Bug 27690 - msec searches inappropriate directories and mount points
Summary: msec searches inappropriate directories and mount points
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: Mageia tools maintainers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-30 01:16 CET by w unruh
Modified: 2021-09-07 14:11 CEST

See Also:
Source RPM: msec-2.7-1.mga7
CVE:
Status comment:


Attachments
Patch to add ^/run to MOUNTPOINT_FILTER (673 bytes, patch)
2020-11-30 02:59 CET, Dave Hodgins
Patch to add /run to MOUNTPOINT_FILTER and to add a whole list to TYPE_FILTER (538 bytes, patch)
2020-11-30 05:36 CET, w unruh
Patch to add ^\/run to MOUNTPOINT_FILTER (674 bytes, patch)
2020-11-30 10:52 CET, Dave Hodgins
Patch to add /run to MOUNTPOINT_FILTER and to add systemd types to TYPE_FILTER (1003 bytes, patch)
2020-11-30 21:56 CET, Dave Hodgins

Description w unruh 2020-11-30 01:16:51 CET
Description of problem: msec searches inappropriate directories, like stuff in /run/media (which are temporarily mounted USB sticks, etc.), or /backup directories. And excluding stuff with EXCLUDE_REGEXP simply does not work due to bad regex in msec_find.
This increases the size of /var/log/security and the mails and makes them utterly useless (e.g. you have a USB drive plugged in one day, and unplugged the next, and the search function will have HUGE numbers of changes listed).

Also, in /usr/share/function, since /proc/mounts now has a huge number of new types of mount types, it lists inappropriate locations to search.

a) EXCLUDE_REGEX is using basic regular expressions (flag type 0 in the msec_find/find.c source:
regcomp(&exclude_regexp, env, 0)
), which means a basic regex which does not allow one to do concatenation, as far as I can determine, and makes this option pretty useless.

b) In /usr/share/msec/functions the line
EXCLUDEDIR=`awk '$3 ~ /'$TYPE_FILTER'/ || $2 ~ /'$MOUNTPOINT_FILTER'/ \
        {print $2}' /proc/mounts | uniq`
will produce stuff like

/sys/fs/cgroup/unified /sys/fs/cgroup/systemd /sys/fs/pstore /sys/fs/bpf /sys/fs/cgroup/cpu,cpuacct /sys/fs/cgroup/cpuset /sys/fs/cgroup/perf_event /sys/fs/cgroup/hugetlb /sys/fs/cgroup/net_cls /sys/fs/cgroup/blkio /sys/fs/cgroup/pids /sys/fs/cgroup/memory /sys/fs/cgroup/devices /sys/fs/cgroup/rdma /sys/fs/cgroup/freezer /sys/kernel/debug /dev/mqueue /dev/hugepages /local /run/user/1000/gvfs /sys/kernel/debug/tracing /sys/fs/fuse/connections

Except /local, none of these directories should be in the searched directories as far as I can see. E.g., mount types like cgroup, cgroup2, none, pstore, hugetlbfs, systemd-1, debugfs, mqueue, binfmt_misc, sunrpc, tracefs, and probably gvfsd-fuse should be in TYPE_FILTER.

And one should not have to edit the /usr/share/msec/ files in order to fine tune the directories being searched. 

c)





 Version-Release number of selected component (if applicable):


How reproducible: Always. 


Steps to Reproduce:
1. run msec for example after having plugged in a usb stick. 
2.
3.
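
The effect of the `regcomp()` flag discussed in point a), as an added example (not part of the report and not msec's own code): the same exclusion pattern is compiled once with flags 0, as in the quoted call, and once with REG_EXTENDED, where `|` separates alternatives. The pattern value and the sample paths are constructed for illustration and are not msec defaults.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample value for the exclusion pattern (an assumption, not msec's default). */
static const char *PATTERN = "^/run/media|^/backup";

/* Constructed sample paths of the kind the report complains about. */
static const char *PATHS[] = {
    "/run/media/user/usbstick/file.txt",
    "/backup/2020-11-29/etc/passwd",
    "/usr/bin/sudo",
};
#define NPATHS (sizeof PATHS / sizeof PATHS[0])

/* Count how many sample paths the pattern excludes when compiled with cflags.
 * Returns -1 if the pattern does not compile. */
int count_excluded(const char *pattern, int cflags)
{
    regex_t re;
    int hits = 0;

    if (regcomp(&re, pattern, cflags) != 0)
        return -1;
    for (size_t i = 0; i < NPATHS; i++)
        if (regexec(&re, PATHS[i], 0, NULL, 0) == 0)
            hits++;
    regfree(&re);
    return hits;
}

int main(void)
{
    /* Flags 0 selects POSIX basic syntax: '|' is an ordinary character, so the
     * whole pattern is one literal string that none of the paths contain. */
    printf("basic (0):               %d of %zu excluded\n",
           count_excluded(PATTERN, 0), NPATHS);
    /* REG_EXTENDED: '|' is alternation, so both unwanted trees are excluded. */
    printf("extended (REG_EXTENDED): %d of %zu excluded\n",
           count_excluded(PATTERN, REG_EXTENDED), NPATHS);
    return 0;
}
```

A single-branch pattern such as `^/run` behaves the same under both flag values; only multi-branch patterns depend on the flag.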
Comment 1 Dave Hodgins 2020-11-30 02:41:28 CET
Changing the severity to enhancement.

I agree the MOUNTPOINT_FILTER default should be changed to include /run.

I think it should also be enhanced to allow a user-supplied list of directories
for filtering.

CC: (none) => davidwhodgins
Severity: major => enhancement

Comment 2 Dave Hodgins 2020-11-30 02:59:55 CET
Created attachment 12033 [details]
Patch to add ^/run to MOUNTPOINT_FILTER
Comment 3 w unruh 2020-11-30 05:27:20 CET
I disagree that this is "enhancement". At present msec wanders through a usb connected hard drive (backup) producing very large /var/log/security files, and changes so large they cannot be mailed, and making the security logs useless as they have generated so much noise, genuine security issues are buried.
It is a failure of msec doing what it should do.
Comment 4 w unruh 2020-11-30 05:36:44 CET
Created attachment 12034 [details]
Patch to add /run to MOUNTPOINT_FILTER and to add a whole list to TYPE_FILTER

diff between old /usr/share/msec/functions.sh and new version containing a whole variety of other partition types which have come in with systemd
Comment 5 Dave Hodgins 2020-11-30 10:52:01 CET
Created attachment 12036 [details]
Patch to add ^\/run to MOUNTPOINT_FILTER

Attachment 12033 is obsolete: 0 => 1

Comment 6 Aurelien Oudelet 2020-11-30 10:57:27 CET
Hi, thanks for reporting this bug.
Assigned to maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => mageiatools

Comment 7 Dave Hodgins 2020-11-30 21:56:45 CET
Created attachment 12042 [details]
Patch to add /run to MOUNTPOINT_FILTER and to add systemd types to TYPE_FILTER

Attachment 12034 is obsolete: 0 => 1
Attachment 12036 is obsolete: 0 => 1

Comment 8 Aurelien Oudelet 2021-07-06 13:15:51 CEST
Mageia 7 has been EOL since July 1st 2021.
There will not be any further bugfixes for this release.

You are encouraged to upgrade to Mageia 8 as soon as possible.

@reporter, if this bug still applies with Mageia 8, please let us know.

@packager, if you work on the Mageia 7 version of your package, please check the Mageia 8 package to see if the issue is also present. In this case, please fix the Mageia 8 version instead.

This bug report will be closed OLD if there is no further notice by 1st September 2021.
Comment 9 Marja Van Waes 2021-09-07 14:11:30 CEST
Hi bug reporter and hi assignee and others involved,

Please reopen this bug report if it is still valid for Mageia 8 or 9 (cauldron), and change "Version:" in the upper left of this report accordingly.

This report is being closed as OLD because it was filed against Mageia 7, for which support ended on June 30th 2021.

Thanks,
Marja

Resolution: (none) => OLD
Status: NEW => RESOLVED

