DevHeads.net

Postings by Steve Grubb

Audit-3.0 pre-release coming to rawhide

Hello,

This is to let everyone know that audit-3.0 pre-release is coming to rawhide.
The big change that is prompting this email is that there is a config change
that people might need to be aware of. One of the improvements is to drop
audispd (realtime audit event dispatcher) and merge its functionality into
auditd. This will eliminate one source of overflow messages and decrease the
time from event occurrence to plugin seeing it.

Lots of permission denied activity

Hello,

I have been testing a new set of audit rules and have run across some
processes that are doing things that might need to be changed. Typically,
audit users expect a normally functioning system to not be noisy. There is a
requirement to audit failed file access due to permission denied. What I'm
finding is that two processes are generating tens of thousands of events
every day.

There is a /usr/libexec/tracker-extract process that searches my directories
about every 11 seconds. I can imagine on a laptop that would be a lot of disk
activity.

F27 strange rpmbuild failure

Hello,

I am building a package locally and ran across a failure that seems to be
unexplained.

R 3.4 update

Hello,

First, I appreciate the work that goes into maintaining the R ecosystem. But
there is now a problem that I don't think people would allow in other
languages. Namely, the recently pushed R-3.4 update breaks the whole world.
Something this disruptive usually has to wait for a new Fedora release to get
pushed out. I really think the same thing has to apply for R.

For example, when I run RStudio, I get:

R graphics engine version 12 is not supported by this version of RStudio. The
Plots tab will be disabled until a newer version of RStudio is installed.

PSA - Kontact is royally screwed up

Hello,

I wanted to mention to people that kontact is very broken and dangerous to
use. I have filed 5 or 6 upstream bugs about the many ways it's broken. It
constantly aborts, akonadi constantly segfaults, you have to reboot your
system because it dies holding a video driver mutex, it deletes email when you
click on them. And to top it off, yesterday it deleted 25,000+ emails from my
inbox. That is without me asking it to do anything. They did not go to trash,
they are just gone. This is a huge personal set back and Linux Security plans
will be affected by this loss.

Emails about new packages

Hello,

I have a package, suricata, that I maintain. I closely follow upstream. Somehow
I got signed up for a new package notification that I never asked for. It
sends emails like this:

A new version of "suricata" has been detected: "3.2.1" newer than "3.2",
packaged as "suricata"
https://release-monitoring.org/project/10925/

The 3.2.1 version is in koji, why was this email sent to bother me? At some
time in the past, I tracked it down and found a way to "turn this off". But
guess what? Now I get 2 emails.

Bodhi issue

Hello,

Yesterday I built a security update for the suricata package, 3.2.1-1:

https://koji.fedoraproject.org/koji/packageinfo?packageID=10021

Any time I try to create the bodhi new release, it finds an older build, 3.2-1.
Typing the version in causes it to say it can't find any package that matches
the query. How should I go about getting this security update out?

Thanks,
-Steve

Rstudio

Hello,

I like to have everything on my system in a package. So, I looked around and
found no recipe or rpm for Rstudio. This is really a shame because every
tutorial on R kinda tells you to install it. Even the Coursera classes in the
Data Science track make you install it and send a screenshot to prove it.

So, I spent some time getting it packaged and working. I am placing the spec
file and necessary patch here so that google finds it and saves other people the
trouble. I'm not wanting to submit the package to Fedora because it's more work
than I have time for.

How do you unsubscribe from mdapi meta-data update?

Hello,

Something started sending me emails about $SUBJECT. The email says this is due
to my preferences and gives a URL. Clicking on that URL leads to a page that
says, "Transaction expired, or cookies not available. Try to login again."

Logging in again leads to no useful page. It simply says "You will be
redirected to this application whenever another application requires you to
authenticate."

Reclicking the original link still says I'm not logged in. Logging into my FAS
account does not allow me to pick any preference about this email. How does
one stop it?

DISTRIBUTION tag seems wrong

Hello,

Not sure if this is bz worthy or just something to mention on a mail
list. I was doing some experimenting on creating SWID tags out of the
rpm database and noticed some inconsistencies.

Trousers package changed license to BSD

Hi,

The 0.3.11 release of trousers has changed from the CPL license to the
3-clause BSD license.

-Steve

F19 upgrade pulls in a lot of i686 packages

Hi,

Did anyone notice all the i686 packages that get pulled in if you try to
upgrade from F18? My system has no i686 packages on it today. But
when I try to upgrade it starts getting i686 dependencies pulled in.

Retiring Prelude IDS

Hello,

I am going to retire the Prelude Intrusion Detection System in F20. Upstream
has been dead for over 3 years. The only packages that I know of that link
against it are pads, audit, and suricata. I own all 3 of those packages, so
this should mostly be a FYI for everyone here.

-Steve

Bad file access on the rise

Hello,

Every now and then I look at the distribution to see that from an auditing
perspective the OS is nicely behaving in the absence of intrusion. Meaning we
are not getting audit events unnecessarily. One of the typical rules required
by the DISA STIG is to watch for file access being denied due to permissions.
This could be indicative of someone trying to access something they shouldn't.
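Both the "Lots of permission denied activity" post above and this one come down to the same STIG rule: record opens that fail with EACCES or EPERM, then work out which process is flooding the log so the real probes are not buried. The script below is an added example, not code from the posts or from the audit project. It assumes auditd has rules like the two in its docstring loaded, and the audit.log records it reads are a constructed sample written in auditd's native key=value format (the tracker-extract and cat entries are invented to mirror the complaint).

```python
"""Summarise permission-denied audit events by process.

Added example, not code from the posts or from the audit project.  It assumes
auditd has rules like these loaded (STIG style: watch EACCES and EPERM on the
open family for real users), so failed opens land in audit.log with key="access":

  -a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
  -a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EPERM  -F auid>=1000 -F auid!=4294967295 -k access
"""
import re
from collections import Counter

# errno values as the kernel writes them into the exit= field of SYSCALL records
ERRNO_NAMES = {-1: "EPERM", -13: "EACCES"}

# Constructed sample in auditd's native format (real input: /var/log/audit/audit.log).
# Only the SYSCALL record of an event carries exe=, auid= and exit=.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1500000000.101:1001): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f2c1c003f60 a2=80000 a3=0 items=1 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=PATH msg=audit(1500000000.101:1001): item=0 name="/home/alice/.ssh" inode=123 dev=fd:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1500000000.112:1002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f2c1c004120 a2=80000 a3=0 items=1 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=SYSCALL msg=audit(1500000000.120:1003): arch=c000003e syscall=2 success=no exit=-1 a0=7ffd3c4e5c40 a1=0 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="access"
type=SYSCALL msg=audit(1500000000.130:1004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2c1c004120 a2=80000 a3=0 items=1 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its key=value fields (quotes removed), or None."""
    if not line.startswith("type="):
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def denied_by_process(log_text):
    """Count failed SYSCALL records that ended in EPERM/EACCES, per (exe, auid, errno)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue
        try:
            errno = ERRNO_NAMES.get(int(rec.get("exit", "0")))
        except ValueError:         # interpreted (ausearch -i) output, not raw records
            continue
        if errno is None:          # ENOENT and friends are not permission problems
            continue
        counts[(rec.get("exe", "?"), rec.get("auid", "?"), errno)] += 1
    return counts


def noisiest(counts, top=5):
    """The processes behind most denials.  A daemon that shows up here with a large
    count and a short period (tracker-extract every ~11 s in the post) is the kind
    of noise that buries a real probe of files the user should not be touching."""
    return counts.most_common(top)


if __name__ == "__main__":
    for (exe, auid, errno), n in noisiest(denied_by_process(SAMPLE_LOG)):
        print(f"{n:6d}  {errno:<7} auid={auid:<6} {exe}")
```

On a live system feed it the log file itself or the output of `ausearch -k access --raw`; interpreted output (`ausearch -i`) rewrites `exit=` to a symbolic name and will not parse. Once the offender is known, the fix belongs in the offender (stop the indexer descending into dot-directories), not in a rule exception that would also hide a real attacker using the same path.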

Libs with applications

Hello,

I was curious how many library packages we have that also include applications in
them, so I wrote a small shell script:

http://people.redhat.com/sgrubb/security/lib-bin-check

On my F16 installation, it finds around 60 packages that are libraries with
applications. I'd like to ask if anyone else sees this as a problem? For example, if a
32 bit library is installed, which application is left - the 64 or 32 bit one? And
wouldn't that also pull in unnecessary dependencies?

-Steve
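The check the post describes, as an added example in Python rather than the shell script linked above (this is not that script). It asks rpm for every installed package's file list and reports the packages that ship both a versioned shared library and something under a bin or sbin directory; the classification is a pure function, and the package/file data at the bottom is a constructed sample so the logic runs without rpm.

```python
"""Find installed packages that ship both shared libraries and programs.

Added example, not the lib-bin-check script from the post.  The directory
lists reflect the pre-/usr-merge layout the post is about.
"""
import subprocess

LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def is_shared_lib(path):
    """A versioned runtime library such as /usr/lib64/libfoo.so.1.2.
    The unversioned .so dev symlink and plugin .so files do not count."""
    name = path.rsplit("/", 1)[-1]
    return path.startswith(LIB_DIRS) and ".so." in name


def is_program(path):
    return path.startswith(BIN_DIRS)


def classify(files):
    """Return (has_lib, has_bin) for one package's file list."""
    return (any(is_shared_lib(f) for f in files),
            any(is_program(f) for f in files))


def mixed_packages(file_lists):
    """file_lists: {package name: [paths]} -> sorted names that ship both."""
    return sorted(p for p, files in file_lists.items() if all(classify(files)))


def installed_file_lists():
    """Query the local rpm database (needs rpm; Linux only)."""
    names = subprocess.run(["rpm", "-qa", "--qf", "%{NAME}\n"],
                           check=True, capture_output=True, text=True).stdout.split()
    lists = {}
    for name in sorted(set(names)):
        out = subprocess.run(["rpm", "-ql", name], check=True,
                             capture_output=True, text=True).stdout
        lists[name] = out.splitlines()
    return lists


# Constructed sample standing in for rpm output.
SAMPLE = {
    "libfoo": ["/usr/lib64/libfoo.so.1", "/usr/lib64/libfoo.so.1.0.0",
               "/usr/bin/foo-tool", "/usr/share/doc/libfoo/README"],
    "libbar": ["/usr/lib64/libbar.so.2", "/usr/share/man/man3/bar.3.gz"],
    "baz":    ["/usr/bin/baz", "/usr/lib64/baz/plugin.so"],
}

if __name__ == "__main__":
    for pkg in mixed_packages(SAMPLE):
        print(pkg)
```

Querying by `%{NAME}` deliberately merges the i686 and x86_64 copies of a multilib package into one file list, which is exactly the situation the post asks about: whichever copy was installed last owns the shared paths under /usr/bin. Query with `%{NAME}.%{ARCH}` instead if you want the two halves reported separately.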

DISA STIG file permission testing

Hello,

I do a lot of work on making sure Linux meets various security standards. One of the
better known security profiles is the DISA STIG. (STIG means Security Technical
Information Guide.) Back in February, there was a big update to it. I have reviewed it
and sent feedback to get some items corrected. But in the meantime, I wanted to check
how far off we have gotten and wrote a script to do some checking. The guide requires a
UMASK of 027 for users, so you may find that home dir file permissions are not right.
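The kind of check the post describes, as an added example (not the script the post refers to). A umask of 027 means a newly created file gets at most 0640 and a directory at most 0750, so the script walks a directory and reports every entry carrying permission bits that umask would have cleared: those files were either created under a looser umask or chmod'ed afterwards. The home directory it examines is a constructed fixture built in a temporary directory.

```python
"""Report entries under a home directory whose mode is looser than umask 027 allows.

Added example, not the script from the post.
"""
import os
import stat
import tempfile

UMASK = 0o027
FILE_MAX = 0o666 & ~UMASK   # 0o640: what umask 027 leaves on a new file
DIR_MAX = 0o777 & ~UMASK    # 0o750: what it leaves on a new directory


def excess_bits(mode, is_dir):
    """Permission bits in `mode` that a 027 umask would have cleared."""
    allowed = DIR_MAX if is_dir else FILE_MAX
    return stat.S_IMODE(mode) & ~allowed


def check_tree(root):
    """Walk `root` without following symlinks; return {relative path: (mode, excess)}
    for every entry that a 027 umask could not have produced."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):       # symlink modes carry no meaning on Linux
                continue
            excess = excess_bits(st.st_mode, stat.S_ISDIR(st.st_mode))
            if excess:
                findings[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), excess)
    return findings


def build_sample_home():
    """Constructed fixture: a throwaway directory with deliberately mixed modes."""
    home = tempfile.mkdtemp(prefix="stig-home-")
    os.chmod(home, 0o750)
    for name, mode in (("Documents", 0o750), ("public", 0o755)):
        os.mkdir(os.path.join(home, name))
        os.chmod(os.path.join(home, name), mode)    # mkdir's mode is umask-filtered
    for name, mode in (("notes.txt", 0o640), ("script.sh", 0o775), (".bashrc", 0o644)):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    for rel, (mode, excess) in sorted(check_tree(build_sample_home()).items()):
        print(f"{oct(mode)}  extra={oct(excess)}  {rel}")
```

The `.bashrc` case is the one that bites in practice: skeleton files copied from /etc/skel at account creation keep the mode they had there, so a 027 umask set later in /etc/profile or login.defs never touches them. Run the walker against each real home directory before claiming compliance, and expect findings that were created by package scripts rather than by the user.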

gvfs causes hangs

Hello,

I have been running into something on F-12 that is really annoying and was
wondering if anyone else is seeing this. When I use kmail and want to attach a
file that is not in my Documents folder and go up one level to my homedir, it
hangs.

AM_SILENT_RULES

Hello,

I was looking at a package's build logs to see what kinds of problems gcc is
reporting for the code and found a lot of lines with "CC object_name" and
nothing else. This is really not helpful when you scan koji build logs or look
for problems. Should we have a policy of requiring "--silent=no" configure
option for packages that are hiding gcc warnings?

-Steve

rpm %verify

Hello,

I have 2 bugzillas asking for %verify to be added to %config files. I am
wondering if this is a good idea at all. The issue is that if you wanted to
verify whether or not config files have changed, then this causes you to lose
that ability. Adding --noscript to the verify command does not make rpm
suddenly report the issues it was hiding. Does this mean that rpm is not
working right?

selinux hasn't been running for over a week

hi,

What's happened in our rawhide boot sequence that causes selinux to not be
running anymore? Selinux is not disabled in the grub.conf kernel line and
sestatus shows it's disabled. There is nothing in the system logs saying that
there was a problem.

If selinux is not disabled and it does not become permissive or enforcing, it
has to get logged and optionally shutdown the system.

Aside from no logging, any ideas why selinux no longer works?

Thanks,
-Steve

soname number bump for audit-libs

Hello,

I wanted to let everyone know that I will be pushing audit-2.0 into rawhide in
the next day or two. It will change the version number of libaudit.

Lower Process Capabilities

Hello,

I wanted to send an email to give everyone a heads up about a project I'm
working on. You can find the write-up here:

https://fedoraproject.org/wiki/Features/LowerProcessCapabilities

The basic idea goes something like this: We would like to do something to
prevent priv escalation for processes running as root. For this example, let's
take cupsd to be a good case in point. If the attacker can find a vuln with
cupsd, then they can have root privs and all that goes with it.
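To make the cupsd case concrete, here is an added example of the mechanism such a project rests on; it is not the feature's implementation and not code from the wiki page. It decodes the capability masks the kernel reports in /proc/<pid>/status and then removes everything except a short allow-list from the process's capability bounding set with prctl(PR_CAPBSET_DROP), so that even a root-owned process that is later compromised cannot regain, say, CAP_SYS_MODULE or CAP_SYS_ADMIN. The list kept for a cupsd-like daemon is an assumption made for the demo, and the drop itself needs CAP_SETPCAP, so it only succeeds when run as root.

```python
"""Decode and shrink a process's capability bounding set.

Added example illustrating the mechanism behind the Lower Process Capabilities
idea; not the feature's implementation.  Linux only for the /proc and prctl parts.
"""
import ctypes
import ctypes.util
import errno
import os

# Capability numbers from linux/capability.h (0..40 as of Linux 5.9).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_NUM = {name: n for n, name in enumerate(CAP_NAMES)}

PR_CAPBSET_READ = 23   # prctl option numbers from linux/prctl.h
PR_CAPBSET_DROP = 24


def decode_caps(hex_mask):
    """Names set in a CapBnd/CapEff mask as printed in /proc/<pid>/status."""
    mask = int(hex_mask, 16)
    return [name for n, name in enumerate(CAP_NAMES) if mask >> n & 1]


def encode_caps(names):
    mask = 0
    for name in names:
        mask |= 1 << CAP_NUM[name]
    return mask


def bounding_set_to_drop(keep, have=None):
    """Capabilities to remove so that only `keep` survive; `have` defaults to
    every capability the list above knows."""
    have = CAP_NAMES if have is None else have
    return [c for c in have if c not in keep]


def read_status_caps(field="CapBnd"):
    """Read the named mask for this process from /proc/self/status."""
    with open("/proc/self/status") as fh:
        for line in fh:
            if line.startswith(field + ":"):
                return decode_caps(line.split(":", 1)[1].strip())
    raise KeyError(field)


def drop_bounding_set(names):
    """prctl(PR_CAPBSET_DROP) for each name.  Needs CAP_SETPCAP; the drop is
    permanent for this process and inherited by everything it execs."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    for name in names:
        if libc.prctl(PR_CAPBSET_DROP, CAP_NUM[name], 0, 0, 0) != 0:
            err = ctypes.get_errno()
            if err == errno.EINVAL:      # capability newer than the running kernel
                continue
            raise OSError(err, f"PR_CAPBSET_DROP {name}: {os.strerror(err)}")


if __name__ == "__main__":
    # Assumed minimal set for a cupsd-like daemon: bind port 631, own spool files,
    # switch to the lp user.  Chosen for the demo, not taken from cups.
    keep = ["net_bind_service", "chown", "dac_override", "setuid", "setgid"]
    print("before:", read_status_caps())
    if os.geteuid() == 0:
        drop_bounding_set(bounding_set_to_drop(keep))
        print("after: ", read_status_caps())
    else:
        print("not root; would drop:", bounding_set_to_drop(keep))
```

The bounding set only caps what a process can ever hold; it does not take anything away from the effective set the process already has. A real deployment therefore drops the bounding set and then the effective/permitted sets (libcap-ng's capng_apply does both), and an attacker who finds a bug in the daemon afterwards is limited to the handful of capabilities left, rather than to everything root can do.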

Maintainer Responsibilities

Hello,

I don't want to start a long thread, but just to ask a couple questions for my
own clarification. Does a maintainer's responsibilities end with packaging
bugs? IOW, if there is a problem in the package that is _broken code_ do they
need to do something about it or is it acceptable for them to close the bug
and say talk to upstream? Do we want those bugs open to track when the bug is
fixed in the distro? I'll accept whatever the answer is, I'm just curious.

Thanks,
-Steve

No way to shut down from gdm in F-10

Hi,

I booted F-10 up into run level 3. Logged in as root. Did some things and ran
init 5. After I was done using the computer, I wanted to shut it down. There
is absolutely nothing that I can click on that will let me shutdown the
computer. (Try it.) What I ended up doing is logging in and opening a terminal
and typing poweroff, but I don't think that is the right way for a gdm session
to end.

Why are we doing it like this?

-Steve

PolicyKit auditing - was Re: Fedora 11: moving to posix file capabilities?

Which is a problem. We have no way to connect the session ID for the backend
with the frontend. That means we can't make a killall mechanism that nails
everything in a login session.

No...we have a handful of apps that audit changes to trusted databases.
password and adduser are two examples.

I have to be able to tell the audit system to include or exclude events from
certain users. That would mean a user space access control daemon would have
to download and enforce audit policy.

rpmbuild post install checks

Hi,

I have tarred up my post install build checks that found the /bin /sbin linked
to /usr problems. It can be downloaded from:

http://people.redhat.com/sgrubb/files/rpmbuild-checks.tar.gz

The tarball has installation instructions in the README file. If any test
fails, it stops the build and rpms are not written. I have about 10 checks
and would like to add more. I would also like to take any contributions that
can look for problems at build time.

Do we care about /sbin /bin linked to /usr/lib?

Hi,

I wrote a utility that checks all apps in /bin & /sbin to see if they link
against anything in /usr.
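An added example along the lines of the utility described in this post and the rpmbuild check in the previous one (it is neither of those tools). The parser takes ldd output and reports every dependency that resolves under /usr, or that does not resolve at all; the scanner runs it over the real files in /bin and /sbin. The reason the question matters is that on a system where /usr is a separate filesystem mounted after the root, such a program cannot run in early boot or single-user mode. The ldd lines embedded below are a constructed sample.

```python
"""Find programs in /bin and /sbin that link against libraries under /usr.

Added example, not the utility from the post.
"""
import os
import subprocess

USR_PREFIXES = ("/usr/",)

# Constructed sample of ldd output for an imaginary /bin program.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd5a9f0000)
\tlibpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f6c7c6a0000)
\tlibselinux.so.1 => /lib64/libselinux.so.1 (0x00007f6c7c470000)
\tlibfoo.so.3 => not found
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f6c7c0a0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f6c7c8d0000)
"""


def usr_deps(ldd_output):
    """(soname, path) pairs from ldd output that resolve under /usr or not at all."""
    offenders = []
    for line in ldd_output.splitlines():
        line = line.strip()
        if " => " not in line:
            continue                 # vdso, the dynamic loader, or a "statically linked" note
        soname, _, rest = line.partition(" => ")
        path = rest.split(" (", 1)[0]
        if path == "not found" or path.startswith(USR_PREFIXES):
            offenders.append((soname, path))
    return offenders


def is_elf(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def scan(dirs=("/bin", "/sbin")):
    """Run ldd over the real files in `dirs`; returns {program: [(soname, path), ...]}."""
    results = {}
    for d in dirs:
        if os.path.islink(d):        # /usr-merged system: /bin -> usr/bin, nothing to check
            continue
        for name in sorted(os.listdir(d)):
            prog = os.path.join(d, name)
            if os.path.islink(prog) or not is_elf(prog):
                continue
            out = subprocess.run(["ldd", prog], capture_output=True, text=True).stdout
            deps = usr_deps(out)
            if deps:
                results[prog] = deps
    return results


if __name__ == "__main__":
    for prog, deps in scan().items():
        print(prog, ", ".join(f"{so} -> {path}" for so, path in deps))
```

ldd runs the dynamic loader on the binary, so only point the live scan at files you trust (distribution packages are fine); for anything untrusted read the DT_NEEDED entries with `readelf -d` instead and resolve them by hand. As the post itself notes, the same check belongs in the build (the rpmbuild-checks tarball above stops the build on failure), which catches the problem before a package ships rather than after a reboot that cannot find /usr.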