Hello community,

here is the log from the commit of package rpmlint-mini for openSUSE:Factory checked in at 2019-12-16 15:19:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpmlint-mini (Old)
 and      /work/SRC/openSUSE:Factory/.rpmlint-mini.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rpmlint-mini"

Mon Dec 16 15:19:06 2019 rev:95 rq:756805 version:1.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/rpmlint-mini/rpmlint-mini.changes        2019-12-11 12:04:44.400750074 +0100
+++ /work/SRC/openSUSE:Factory/.rpmlint-mini.new.4691/rpmlint-mini.changes      2019-12-16 15:19:07.583170201 +0100
@@ -0,0 +1,6 @@
+Tue Dec 10 14:50:26 UTC 2019 - matthias.gerst...@suse.com
+
+- Update to version master:
+  * add _servicedata which I forgot previously when adding the new
+    rpmlnit-security-whitelistings.
+
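Review bot: the changelog line "rpmlnit-security-whitelistings" misspells the repository name (the _servicedata url and the tarball below both use rpmlint-security-whitelistings), and "Update to version master" pins no revision; the _servicedata changesrevision 17823647a36e556ed27d389e9293900c370ca0d7 is the value that makes this update reproducible, so consider citing it in the entry.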
@@ -12 +17,0 @@
-

New:
----
  _servicedata

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _servicedata ++++++
<servicedata>
<service name="tar_scm">
                <param name="url">https://github.com/openSUSE/rpmlint-security-whitelistings</param>
              <param name="changesrevision">17823647a36e556ed27d389e9293900c370ca0d7</param></service></servicedata>
++++++ rpmlint-security-whitelistings-master.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/README.md new/rpmlint-security-whitelistings-master/README.md
--- old/rpmlint-security-whitelistings-master/README.md 2019-11-19 13:00:51.000000000 +0100
+++ new/rpmlint-security-whitelistings-master/README.md 2019-11-22 15:12:53.000000000 +0100
@@ -7,7 +7,7 @@
 team](https://www.suse.com/support/security/).
 
 This repository here is used to administer whitelisting information consumed
-by the rpmlint-mini package to actually implement whitelisting restriction on
+by the rpmlint-mini package to actually implement whitelisting restrictions on
 certain packaging features.
 
 The maintainer of this repository is the SUSE [security
@@ -22,27 +22,73 @@
 explicit "comment" field is supported for each audit entry.
 
 Most of the whitelisting files should be self-explanatory by looking at them.
-For each package and whitelisted file a single entry is present in the
-whitelist. To be extra prudent the whitelisting usually also checks file
-contents by keeping tracking of the sha256 digests of the whitelisted files.
-If the content changes then a follow-up review by the security team becomes
-necessary. Therefore a list of related audits is maintained for each
-whitelisting entry complete with Bugzilla reference, file digest and an
-optional whitelisting comment.
-
-Since in some cases the cron job file is only a small wrapper around the
-actual program, the whitelisting format also supports a `related` dictionary
-for each audit entry. This can list additional files that are related to the
-whitelisting and which should be checked for changes.
+For each package a single entry is present in the whitelist. To be extra
+prudent the whitelisting usually also checks file contents by keeping track of
+the sha256 digests of the whitelisted files. If the packaged file content
+changes then a follow-up review by the security team becomes necessary.
+Therefore a list of related audits is maintained for each whitelisting entry
+complete with Bugzilla reference, file digests and an optional whitelisting
+comment.
 
 Types of Whitelistings
 ----------------------
 
-=== Cron Jobs
+### Cron Jobs
 
 The file `cron-whitelist.json` contains whitelisting entries for files
 installed in one of the directories in 
/etc/cron.{d,daily,hourly,montly,weekly}.
-Cron jobs often run as the `root` user and efault-enabled cron jobs are high
+Cron jobs often run as the `root` user and default-enabled cron jobs are high
 risk candidates for security issues. Therefore the security team puts
 restrictions on the introduction of new cron jobs or changes to existing cron
 jobs.
+
+Whitelisting Examples
+---------------------
+
+In the following example, comment lines introduced with '#' are embedded for
+being able to more easily document the data structure. The actual JSON format
+does *not* support such comments, however.
+
+<pre>
+{
+    # the package name
+    "atop-daemon": {
+
+        # a dictionary containing all the audits and related
+        # whitelistings done so far
+        "audits": {
+
+            # the key is the SUSE Bugzilla bug number where the # Audit of the
+            # package's security features has been performed.
+            # The value is another dictionary.
+            "bsc#1150533": {
+
+                # This comment is for documentation purposes and is not
+                # further used in whitelisting checks.
+                "comment": "Performs maintenance and (re)starting of the atop 
daemon",
+
+                # This contains another dictionary listing the files for which
+                # restrictions apply. The whitelisting restriction is not
+                # limited to the file causing the whitelisting check to
+                # trigger in the first place (like a cron job) but may also
+                # list related files that are involved and may cause security
+                # issues.
+                "digests": {
+
+                    # the keys are the absolute file paths # that are subject
+                    # of the whitelisting
+                    #
+                    # the values are of the form <alg>:<digest>, where <alg>
+                    # is a hash algorithm supported by the Python hashlib.
+                    "/etc/cron.d/atop": 
"sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430"
+
+                    # it is also possible to explicitly whitelist a file with
+                    # arbirary content for special cases where the content of
+                    # the whitelisted file isn't fixed for some reason
+                    "/usr/share/atop/atop.daily": "skip:<none>",
+                }
+            }
+        }
+    }
+}
+</pre>
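Review bot: the JSON example in the new "Whitelisting Examples" section is not valid JSON even after the '#' comments are stripped: the "/etc/cron.d/atop" digest line has no trailing comma before the "/usr/share/atop/atop.daily" entry, and that last entry carries a trailing comma before the closing brace. Since the text states that the comments are the only deviation from real JSON, fix both so the example can be pasted into cron-whitelist.json unchanged. Two comment lines also contain a stray mid-line '#' ("where the # Audit of the" and "absolute file paths # that are subject"), "arbirary" should read "arbitrary", and the unchanged context line "/etc/cron.{d,daily,hourly,montly,weekly}" should read "monthly". Finally, the comment says <alg> is "a hash algorithm supported by the Python hashlib", yet the example relies on "skip:<none>", which hashlib does not provide; document "skip" as the explicit exception, and consider stating that only sha256 (the algorithm the prose above names) is accepted for real digests, so that a weaker hashlib algorithm cannot be chosen for a whitelist entry.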
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/cron-whitelist.json new/rpmlint-security-whitelistings-master/cron-whitelist.json
--- old/rpmlint-security-whitelistings-master/cron-whitelist.json       2019-11-19 13:00:51.000000000 +0100
+++ new/rpmlint-security-whitelistings-master/cron-whitelist.json       2019-11-22 15:12:53.000000000 +0100
@@ -1,16 +1,13 @@
-[
-       {
-               "package": "atop-daemon",
-               "path": "/etc/cron.d/atop",
-               "audits": [
-                       {
-                               "bug": "bsc#1150533",
+{
+       "atop-daemon": {
+               "audits": {
+                       "bsc#1150533": {
                                "comment": "Performs maintenance and 
(re)starting of the atop daemon",
-                               "digest": 
"sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430",
-                               "related": {
-                                       "/usr/share/atop/atop.daily": 
"sha256:298a6e86b0862a1f2492b11b3af327850ba8c58232ef99753e8c6606548aa5cd"
+                               "digests": {
+                                       "/usr/share/atop/atop.daily": 
"sha256:298a6e86b0862a1f2492b11b3af327850ba8c58232ef99753e8c6606548aa5cd",
+                                       "/etc/cron.d/atop": 
"sha256:d8b23c4f9bda803bc8627c23361635a876bc49fc0ace0d98fcd92c7fb33ac430"
                                }
                        }
-               ]
+               }
        }
-]
+}
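Review bot: this hunk changes the schema of cron-whitelist.json from a list of {"package", "path", "audits": [...]} objects to an object keyed by package name, with the former "digest" and "related" entries merged into a single "digests" map; that matches the README change in the same tarball, but it is an incompatible format change for whatever parses the file, and the only consumer named on this page is rpmlint-mini, while the changes entry above only reports adding _servicedata. Please confirm that the rpmlint-mini check reading this file was switched to the new layout in the same submission, since a parser still iterating a top-level list would fail on the new top-level object. Note also that the dropped "path" key was the only field that distinguished the cron job file from the related file; the README now states that every path under "digests" is checked alike, so the data and documentation are consistent on that point.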

