Re: rkhunter warning after updating
Andy Blanchard wrote:
> 2009/11/30 Kevin Fenzi ke...@scrye.com:
>> Sure, that works fine if you are willing to keep up to date on security updates on those applications and update your config each time one changes in fedora.
>
> I did say that I like to know when things change, hence the inclusion of the version numbers. That approach also works very well if you need to keep a package at a certain revision for some reason as including its specific version in rkhunter.conf would provide a warning should an update ever be applied by mistake, or a default package be installed instead of a custom build for that matter. That's definitely not appropriate for a dynamic distribution like Fedora, although maybe something like Debian Stable or Red Hat where version numbers don't change much could get away with it.
>
>> For the out of box package that would result in pushing an update to rkhunter anytime any of those updated and there could be lag between the updates and when someone applied the rkhunter one.
>
> That's a good point about the lag and it would be a problem, but then again it wouldn't be the only package in Fedora that needed to be updated in response to changes to another, apparently unrelated one; Yelp and Firefox for instance. For a more general package distribution it would definitely be better to either disable the checks or just push the RKHunter package with a whitelist of problematic applications without the version numbers, for instance:
>
> APP_WHITELIST=gpg httpd named sshd...

Wow, a list of things I really don't want to change and an evil doer might like to change. Whitelisting is kind of like taking the battery out of the smoke detector, it stops the noise but loses the warning. Short term I'd rather manually verify the checksums of the new packages, and long term, if Kevin doesn't push a new list, you can build it yourself.

--
Bill Davidsen david...@tmr.com
We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
- from Slashdot

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: rkhunter warning after updating
2009/12/2 Bill Davidsen david...@tmr.com:
> Wow, a list of things I really don't want to change and an evil doer might like to change. Whitelisting is kind of like taking the battery out of the smoke detector, it stops the noise but loses the warning. Short term I'd rather manually verify the checksums of the new packages, and long term, if Kevin doesn't push a new list, you can build it yourself.

I agree entirely. That's why I've got mine configured to ignore just the specific versions of the applications that I have currently installed that RKHunter complains about - if the version changes, RKHunter will complain and I'll know about it. Of course, to tamper with the RKHunter files as installed by the package an attacker would already need to be root so I'm not too concerned about that aspect, and I run rpm --checksig on all new or updated packages before installation anyway.

However, Kevin made some valid points about managing the version number updates, even though we're only talking about nine applications here. I had a look into the mechanism used by RKHunter last night with a view to checking other applications, and it's something of a dog to say the least, so I can understand why Kevin didn't really want to touch it. Essentially there are two ASCII files in /var/lib/rkhunter/db/, programs_bad.dat and programs_good.dat, that contain lists of known bad and good application versions respectively for each application being checked and, as you might imagine, some of those lists are rather long... It was RKHunter's downloading of an updated version of programs_bad.dat during its initialisation update check that caused the warnings over the weekend, so simply amending the dat file isn't a solution unless you also ensure that it won't get overwritten by RKHunter's update mechanism. How to best prevent similar false alarms in future without requiring end-user involvement, I don't know.

The only approaches I can think of are to disable the apps test, which Kevin suggested, or to watch testing for new updates to the checked applications then proactively update the whitelist in rkhunter.conf and push an updated RKHunter package. An easier option might be to update the remote version of the programs_bad.dat file, but I'm assuming that is outside of Fedora's control since it wasn't the only distro to experience the problem.

--
Andy
The only person to have all his work done by Friday was Robinson Crusoe
rkhunter warning after updating
Bonjour,

I updated my f10 this week-end (last update before f10 disappearing...) and today rkhunter sends these warnings:

Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
Warning: Application 'named', version '9.5.2', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

??? What else can I do? Upgrade to f12? I don't want to do this now. Are f10 packages so obsolete?

Thanks for lights.

--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 4286 2145
http://www.math-info.univ-paris5.fr/~patte
Re: rkhunter warning after updating
On Mon, 30 Nov 2009 10:09:26 +0100 François Patte francois.pa...@mi.parisdescartes.fr wrote:
> Bonjour,
>
> I updated my f10 this week-end (last update before f10 disappearing...) and today rkhunter sends these warnings:
>
> Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
> Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
> Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
> Warning: Application 'named', version '9.5.2', is out of date, and possibly a security risk.
> Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
> Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
> Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
>
> ??? What else can I do? Upgrade to f12? I don't want to do this now. Are f10 packages so obsolete?

Disable the application checks. I am going to likely push out a new rkhunter package that does this soon.

The problem is that upstream pushes out a dat file with the versions of those packages that are up to date and proof against known security issues. Fedora often backports fixes for stable releases, so the version isn't very good as an indicator when you are safe or not.

kevin
Re: rkhunter warning after updating
2009/11/30 Kevin Fenzi ke...@scrye.com:
> On Mon, 30 Nov 2009 10:09:26 +0100 François Patte francois.pa...@mi.parisdescartes.fr wrote:
>> Bonjour,
>>
>> I updated my f10 this week-end (last update before f10 disappearing...) and today rkhunter sends these warnings:
>>
>> Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
>> Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
>> Warning: Application 'httpd', version '2.2.11', is out of date, and possibly a security risk.
>> Warning: Application 'named', version '9.5.2', is out of date, and possibly a security risk.
>> Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
>> Warning: Application 'php', version '5.2.9', is out of date, and possibly a security risk.
>> Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
>>
>> ??? What else can I do? Upgrade to f12? I don't want to do this now. Are f10 packages so obsolete?
>
> Disable the application checks. I am going to likely push out a new rkhunter package that does this soon.
>
> The problem is that upstream pushes out a dat file with the versions of those packages that are up to date and proof against known security issues. Fedora often backports fixes for stable releases, so the version isn't very good as an indicator when you are safe or not.

That's good info. I had a customer today who suddenly got these warnings from his rkhunter install (on RHEL) - so I'm guessing this is a recent dat file upgrade. I might tell him to disable the application checks too ;o)

--
Sam
Re: rkhunter warning after updating
2009/11/30 Kevin Fenzi ke...@scrye.com:
> Disable the application checks. I am going to likely push out a new rkhunter package that does this soon.
>
> The problem is that upstream pushes out a dat file with the versions of those packages that are up to date and proof against known security issues. Fedora often backports fixes for stable releases, so the version isn't very good as an indicator when you are safe or not.

I'm not sure that disabling the application checks is the best approach. There is a mechanism in rkhunter.conf to whitelist specific applications (APP_WHITELIST), either by name or name and version. I'd rather know about it when things change, so I've put the version numbers in as well since it's a quick update if and when Fedora updates the release instead of back-porting patches. The line in my rkhunter.conf on F11 is as follows:

APP_WHITELIST=gpg:1.4.0 httpd:2.2.13 named:9.6.1 sshd:5.2p1

You'd need to adapt the version numbers per Fedora release of course (or forego them entirely) but IMHO it's still preferable to disabling the application checks entirely.

--
Andy
The only person to have all his work done by Friday was Robinson Crusoe
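As an added illustration (not code from this thread or from rkhunter itself), the POSIX shell below reproduces the two APP_WHITELIST forms discussed above: a bare name suppresses the warning for any version, while name:version suppresses it only for that exact version. The "outdated" list and the installed-application table are constructed stand-ins built from versions quoted in the thread, not rkhunter's real programs_bad.dat format.

```shell
# Whitelist in the same form as the rkhunter.conf line quoted above.
APP_WHITELIST="gpg:1.4.0 httpd:2.2.13 named sshd:5.2p1"

# Constructed stand-in for the upstream "known bad" versions (NOT the real
# programs_bad.dat format): space-separated name:version entries.
OUTDATED="gpg:1.4.0 httpd:2.2.11 named:9.5.2 sshd:5.1p1 openssl:0.9.8g"

# Constructed table of what the host reports, one "name version" per line.
INSTALLED_APPS="gpg 1.4.0
httpd 2.2.11
named 9.5.2
sshd 5.2p1
openssl 0.9.8g"

# is_whitelisted NAME VERSION WHITELIST: exit 0 if the whitelist suppresses
# warnings for this name/version pair, 1 otherwise.
is_whitelisted() {
  app=$1; ver=$2; wl=$3
  for entry in $wl; do
    case $entry in
      "$app")      return 0 ;;   # bare name: any version is accepted
      "$app:$ver") return 0 ;;   # name:version: only this exact version
    esac
  done
  return 1
}

# report_warnings WHITELIST OUTDATED INSTALLED: print one warning line per
# installed app that is on the outdated list and not whitelisted.
report_warnings() {
  wl=$1; bad=$2; installed=$3
  printf '%s\n' "$installed" | while read -r app ver; do
    [ -n "$app" ] || continue
    case " $bad " in
      *" $app:$ver "*)
        is_whitelisted "$app" "$ver" "$wl" && continue
        printf "Warning: Application '%s', version '%s', is out of date\n" "$app" "$ver"
        ;;
    esac
  done
}

# With the sample data only httpd (whitelist pins 2.2.13, host has 2.2.11)
# and openssl (not whitelisted at all) are still reported.
report_warnings "$APP_WHITELIST" "$OUTDATED" "$INSTALLED_APPS"
```

The httpd case is the lag problem Kevin describes: a pinned version in the whitelist stops matching as soon as the installed package and the whitelist entry drift apart.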
Re: rkhunter warning after updating
On Mon, 30 Nov 2009 22:24:11 + Andy Blanchard zoc...@gmail.com wrote:
> I'm not sure that disabling the application checks is the best approach. There is a mechanism in rkhunter.conf to whitelist specific applications (APP_WHITELIST), either by name or name and version. I'd rather know about it when things change, so I've put the version numbers in as well since it's a quick update if and when Fedora updates the release instead of back-porting patches. The line in my rkhunter.conf on F11 is as follows:
>
> APP_WHITELIST=gpg:1.4.0 httpd:2.2.13 named:9.6.1 sshd:5.2p1
>
> You'd need to adapt the version numbers per Fedora release of course (or forego them entirely) but IMHO it's still preferable to disabling the application checks entirely.

Sure, that works fine if you are willing to keep up to date on security updates on those applications and update your config each time one changes in fedora.

For the out of box package that would result in pushing an update to rkhunter anytime any of those updated and there could be lag between the updates and when someone applied the rkhunter one. I fear it would lead to more confusion...

But sure, if you want to maintain a list locally, feel free.

kevin
Re: rkhunter warning after updating
2009/11/30 Kevin Fenzi ke...@scrye.com:
> Sure, that works fine if you are willing to keep up to date on security updates on those applications and update your config each time one changes in fedora.

I did say that I like to know when things change, hence the inclusion of the version numbers. That approach also works very well if you need to keep a package at a certain revision for some reason as including its specific version in rkhunter.conf would provide a warning should an update ever be applied by mistake, or a default package be installed instead of a custom build for that matter. That's definitely not appropriate for a dynamic distribution like Fedora, although maybe something like Debian Stable or Red Hat where version numbers don't change much could get away with it.

> For the out of box package that would result in pushing an update to rkhunter anytime any of those updated and there could be lag between the updates and when someone applied the rkhunter one.

That's a good point about the lag and it would be a problem, but then again it wouldn't be the only package in Fedora that needed to be updated in response to changes to another, apparently unrelated one; Yelp and Firefox for instance. For a more general package distribution it would definitely be better to either disable the checks or just push the RKHunter package with a whitelist of problematic applications without the version numbers, for instance:

APP_WHITELIST=gpg httpd named sshd...

I don't think it would actually be that hard to manage the list as RKHunter currently only checks the versions of nine key packages - presumably to the author of RKHunter since Exim and ProFTP are checked while Fedora's defaults of Sendmail and VSFTP are not. All that would be required would be to monitor Fedora testing for version number changes to the tested packages and proactively push a new version of the RKHunter package with an updated config before the move to updates.

> But sure, if you want to maintain a list locally, feel free.

Well, since I'm not the Fedora RKHunter packager, that's one of the benefits of Open Source that I might be taking advantage of - the other being to poke around in the source and figure out how to test the versions of some other applications. :)

--
Andy
The only person to have all his work done by Friday was Robinson Crusoe
Re: rkhunter warning after updating
On Mon, 2009-11-30 at 23:49 +, Andy Blanchard wrote:
> APP_WHITELIST=gpg httpd named sshd...
>
> I don't think it would actually be that hard to manage the list as RKHunter currently only checks the versions of nine key packages - presumably to the author of RKHunter since Exim and ProFTP are checked while Fedora's defaults of Sendmail and VSFTP are not.

The 'apps' test was a legacy from previous versions when RKH was maintained by Michael Boelen. The test has been discussed, and we would rather get rid of it. As mentioned it only checks a handful of apps, and trying to maintain the version numbers is not really possible. Whilst the app itself may change its version number, a distro such as RHEL/Fedora etc may just patch their version and alter the patch level number, not the actual version number. So the warnings may well be false-positives.

The latest release of RKH (1.3.6 came out yesterday) caused the updated app version file to be pushed out as well. Hence the sudden flurry of warnings for all 1.3 versions of RKH.

Personally I disable the test.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001