Bug 455654 - Review Request: pads - Passive Asset Detection System
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Peter Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-16 15:52 EDT by Steve Grubb
Modified: 2008-08-13 18:07 EDT
Last Closed: 2008-08-13 18:07:49 EDT
pvrabec: fedora-review+
kevin: fedora-cvs+


Description Steve Grubb 2008-07-16 15:52:21 EDT
Spec URL: http://people.redhat.com/sgrubb/files/pads.spec
SRPM URL: http://people.redhat.com/sgrubb/files/pads-1.2-1.fc9.src.rpm

Description: 
PADS is a libpcap based detection engine used to passively
detect network assets.  It is designed to complement IDS
technology by providing context to IDS alerts. When new assets
are found, it can send IDMEF alerts via prelude.
Comment 1 Steve Grubb 2008-08-07 10:33:39 EDT
The prelude setup for pads was added as step 13 on 
http://people.redhat.com/sgrubb/audit/prelude.txt
Comment 2 Peter Vrabec 2008-08-08 12:36:47 EDT
$ rpmlint pads-1.2-1.fc9.src.rpm
pads.src: W: strange-permission pads.init 0755
pads.src: W: strange-permission pads.sysconfig 0640

- pads.init and pads.sysconfig might be 0644


$ rpmlint /usr/src/redhat/RPMS/i386/pads-1.2-1.fc9.i386.rpm
pads.i386: E: non-readable /etc/sysconfig/pads 0640
pads.i386: W: non-conffile-in-etc /etc/pads-ether-codes
pads.i386: W: non-conffile-in-etc /etc/pads-signature-list
pads.i386: E: non-readable /etc/pads.conf 0640
pads.i386: W: incoherent-subsys /etc/rc.d/init.d/pads $prog
pads.i386: W: incoherent-subsys /etc/rc.d/init.d/pads $prog
1 packages and 0 specfiles checked; 2 errors, 4 warnings.

- is there a reason why not 0644 for /etc/sysconfig/pads and /etc/pads.conf
- incoherent-subsys? it doesn't seem to me. prog=pads
- non-conffile-in-etc - seems ok to me

Everything else is OK.
Comment 3 Steve Grubb 2008-08-08 14:47:52 EDT
>$ rpmlint pads-1.2-1.fc9.src.rpm
>pads.src: W: strange-permission pads.init 0755
>pads.src: W: strange-permission pads.sysconfig 0640
>
>- pads.init and pads.sysconfig might be 0644

These are just the src files. I can change them, but I generally make them what they would be when installed. I do set the permission explicitly on install so I can make these 644 if needed.


>$ rpmlint /usr/src/redhat/RPMS/i386/pads-1.2-1.fc9.i386.rpm
>pads.i386: E: non-readable /etc/sysconfig/pads 0640
>
>- is there a reason why not 0644 for /etc/sysconfig/pads and /etc/pads.conf

It can give out details that non-root users shouldn't see. You can specify what networks to listen to, what uid to run as, what config file to use. I generally believe this info is not required for someone that is not the admin.
Comment 4 Peter Vrabec 2008-08-12 06:26:10 EDT
Steve, change pads.init and pads.sysconfig permissions please. I don't consider it as a blocker, but it will make rpmlint more happy at least.

/etc/sysconfig/pads and /etc/pads.conf
$ pgrep pads and I know the user. I can also check which interface is in promisc. mode so I can assume, where is pads listening to. Personally, I feel that there are some more files in /etc that are readable by non root users, even though it is not needful. If you still stand for the 0640 go ahead, but I wouldn't like to do it until it is not necessary.
Comment 5 Steve Grubb 2008-08-12 08:36:53 EDT
New package uploaded. The permissions for the source files are fixed. I feel strongly that non-admin users should not be able to look at how IDS software is configured. If there are other packages with loose permissions, we will be fixing those at some point. :) Thanks.
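
A check for the file modes debated in comments 2 to 5, as an added example that is not part of the original thread or the pads package: it reports whether the two files rpmlint flagged grant any permission to "other". The function name and the ROOT prefix argument are assumptions, and GNU stat is required.

```shell
#!/bin/sh
# Added example (not from the review thread): flag config files whose mode
# grants any permission to "other". The paths are the two files rpmlint
# reported in this review; the function name and ROOT prefix are assumptions.
# Requires GNU stat (coreutils).

# audit_other_access ROOT FILE...
# Prints one status line per file; returns 0 if every file exists and has
# no "other" permission bits, 1 otherwise.
audit_other_access() {
    root=$1; shift
    rc=0
    for f in "$@"; do
        path="$root$f"
        if [ ! -e "$path" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")   # octal mode string, e.g. 640
        case $mode in
            *0) echo "OK $f mode=$mode" ;;           # last digit 0: nothing for "other"
            *)  echo "LOOSE $f mode=$mode"; rc=1 ;;  # any r/w/x bit set for "other"
        esac
    done
    return "$rc"
}

# Demo on a constructed tree so the script runs without pads installed.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig"
: > "$demo/etc/pads.conf";      chmod 0640 "$demo/etc/pads.conf"
: > "$demo/etc/sysconfig/pads"; chmod 0644 "$demo/etc/sysconfig/pads"
audit_other_access "$demo" /etc/pads.conf /etc/sysconfig/pads || echo "audit failed"
rm -rf "$demo"
```

Passing an empty string as ROOT checks the live filesystem instead of the constructed tree.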
Comment 6 Peter Vrabec 2008-08-12 09:12:15 EDT
OK, the package is APPROVED now.
Comment 7 Steve Grubb 2008-08-13 11:22:37 EDT
New Package CVS Request
=======================
Package Name: pads
Short Description: Passive Asset Detection System
Owners: sgrubb
Branches: F-9
InitialCC:
Cvsextras Commits: no
Comment 8 Kevin Fenzi 2008-08-13 13:23:45 EDT
cvs done. 

Why the cvsextras no?
Comment 9 Steve Grubb 2008-08-13 13:27:51 EDT
Thanks for taking care of cvs. pads is a security program that we've interfaced to IDS software. I was going to add other committers from the security team to help keep an eye on it.
Comment 10 Steve Grubb 2008-08-13 18:07:49 EDT
pads was built in rawhide...closing bug. Thanks for the review.
