[SOLVED] msec mails


Postby RagingRaven » Apr 7th, '15, 14:01

Hello Guys,

I'm having an issue with frequent msec mails.
I've forwarded all root mails to my own e-mail address and I'm getting a lot of mails from msec (both security and diff checks).

In the diff checks I get a lot of lines about added and removed processes with open ports, but I have no idea what to do with it or if it's an issue.
If there's no issue, why does it keep reporting about it and how do I disable those messages, but not other important messages?

In the security checks I get:
Security Warning: these home directory should not be owned by someone else or writable :
user=avahi-autoipd(496) : home directory is owned by avahi(497).

But in the below link it looks to me like this is a bug that should be fixed?
http://advisories.mageia.org/MGAA-2013-0044.html

I've installed all updates so I guess the above issue shouldn't be there?

Also in the security checks are more mentions of open ports.

Thanks for your replies.
Last edited by RagingRaven on Apr 8th, '15, 13:51, edited 2 times in total.
RagingRaven
 
Posts: 60
Joined: Aug 18th, '14, 16:40
Location: Oud-Beijerland, Near Rotterdam, The Netherlands

Re: msec mails

Postby doktor5000 » Apr 7th, '15, 20:39

For one, if you can't determine yourself if the points shown in the report are an issue for your system or not, the reports are pretty much meaningless then and should be disabled.
You should probably simply disable the mail to root as shown in the second screenshot at http://doc.mageia.org/mcc/4/en/content/msecgui.html (checkbox in second-to-last line).

For the avahi home directory, thanks for pointing that out. Yes, that was fixed, but only for Mageia 3 and the fix was never applied to the Mageia development version, hence it still exists.
I've cloned that report into a new one so you can follow: https://bugs.mageia.org/show_bug.cgi?id=15650
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: msec mails

Postby martinw » Apr 7th, '15, 23:14

I guess the reason open ports are reported is that if you did get a bit of malware that opened up a connection to the outside world, it would show up in that report. But it's only really useful if you leave your computer running all the time, otherwise you get a diff report every time you reboot, and just get into the habit of ignoring it. Personally I rely on my firewall to protect me from such things.

You can enable/disable specific msec checks in the "Period Checks" tab of the msec GUI, as described in the documentation doktor5000 linked to.
martinw
 
Posts: 609
Joined: May 14th, '11, 10:59

Re: msec mails

Postby RagingRaven » Apr 8th, '15, 09:33

@doktor I get that the report should show issues and I do understand that open ports could be an issue, that's not what I was confused about.
The thing I was confused about is that it was reporting about this every day and that it kept saying that some processes were added and removed with open ports.
For instance in the first few lines it says it added a process with an open port (netbios) and a few lines further it says it got removed again.
What I was wondering was why this happens and if this is normal behavior why it gets reported.
In the meantime I had already figured out you can change the daily reporting in msecgui, so it's not really an issue for me anymore, but to me it seems strange to report the same thing over and over again every day (with default settings).

Good to know it's a bug and not something I did wrong, thanks for reporting it!

@martin as said I understand open ports could mean something is wrong and could pose a serious issue, but I thought it strange that the same ports got 'added and removed' in the same report. Perhaps I wasn't really clear on that.
It might be normal behaviour, but I'm not sure if it is, I just found it strange that I got the same info over and over again.

Thanks for answering though!
RagingRaven
 
Posts: 60
Joined: Aug 18th, '14, 16:40
Location: Oud-Beijerland, Near Rotterdam, The Netherlands

Re: msec mails

Postby martinw » Apr 8th, '15, 09:52

RagingRaven wrote: but I thought it strange that the same ports got 'added and removed' in the same report. Perhaps I wasn't really clear on that.
It might be normal behaviour, but I'm not sure if it is, I just found it strange that I got the same info over and over again.

Do you leave your machine running all the time, or do you shut it down overnight? If the latter, then although the list of open ports and the names of the processes using those ports may be the same, the process ID numbers will change, and that's why msec reports a difference. So, perfectly normal behaviour if you reboot your machine for any reason or restart any of the listed services.
martinw
 
Posts: 609
Joined: May 14th, '11, 10:59
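The effect martinw describes in the post above, as an added example (not part of the original thread and not msec's own code): two listening-socket snapshots are compared once with the PID kept and once with it stripped. The netstat-like line format, the sample lines and the `newsvc` listener are constructed assumptions.

```python
# Constructed snapshots in a netstat-like layout (assumed format, not real msec output).
# Last column is "PID/program"; only the PIDs differ for smbd and nmbd after a reboot.
YESTERDAY = """\
tcp   0 0 0.0.0.0:139   0.0.0.0:*  LISTEN  1412/smbd
tcp   0 0 0.0.0.0:445   0.0.0.0:*  LISTEN  1412/smbd
udp   0 0 0.0.0.0:137   0.0.0.0:*          1398/nmbd
tcp   0 0 0.0.0.0:22    0.0.0.0:*  LISTEN  977/sshd
"""
TODAY = """\
tcp   0 0 0.0.0.0:139   0.0.0.0:*  LISTEN  1533/smbd
tcp   0 0 0.0.0.0:445   0.0.0.0:*  LISTEN  1533/smbd
udp   0 0 0.0.0.0:137   0.0.0.0:*          1519/nmbd
tcp   0 0 0.0.0.0:22    0.0.0.0:*  LISTEN  977/sshd
tcp   0 0 0.0.0.0:8081  0.0.0.0:*  LISTEN  2210/newsvc
"""


def parse(snapshot, keep_pid):
    """Return a set of (protocol, local address, owner) tuples."""
    entries = set()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 6:          # skip headers and blank lines
            continue
        proto, local, owner = fields[0], fields[3], fields[-1]
        if not keep_pid:
            # Drop the PID so a restarted service compares equal to itself.
            _pid, _, prog = owner.partition("/")
            owner = prog or owner    # keep "-" when the owner is unknown
        entries.add((proto, local, owner))
    return entries


def diff(old, new, keep_pid):
    """Return (added, removed) between two snapshots."""
    before, after = parse(old, keep_pid), parse(new, keep_pid)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for keep_pid in (True, False):
        added, removed = diff(YESTERDAY, TODAY, keep_pid)
        print("PID kept" if keep_pid else "PID ignored")
        for entry in added:
            print("  added:  ", *entry)
        for entry in removed:
            print("  removed:", *entry)
```

With the PID kept, every restarted service appears as both removed and added; with it ignored, only the genuinely new listener on port 8081 remains.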

Re: msec mails

Postby RagingRaven » Apr 8th, '15, 13:49

I shut it down at the moment, but it will run continuously in the future, so I guess it shouldn't then be a problem.

At least you have explained this behaviour for me and now I know why it reports it as both removed and added (old ID gets removed, new ID gets added; even though it's the same service/port).
Thanks!!!

P.S. I couldn't find a 'mark as solved' option, so I just edited the topic title.
RagingRaven
 
Posts: 60
Joined: Aug 18th, '14, 16:40
Location: Oud-Beijerland, Near Rotterdam, The Netherlands

Re: [SOLVED] msec mails

Postby isadora » Apr 8th, '15, 14:33

You can do so, by editing the subject/title in the first message in this topic.
Write [SOLVED] to the left of subject/title, thanks ahead. ;)
..........bird from paradise..........

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
—Antoine de Saint-Exupéry
isadora
 
Posts: 2742
Joined: Mar 25th, '11, 16:03
Location: Netherlands

