Bug#765898: rkhunter: default values of file/command/pathname exceptions
Christoph Anton Mitterer
calestyo at scientia.net
Sun Oct 19 01:10:19 UTC 2014
Package: rkhunter
Version: 1.4.2-0.1
Severity: normal
Hi.
Regarding the defaults/example for pathnames/file/command exceptions you ship:
SCRIPTWHITELIST=/usr/bin/groups
=> is no longer a script
SCRIPTWHITELIST=/usr/sbin/prelink
=> maybe disable this, since it's not installed by default on Debian systems
and leads to an error in rkhunter
ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
=> this is just a symlink in Debian to: /usr/lib/iceweasel/iceweaselo
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
=> while rkhunter will determine this automatically, it may still be nice to
set it to /etc/rsyslog.conf on Debian, since rsyslog is the default
Please consider adding:
#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
=> part of the krb5-doc package
SCRIPTWHITELIST=/usr/bin/unhide.rb
=> maybe it also makes sense to un-comment that line, since rkhunter
Recommends unhide.rb and it's likely to be installed
See also bug #.
The following don't strictly fit this bug, but since it's also about
the config file values and defaults:
INSTALLDIR=/usr
=> which isn't contained in the upstream default rkhunter.conf.
Is this perhaps just a leftover?
MAIL-ON-WARNING, USE_SYSLOG
=> I would probably suggest setting these to:
MAIL-ON-WARNING=root
USE_SYSLOG=authpriv.warning
so that people get better informed about any warnings found by rkhunter
HASH_CMD
=> As part of crypto strengthening, I'd probably suggest setting this to:
HASH_CMD=sha512sum
Sure, SHA1 isn't broken yet... but it doesn't really cost us anything
to use something which is likely safer than it.
There's also an upstream bug about this, though:
https://sourceforge.net/p/rkhunter/bugs/118/
Cheers,
Chris.
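As an added example, not part of the report and not rkhunter's own code: a small POSIX shell checker that reads SCRIPTWHITELIST, ALLOWPROCDELFILE and ALLOWHIDDENFILE entries from an rkhunter.conf-style file and flags the kinds of stale entries listed above (a whitelisted "script" that is a compiled binary, a path that is not installed, a symlink that rkhunter will see under its real name). The function names and the temporary directory tree it is run against are constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: check SCRIPTWHITELIST,
# ALLOWPROCDELFILE and ALLOWHIDDENFILE entries of an rkhunter.conf-style
# file against the filesystem so stale entries of the kind listed in the
# report (non-script, missing, symlinked) show up before rkhunter runs.
# Assumes KEY=VALUE lines, one path per line, '#' starting a comment.

# is_script FILE: true when FILE is a regular file starting with "#!"
is_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# check_rkhunter_conf CONF: print one finding per line, in the form
#   MISSING <path>, NOTSCRIPT <path>, or SYMLINK <path> -> <real path>
check_rkhunter_conf() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            SCRIPTWHITELIST)
                if [ ! -e "$val" ]; then echo "MISSING $val"
                elif ! is_script "$val"; then echo "NOTSCRIPT $val"
                fi ;;
            ALLOWPROCDELFILE|ALLOWHIDDENFILE)
                if [ ! -e "$val" ]; then echo "MISSING $val"
                elif [ -L "$val" ]; then echo "SYMLINK $val -> $(readlink -f "$val")"
                fi ;;
        esac
    done < "$1"
}

# make_sample: build a constructed directory tree and config (paths below are
# stand-ins for the ones in the report) and print the config path
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib/iceweasel" "$d/share"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/unhide.rb"   # a real script
    printf '\177ELF' > "$d/bin/groups"                    # compiled binary
    : > "$d/lib/iceweasel/iceweasel"
    ln -s "$d/lib/iceweasel/iceweasel" "$d/lib/iceweasel/firefox-bin"
    : > "$d/share/.k5identity.5.gz"
    printf '%s\n' "# constructed rkhunter.conf fragment" \
        "SCRIPTWHITELIST=$d/bin/unhide.rb" "SCRIPTWHITELIST=$d/bin/groups" \
        "SCRIPTWHITELIST=$d/bin/prelink" \
        "ALLOWPROCDELFILE=$d/lib/iceweasel/firefox-bin" \
        "ALLOWHIDDENFILE=$d/share/.k5identity.5.gz" > "$d/rkhunter.conf"
    echo "$d/rkhunter.conf"
}
check_rkhunter_conf "$(make_sample)"
```

Run against a real /etc/rkhunter.conf, the checker prints nothing when every whitelisted path exists, every SCRIPTWHITELIST entry really is a script, and no ALLOWPROCDELFILE entry is a symlink.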