Comments on zypper upgrade and Lynis security scan to improve release quality

For installation geeks:

Just some comments on using zypper to upgrade from Leap 42.2 to 42.3 and using the Lynis security scan to check for system security after upgrading in order to possibly improve Leap 42.3 (or future releases).

I hit 2 glitches during the “%sudo zypper dup” upgrade. When zypper hit the gconf2 command, the system hung up and had to be terminated. Later on I found out that gconf was removed and libiverb substituted in place.

After rerunning zypper dup again, near the end of the run, the Adobe font upgrader program kicked in; it ran all night, and when I got to the system in the memory, nearly all physical memory was used up, and the system was almost totally unresponsive. I had to do a hard manual reset.

Finally, the zypper dup command successfully completed, and I decided to use Lynis to check the system security. There were some sysctl values which needed to be changed:

[+] Kernel Hardening

  • Comparing sysctl key pairs with scan profile
    • fs.protected_hardlinks (exp: 1) [ OK ]
    • fs.protected_symlinks (exp: 1) [ OK ]
    • fs.suid_dumpable (exp: 0) [ OK ]
    • kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
    • kernel.ctrl-alt-del (exp: 0) [ OK ]
    • kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
    • kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
    • kernel.randomize_va_space (exp: 2) [ OK ]
    • kernel.suid_dumpable (exp: 0) [ OK ]
    • kernel.sysrq (exp: 0) [ OK ]
    • net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    • net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
    • net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    • net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
    • net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
    • net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
    • net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    • net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    • net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    • net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

I also had to use YaST to add an ARP monitoring tool, a file integrity tool, and a malware scanner, to make Lynis happy.

Lynis insisted on checking yum, as it was found (to my surprise, since zypper seems the system management tool of openSUSE choice), but I finally had to remove ALL yum files.

Lynis also discovered that some loaded kernel modules seemed to be unnecessary and suggested that they be removed. The security audit found 135 loaded kernel modules.

Lynis suggested:

  • Disable kernel support of some filesystems
    • Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 squashfs udf

Are these really necessary?

The reason I have posted the comments about the security scan is to make suggestions for some tweaks in the install program for Leap 42.3, in particular, the sysctl net.ipv4 and net.ipv6 settings (particularly redirecting packets).

Thanks for your patience and time.

You shouldn’t change parameters you don’t understand - for example disabling accept_redirects can actually be a positive thing which the Lynis author simply doesn’t give a <cuss> about because placebo security; tcp_timestamps can reduce throughput and so forth.

All this in the name of gaining literally no security at all.

That should say “Not disabling” can be a positive thing. Many of the suggestions Lynis gives make little to no sense because it’s like cutting off your own leg because you got a cut on it and it might turn into something worse later on.
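
For reviewing the sysctl findings in the scan output above one key at a time, the following added example (not part of any post in this thread, and not Lynis code) lists each key marked DIFFERENT next to the value currently in effect, without changing anything. The function name `lynis_sysctl_diff`, its optional root-directory argument and the `--demo` switch are assumptions of this example; the sample input is constructed in the layout of the scan output.

```shell
#!/bin/sh
# Added example: read-only report of sysctl keys that a Lynis
# "Kernel Hardening" section marks DIFFERENT. Nothing is written.

# Constructed sample input (three keys taken from the scan output above).
SAMPLE_SCAN='    - kernel.kptr_restrict (exp: 2)          [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)     [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)       [ DIFFERENT ]'

# lynis_sysctl_diff [PROC_SYS_ROOT]
# stdin:  Lynis output lines
# stdout: "key expected=N current=M" for every DIFFERENT key
# PROC_SYS_ROOT defaults to /proc/sys; the argument is an assumption of
# this example so the function can be pointed at a test directory.
lynis_sysctl_diff() {
    root="${1:-/proc/sys}"
    # Keep only DIFFERENT lines and reduce them to "key expected".
    # The leading [^a-z]* skips indentation, "-" or bullet characters.
    sed -n 's/^[^a-z]*\([a-z][A-Za-z0-9_.-]*\) (exp: \([0-9][0-9]*\)).*DIFFERENT.*$/\1 \2/p' |
    while read -r key expected; do
        # sysctl keys map to paths under /proc/sys with "." replaced by "/".
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ -r "$path" ]; then
            current=$(tr '\t' ' ' < "$path")
        else
            # Key absent on this kernel or not readable by this user.
            current="unavailable"
        fi
        printf '%s expected=%s current=%s\n' "$key" "$expected" "$current"
    done
}

# Stand-alone run against the live system: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | lynis_sysctl_diff
fi
```

Piping a saved scan section into the function gives a short list to look up key by key before deciding whether any value belongs in a sysctl configuration file.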