Hi Stuart,

Stuart Henderson wrote on Sun, Apr 10, 2016 at 09:27:06PM +0100:

> Between that, a few files where I have slightly wider read
> permissions for operational reasons,

Which are those? Would it maybe make sense to weaken these checks for everybody? If those permissions make sense for you, maybe they are not insanely dangerous in general?

> and the check on the DNSSEC root key in /var/unbound/db/root.key
> (where the timestamp in a comment is updated twice a day in normal
> operations),

Hum, neither unbound(8) nor unbound.conf(5) teach me anything about that file. Whatever program may be changing that file, is there no way to fix it such that it keeps the comment constant? Even if time information is interesting for some reason, isn't that already available from the file write access date?

> I divert those mails from many systems to a rarely read folder..

That seems unfortunate indeed. I spent some work to get daily(8) silent by default with VERBOSESTATUS=0 (which i would still like to make the default, but that's maybe a separate matter).

> I'd be much more likely to read these if it only reported when there
> are *differences* in the mtree output.

I fear i don't understand that remark. The security(8) script is not producing any mtree(1) output. It runs mtree(1) in the default checking mode (with -el), not in -c mode. But tracking down and fixing whatever is spammy in sane configurations seems worthwhile to me.

Yours,
  Ingo
