/tiger/systems/Linux/2/ some files have an equivalent ending in .orig or .old which are probably backups left during development. I suggest not to package these files:

```
[joost@alexandria SPECS]$ rpm -qil tiger | grep orig
/usr/lib/tiger/systems/Linux/2/check_listeningprocs.orig
/usr/lib/tiger/systems/Linux/2/gen_passwd_sets.orig
[joost@alexandria SPECS]$ rpm -qil tiger | grep old
/usr/lib/tiger/systems/Linux/0/gen_cron.old
/usr/lib/tiger/systems/Linux/2/services.old
```

3) In /usr/lib/tiger/systems/Linux/2/ most files have an equivalent ending in .scripts which are clearly leftovers from an earlier stage of development and left abandoned in 2003. The equivalent files without the .scripts extension all have inline comments dated 2005. I suggest not to package these .scripts files also, unless there is a reason for these that I don't understand.

4) rpmlint errors and warnings:

```
[joost@alexandria SPECS]$ rpmlint /home/joost/Development/rpm/RPMS/i386/tiger-3.2.1-2.i386.rpm
W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
W: tiger conffile-without-noreplace-flag /etc/tiger/cronrc
W: tiger conffile-without-noreplace-flag /etc/tiger/tiger.ignore
W: tiger conffile-without-noreplace-flag /etc/tiger/tigerrc
E: tiger zero-length /usr/lib/tiger/systems/default/suid_list
E: tiger non-readable /etc/tiger/tigerrc 0640
E: tiger non-readable /etc/tiger/tiger.ignore 0600
E: tiger non-standard-dir-perm /var/log/tiger 0700
W: tiger file-not-utf8 /usr/share/man/man8/tiger.8.gz
E: tiger non-readable /etc/tiger/cronrc 0640
W: tiger symlink-should-be-relative /usr/lib/tiger/tigexp /usr/sbin/tigexp
E: tiger non-standard-dir-perm /etc/tiger 0700
E: tiger zero-length /usr/lib/tiger/systems/default/rel_file_exp_list
E: tiger zero-length /usr/lib/tiger/systems/Linux/2/rel_file_exp_list
E: tiger non-standard-dir-perm /var/run/tiger/work 0700
E: tiger zero-length /usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
E: tiger script-without-shellbang /usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
W: tiger devel-file-in-non-devel-package /usr/lib/tiger/version.h
W: tiger log-files-without-logrotate /var/log/tiger
```

Hope this is helpful.

> Hope this is helpful

Extremely useful, thanks a lot.

```
* Sat Apr 22 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-3
- don't backup some patches, or the files will be copied in the buildroot
- set conf files to noreplace
- fix manpage encoding
```

Spec: http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM: http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-3.src.rpm

(1) and (3) are fixed by not making backups for some patches.
(2) is fixed by removing the files in %prep.
(4) rpmlint:

> W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
> W: tiger conffile-without-noreplace-flag /etc/tiger/tiger.ignore
> W: tiger conffile-without-noreplace-flag /etc/tiger/tigerrc

Fixed.

> W: tiger conffile-without-noreplace-flag /etc/tiger/cronrc

This one is not supposed to be customized, so I leave it as %config only.

> E: tiger non-readable /etc/tiger/tigerrc 0640
> E: tiger non-readable /etc/tiger/tiger.ignore 0600
> E: tiger non-standard-dir-perm /var/log/tiger 0700
> E: tiger non-readable /etc/tiger/cronrc 0640
> E: tiger non-standard-dir-perm /etc/tiger 0700
> E: tiger non-standard-dir-perm /var/run/tiger/work 0700
> E: tiger zero-length /usr/lib/tiger/systems/default/suid_list
> E: tiger zero-length /usr/lib/tiger/systems/default/rel_file_exp_list
> E: tiger zero-length /usr/lib/tiger/systems/Linux/2/rel_file_exp_list

Intended.

> W: tiger file-not-utf8 /usr/share/man/man8/tiger.8.gz

Fixed.

> W: tiger symlink-should-be-relative /usr/lib/tiger/tigexp /usr/sbin/tigexp
> W: tiger devel-file-in-non-devel-package /usr/lib/tiger/version.h

Harmless.

> E: tiger zero-length /usr/lib/tiger/systems/Linux/2/check_xinetd.scripts
> E: tiger script-without-shellbang /usr/[...]/Linux/2/check_xinetd.scripts

Fixed by not backing up this patch.

> W: tiger log-files-without-logrotate /var/log/tiger

Tiger takes care of rotation by itself.

Thanks for your input.

I've built your SRPM and installed it on both FC-5 and devel and I must say I like it; it gives a few false positives that need fixing (but that's something which can be best done later, iow not a blocker for review and approval). And it indeed needs extending with some Fedora specific tests like rpm --verify -a and an SELinux label check, but in general it's a nice tool. As such I'm assigning this to me and going to do a review somewhere the next week; please let me know if you have / are planning on a newer version and if you rather would want that reviewed.

Thanks a lot for reviewing! I'm not planning on updating this package here unless a new upstream version comes out, which should not happen soon. This is the oldest open review request, I'm glad it comes to an end :)

MUST:
=====
* rpmlint output is:

```
W: tiger conffile-without-noreplace-flag /etc/cron.d/tiger
E: tiger non-standard-dir-perm /var/log/tiger 0700
E: tiger non-readable /etc/tiger/tigerrc 0640
E: tiger zero-length /usr/lib64/tiger/systems/default/suid_list
E: tiger non-readable /etc/tiger/cronrc 0640
E: tiger non-readable /etc/tiger/tiger.ignore 0600
E: tiger zero-length /usr/lib64/tiger/systems/Linux/2/rel_file_exp_list
E: tiger non-standard-dir-perm /var/run/tiger/work 0700
E: tiger non-standard-dir-perm /etc/tiger 0700
W: tiger symlink-should-be-relative /usr/lib64/tiger/tigexp /usr/sbin/tigexp
E: tiger zero-length /usr/lib64/tiger/systems/default/rel_file_exp_list
W: tiger devel-file-in-non-devel-package /usr/lib64/tiger/version.h
W: tiger log-files-without-logrotate /var/log/tiger
```

  Most of these are OK / have a good reason / intentional (also see previous comments), so they are OK. It would be nice if you could fix the symlink though, but that is not a blocker.
* Package and spec file named appropriately
* Packaged according to packaging guidelines
* License (GPL) ok but license file not included!
* spec file is legible and in Am. English.
* Source matches upstream
* Compiles and builds on devel-x86_64
* BR: ok
* No locales
* No shared libraries
* Not relocatable
* Package owns / or requires all dirs
* No duplicate files & Permissions ok
* %clean & macro usage OK
* Contains code only
* %doc does not affect runtime, and isn't large enough to warrant a sub package
* no -devel package needed, no libs / .la files.
* no gui -> no .desktop file required

MUST fix:
=========
* Include COPYING in %doc
* Does /usr/lib64/tiger/html actually get used during execution or are those just docs? If they are just docs the html dir should be under %doc instead of under /usr/lib64/tiger/
* Remove /usr/share/doc/tiger-3.2.1/tiger_logo*; these aren't docs nor are they used by any of the docs (no html docs there). If you decide to keep them someplace else (or if the moved html docs need them) remove the x permission bits.

Should fix:
===========
* Please remove the "Please adjust your %{_sysconfdir}/tiger/tigerrc before running." line from %description. Usage notes do not belong in %description. If you want to you can add this to README.fedora. I didn't modify tigerrc and it ran fine though.
* Move these 2 lines from %install to %prep, replacing buildroot with . :

```
#find $RPM_BUILD_ROOT -type d -name CVS | xargs -iX rm -rf "X"
find $RPM_BUILD_ROOT -type d -name CVS | xargs rm -rf
```

```
* Sat May 13 2006 Aurelien Bompard <gauret[AT]free.fr> 3.2.1-4
- include the COPYING file
- put HTML doc in %%doc
- drop useless logos
- fix %%description
- remove CVS dirs in %%prep
```

Spec: http://gauret.free.fr/fichiers/rpms/fedora/tiger.spec
SRPM: http://gauret.free.fr/fichiers/rpms/fedora/tiger-3.2.1-4.src.rpm

Thanks Hans.

All MUST and Should items fixed. Approved! And you're welcome :)
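The packaging fixes agreed on in this review (noreplace on the editable config files, plain %config on cronrc, the patch-backup and .orig/.old cleanup and the CVS pruning done in %prep instead of %install, COPYING and the html tree under %doc, a relative tigexp symlink, and the deliberately restrictive modes that rpmlint keeps flagging), collected into one spec fragment. This is an added illustration, not the tiger.spec linked above nor the package Fedora shipped: the Source0 URL, the patch name, the README file name, the install command and the macro choices are assumptions; only the paths and modes come from the rpmlint output in the thread.

```spec
# Added illustration of the review findings; not the tiger.spec from this bug.
# Paths and modes are those rpmlint reported in the thread. Source0, the patch
# name, README and the install command are assumptions made for the example.
Name:           tiger
Version:        3.2.1
Release:        4%{?dist}
Summary:        Security auditing on UNIX systems
License:        GPL
URL:            http://www.nongnu.org/tiger/
# Assumed location; the reviewed spec's real Source0 is not shown in the bug.
Source0:        http://www.nongnu.org/tiger/%{name}-%{version}.tar.gz
# Hypothetical patch carrying the sort/tail option fixes for FC5.
Patch0:         tiger-3.2.1-fc5-options.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root

%description
Tiger is a security auditing tool for UNIX systems.

%prep
%setup -q
# No "-b .scripts" / "-b .orig" here: a backup suffix leaves copies beside the
# patched scripts, and upstream's installer tars the whole tree into the
# buildroot, which is how check_xinetd.scripts ended up in the package.
%patch0 -p1
# Development leftovers shipped upstream (.orig/.old): drop them before anything
# is copied, rather than hunting them down in the buildroot afterwards.
find . -type f \( -name '*.orig' -o -name '*.old' \) -print0 | xargs -0 rm -f
# CVS directories pruned in the unpacked source (moved from %%install, with
# "." in place of $RPM_BUILD_ROOT).
find . -type d -name CVS -print0 | xargs -0 rm -rf

%build
# Tiger is shell scripts; nothing to compile.

%install
rm -rf $RPM_BUILD_ROOT
# Assumed interface: adjust to whatever upstream's install script accepts.
make install DESTDIR=$RPM_BUILD_ROOT TIGERHOME=%{_libdir}/tiger
# rpmlint reported the link as %%{_libdir}/tiger/tigexp -> /usr/sbin/tigexp;
# make it relative so it stays valid when the tree is inspected under a chroot
# or relocated.
ln -sf ../../sbin/tigexp $RPM_BUILD_ROOT%{_libdir}/tiger/tigexp
# The logos are neither docs nor referenced by the docs: do not package them.
rm -f $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-%{version}/tiger_logo*

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
# COPYING was the MUST item; the html tree is documentation, not runtime data.
%doc COPYING README html/
# noreplace: an update leaves the admin's file alone and drops the new one as
# .rpmnew. That matters most for tiger.ignore, which records the findings an
# admin has deliberately suppressed; silently replacing it would re-open or
# hide findings without anyone noticing.
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/tiger/tigerrc
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/tiger/tiger.ignore
%config(noreplace) %{_sysconfdir}/cron.d/tiger
# cronrc is not meant to be edited, so plain %%config: an update installs the
# new file and keeps a modified copy as .rpmsave.
%config %attr(0640,root,root) %{_sysconfdir}/tiger/cronrc
# 0700 on the config, report and work directories is intentional: audit reports
# and the suppression list are not for unprivileged users. Tiger rotates its own
# reports, so there is no logrotate snippet either.
%dir %attr(0700,root,root) %{_sysconfdir}/tiger
%dir %attr(0700,root,root) %{_localstatedir}/log/tiger
%dir %{_localstatedir}/run/tiger
%dir %attr(0700,root,root) %{_localstatedir}/run/tiger/work
%{_libdir}/tiger/
%{_sbindir}/tiger
%{_sbindir}/tigexp
%{_mandir}/man8/tiger.8*
```

With this layout rpmlint still prints the non-readable, non-standard-dir-perm, zero-length and log-files-without-logrotate lines seen in the thread; those are the intentional ones. The check worth repeating on every rebuild is `rpm -qp --dump tiger-*.rpm` over /etc/tiger and /var/log/tiger to confirm the 0600/0640/0700 modes did not drift back to defaults, since a later %files edit that drops an %attr would silently make the audit output world-readable.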