For installation geeks:
Just some comments on using zypper to upgrade from Leap 42.2 to 42.3 and using the Lynis security scan to check for system security after upgrading in order to possibly improve Leap 42.3 (or future releases)
I hit 2 glitches during the “%sudo zypper dup” upgrade, when zypper hit the gconf2 command, the system hung up and had to be terminated. Later on I found out that gconf was removed and libiverb substituted in place.
After rerunning zypper dup again, near the end of the run, the Adobe font upgrader program kicked in, it ran all night, and when I got to the system in the memory, nearly all physical memory was used up, and the system was almost totally unresponsive. I had to do a hard manual reset.
Finally, the zypper dup command successfully completed, and I decided to use Lynis to check the system security. There were some sysctl values which needed to be changed:
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) OK ]
- fs.protected_symlinks (exp: 1) OK ]
- fs.suid_dumpable (exp: 0) OK ]
- kernel.core_uses_pid (exp: 1) DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) OK ]
- kernel.dmesg_restrict (exp: 1) DIFFERENT ]
- kernel.kptr_restrict (exp: 2) DIFFERENT ]
- kernel.randomize_va_space (exp: 2) OK ]
- kernel.suid_dumpable (exp: 0) OK ]
- kernel.sysrq (exp: 0) OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) OK ]
- net.ipv4.conf.all.forwarding (exp: 0) OK ]
- net.ipv4.conf.all.log_martians (exp: 1) OK ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) OK ]
- net.ipv4.conf.default.log_martians (exp: 1) OK ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) OK ]
- net.ipv4.tcp_syncookies (exp: 1) OK ]
- net.ipv4.tcp_timestamps (exp: 0) DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) OK ]
I also had to use Yast to add an ARP monitoring tool, a file intergrity tool, and a malware scanner, to make Lynis happy.
Lynis insisted on checking yum, as it was found (to my surprise, since zypper seems the system management tool of openSuse choice), but I finally had to remove ALL yum files.
Lynis also discovered that some loaded kernel modules seemed to be unnecessary and suggested that they be removed. The security audit found 135 loaded kernel modules.
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Are these really necessary?
The reason I have posted the comments about the security scan is to make suggestions for some tweaks in the install program for Leap 42.3, in particular, the sysctl net.ipv4 and net.ipv6 settings. (particularly redirecting packets)
Thanks for your patience and time.