rkhunter warning after updating

Andy Blanchard zocalo at gmail.com
Mon Nov 30 23:49:50 UTC 2009


2009/11/30 Kevin Fenzi <kevin at scrye.com>:
> Sure, that works fine if you are willing to keep up to date on security
> updates on those applications and update your config each time one
> changes in fedora.

I did say that I like to know when things change, hence the inclusion
of the version numbers.  That approach also works very well if you
need to keep a package at a certain revision for some reason as
including its specific version in "rkhunter.conf" would provide a
warning should an update ever be applied by mistake, or a default
package be installed instead of a custom build for that matter.
That's definitely not appropriate for a dynamic distribution like
Fedora, although maybe something like Debian Stable or Red Hat where
version numbers don't change much could get away with it.

> For the out of box package that would result in pushing an update to
> rkhunter anytime any of those updated and there could be lag between
> the updates and when someone applied the rkhunter one.

That's a good point about the lag and it would be a problem, but then
again it wouldn't be the only package in Fedora that needed to be
updated in response to changes to another, apparently unrelated one;
Yelp and Firefox for instance.

For a more general package distribution it would definitely be better
to either disable the checks or just push the RKHunter package with a
whitelist of problematic applications without the version numbers, for
instance:

APP_WHITELIST="gpg httpd named sshd..."

I don't think it would actually be that hard to manage the list as
RKHunter currently only checks the versions of nine key packages -
presumably to the author of RKHunter since Exim and ProFTP are checked
while Fedora's defaults of Sendmail and VSFTP are not.  All that would
be required would be to monitor Fedora "testing" for version number
changes to the tested packages and proactively push a new version of
the RKHunter package with an updated config before the move to
"updates".

> But sure, if you want to maintain a list locally, feel free.

Well, since I'm not the Fedora RKHunter packager, that's one of the
benefits of Open Source that I might be taking advantage of - the
other being to poke around in the source and figure out how to test
the versions of some other applications.  :)

-- 
Andy

The only person to have all his work done by Friday was Robinson Crusoe
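The version-pinning idea discussed above, as an added example that is not part of the original thread: it parses an APP_WHITELIST line (assumed syntax: space-separated entries, either "app" or "app:version") and reports any pinned application whose installed version has drifted, which is the warning the post expects after an accidental update. The configuration line and the installed-version table are constructed sample data, not taken from any real system.

```python
"""Check pinned rkhunter APP_WHITELIST entries against installed versions.

Assumed entry syntax: "app" whitelists any version, "app:version" only
that version. The rkhunter.conf line and the installed-version table
below are constructed for the example.
"""
import re


def parse_app_whitelist(conf_text):
    """Return {app: pinned_version or None} from rkhunter.conf text.

    Commented-out lines (leading '#') are ignored; only the first
    active APP_WHITELIST line is read.
    """
    m = re.search(r'^\s*APP_WHITELIST\s*=\s*"?([^"\n]*)"?', conf_text, re.M)
    if not m:
        return {}
    entries = {}
    for token in m.group(1).split():
        app, sep, ver = token.partition(':')
        entries[app] = ver if sep else None
    return entries


def check_drift(whitelist, installed):
    """Return [(app, pinned, installed_or_None)] for pinned apps that no
    longer match, i.e. an update (or a missing package) slipped through."""
    drift = []
    for app, pinned in whitelist.items():
        if pinned is None:          # unpinned: any version is accepted
            continue
        current = installed.get(app)
        if current != pinned:
            drift.append((app, pinned, current))
    return drift


# Constructed sample data: two pinned apps, two unpinned ones.
SAMPLE_CONF = 'APP_WHITELIST="gpg httpd:2.2.14 named sshd:5.3p1"\n'
INSTALLED = {"gpg": "1.4.10", "httpd": "2.2.15", "named": "9.6.1", "sshd": "5.3p1"}

if __name__ == "__main__":
    for app, pinned, current in check_drift(parse_app_whitelist(SAMPLE_CONF), INSTALLED):
        print(f"WARNING: {app} pinned at {pinned}, installed {current}")
```

On a live host the INSTALLED table would come from the package manager (for example `rpm -q --qf '%{VERSION}'`), which is left out so the example runs offline.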