Hey,

I have just spent a little bit of time digging into this, as I want
rkhunter to work (almost) turnkey, without needing users to have to
customise any configuration files.

In answer to John, sadly EXISTWHITELIST doesn't handle this situation,
it says that the listed files/directories don't need to exist.
However we need to tell rkhunter that egrep and fgrep are allowed to be
scripts.

My approach has been twofold so far, and this feels really, really
ugly, but, oh well.

If we modify /etc/default/rkhunter then it can modify
/etc/rkhunter.conf before we run rkhunter via either cron or apt. So
even if there is a transient change, it'll get picked up and corrected
eventually. I added this to /etc/default/rkhunter.conf (I also made it
handle lwp-request being present, since I hit that as well):

-- BEGIN --
# Okay, this is ugly, modify rkhunter.conf to be able to know where fgrep and
# egrep are. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932594
if [ -f /bin/fgrep ]
then
    # The config still points at /usr/bin, so switch both entries to /bin.
    if grep -q "SCRIPTWHITELIST=/usr/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/fgrep,SCRIPTWHITELIST=/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/egrep,SCRIPTWHITELIST=/bin/egrep,' \
            /etc/rkhunter.conf
    fi
elif [ -f /usr/bin/fgrep ]
then
    # The config still points at /bin, so switch both entries to /usr/bin.
    if grep -q "SCRIPTWHITELIST=/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/bin/fgrep,SCRIPTWHITELIST=/usr/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/bin/egrep,SCRIPTWHITELIST=/usr/bin/egrep,' \
            /etc/rkhunter.conf
    fi
fi

# If lwp-request is present, then we need SCRIPTWHITELIST for it.
if [ -f /usr/bin/lwp-request ]
then
    # Uncomment the existing entry rather than adding a new one.
    if grep -q "^#SCRIPTWHITELIST=/usr/bin/lwp-request" /etc/rkhunter.conf
    then
        sed -i 's,^#\(SCRIPTWHITELIST=/usr/bin/lwp-request\),\1,' \
            /etc/rkhunter.conf
    fi
fi
-- END --

Then in /usr/share/rkhunter/scripts/rkhupd.sh we add near the top:

-- BEGIN --
. /etc/default/rkhunter
-- END --

I'm sorry.
-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz         |
Catalyst Cloud:           | This space intentionally left blank
 https://catalystcloud.nz |
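
A read-only check for the drift this workaround corrects, as an added example that is not part of the original message or of rkhunter: it reports SCRIPTWHITELIST entries whose path is missing or is not a script, without editing the config. The function name `stale_script_whitelist`, its optional root-prefix argument, the "#!" test for "is a script" and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: not part of rkhunter or of the original message.
# stale_script_whitelist CONF [ROOT]
#   Prints each active SCRIPTWHITELIST entry in CONF whose target, looked up
#   under ROOT (default: the real root), is missing or has no "#!" line.
#   Returns 0 when every entry is fine, 1 otherwise.
# Assumption: "is a script" is approximated by a leading "#!".
stale_script_whitelist() {
    conf=$1
    root=${2:-}
    rc=0
    # Commented-out lines are skipped. Word splitting also copes with
    # several paths on one line and with the option being repeated.
    for path in $(sed -n 's/^SCRIPTWHITELIST=//p' "$conf"); do
        target=$root$path
        if [ ! -f "$target" ]; then
            echo "missing: $path"
            rc=1
        elif [ "$(head -c 2 "$target")" != '#!' ]; then
            echo "not-a-script: $path"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: egrep is a wrapper script in /bin, but the config
# still whitelists the /usr/bin path.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
printf '#!/bin/sh\nexec grep -E "$@"\n' > "$demo/bin/egrep"
printf 'SCRIPTWHITELIST=/usr/bin/egrep\n' > "$demo/rkhunter.conf"
stale_script_whitelist "$demo/rkhunter.conf" "$demo" || true
# prints: missing: /usr/bin/egrep
rm -rf "$demo"
```

Run against the live file as `stale_script_whitelist /etc/rkhunter.conf`; a non-zero exit means the whitelist no longer matches what is on disk.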
