Bug#765902: rkhunter: please document how Recommends/Suggests are used by rkhunter
Christoph Anton Mitterer
calestyo at scientia.net
Sun Oct 19 02:04:27 UTC 2014
Package: rkhunter
Version: 1.4.2-0.1
Severity: wishlist
Hi.

I always found it useful when packages which have a lot of Recommended/Suggested
packages, for which it is not obviously clear how they are used, describe this
in their package description.
A good example for this would be the devscripts package.

If you agree, then I've already tried to set up a list:

Suggests:

  bsd-mailx | mailutils | heirloom-mailx | mailx
    => I'd guess the "mail" program is contained in all these, which is used by
       rkhunter for sending warning mails as specified in the MAIL_CMD option.

  libdigest-whirlpool-perl
    => I'd guess this has been used as an alternative hash algorithm in the
       HASH_CMD option (or the former HASH_FUNC).
       Since it's no longer documented there as an example, we can probably
       remove it?

  liburi-perl
  libwww-perl
    => no idea about those two? perhaps the update functions?

  powermgmt-base
    => for the RUN_CHECK_ON_BATTERY option from /etc/default/rkhunter, to
       check whether the system is on AC or not.

  tripwire
    => the only thing I could find in the rkhunter code, was that it checks
       the tripwire log files (if present) whether tripwire segfaulted.
       Thus I don't think we should suggest it at all,... not even an
       Enhances is IMHO justified

Recommends:

  default-mta | mail-transport-agent
    => guess this is needed together with mail above, since mail alone
       cannot speak SMTP and connect to some MTA for sending mails
       Thus I think *both* should be either Suggests or Recommends.

  iproute
    => not sure how this is actually used:
       ip seems to be only maybe used somehow(?) in rkhunter's
       do_network_interface_checks() function
       sockstat is used on BSDs, but it seems this is not equal to
       iproute2's ss command.
       Anyway, if it's really used see also bug #753717

  lsof
    => required if PORT_WHITELIST and/or PORT_PATH_WHITELIST is used (in some cases)
       also for the deleted_files and running_procs test, AFAICS
       lsof | netstat is required in ports and hidden_ports test
    => maybe this qualifies lsof to be a Depends, even though rkhunter works
       gracefully if it's not there but a lot seems missing

  unhide.rb
    => for the hidden_procs check

  unhide
    => for the hidden_procs check
    => for the hidden_ports check (see #765901)

  wget | curl | links | elinks | lynx
    => wget and curl are mentioned in the rkhunter.conf examples
       for the WEB_CMD and the download functionality,...
       but not sure for what links/elinks/lynx could be used
       lynx no longer exists and was replaced by lynx-cur
       Anyway.... when you accept #765895 and deactivate the
       update functionality in Debian's rkhunter (per default)
       we can perhaps demote this to Suggests? Or even drop it
       altogether.

Cheers,
Chris.