Package: tiger Version: 3.2.2-11 Severity: normal Tags: patch According to /usr/share/doc/tiger/README.ignore and TIGER(8) the lines in /etc/tiger/tiger.ignore will be interpreted as extended regular expressions. As such, two of the rules coming with tiger on Debian are incorrect and will never match: The owner of /var/log/wtmp should be root (owned by utmp). The owner of /var/log/utmp should be root (owned by utmp). The parantheses will be considered a group of patterns.
Additionally, many of these rules contain unescaped dots, which will match any character instead of just a literal dot. Finally, since regular expressions are used, it will decrease processing time to combine similar rules and use grouping. The following patch should fix all of these issues. If the format of this patch is undesirable, the patch goes too far or there is something else not perfectly fine about it, please let me know and I will follow up with a more adequate patch. While I have not verified this, I assume this patch will also apply to the versions currently found in testing and stable. Thanks in advance, Moritz diff -Naur tiger.orig/tiger.ignore tiger/tiger.ignore --- tiger.orig/tiger.ignore 2009-05-21 02:54:22.000000000 +0200 +++ tiger/tiger.ignore 2009-10-10 19:22:36.000000000 +0200 @@ -1,35 +1,18 @@ Login ID nobody is disabled, but still has a valid shell \(/bin/sh\) -Login ID mail's home directory \(/var/mail\) has group `mail' write access. -Login ID \w+'s parent directory \(/home\) has group `staff' write access. -Log file /var/log/wtmp permission should be 644 -Log file /var/log/btmp does not exist -Log file /var/run/utmp permission should be 644 -Log file /var/log/loginlog does not exist +Login ID mail's home directory \(/var/mail\) has group `mail' write access\. +Login ID \w+'s parent directory \(/home\) has group `staff' write access\. +Log file /var/log/[uw]tmp permission should be 644 Log file /var/log/messages permission should be 640 -The owner of /var/log/wtmp should be root (owned by utmp). -/var/log/wtmp should not have group write. -The owner of /var/run/utmp should be root (owned by utmp). -/var/run/utmp should not have group write. -/var/log/XFree86.0.log should not have world read. -/etc/fstab should not have group read. -/etc/fstab should not have world read. -/etc/inetd.conf should not have group read. -/etc/inetd.conf should not have world read. -/etc/pam.d/sudo should not have world read. -The directory /dev/ataraid resides in a device directory. -The directory /dev/cciss resides in a device directory. -The directory /dev/fd resides in a device directory. -The directory /dev/input resides in a device directory. -The directory /dev/pts resides in a device directory. -The directory /dev/rd resides in a device directory. -The directory /dev/usb resides in a device directory. -The directory /dev/ida resides in a device directory. -/dev/null has world permissions -/dev/ptmx has world permissions -/dev/gpmctl has world permissions -/dev/gpmdata has world permissions -/dev/log has world permissions -File ".fetchmail-UIDL-cache" in the mail spool, owned by "fetchmail". -/dev/.udev/.* is a dangling symlink. -The umask setting in /etc/csh.login for the init scripts is insecure -There are no umask entries in /etc/csh.login +Log file /var/log/(btmp|loginlog) does not exist +The owner of /var/run/[uw]tmp should be root \(owned by utmp\)\. +/var/run/[uw]tmp should not have group write\. +/var/log/XFree86\.0\.log should not have world read\. +/etc/fstab should not have (group|world) read\. +/etc/inetd\.conf should not have (group|world) read\. +/etc/pam\.d/sudo should not have world read\. +The directory /dev/(ataraid|cciss|fd|input|pts|rd|usb|ida) resides in a device directory\. +/dev/(null|ptmx|gpmctl|gpmdata|log) has world permissions +File "\.fetchmail-UIDL-cache" in the mail spool, owned by "fetchmail"\. +/dev/\.udev/.* is a dangling symlink\. +The umask setting in /etc/csh\.login for the init scripts is insecure +There are no umask entries in /etc/csh\.login -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
