Bug#765898: rkhunter: default values of file/command/pathname exceptions

Francois Marier francois at fmarier.org
Wed Apr 29 01:39:24 UTC 2015

On 2015-04-29 11:15, Christoph Anton Mitterer wrote:
>> #SYSLOG_CONFIG_FILE=/etc/syslog.conf
>> => while rkhunter will determine this automatically, it may still be 
>> nice to
>>    set it to /etc/rsyslog.conf on Debian, since rsyslog is the default

I'm not sure I enough about this (since it's working) to patch the 
upstream source further.

>> SCRIPTWHITELIST=/usr/bin/unhide.rb
>> => maybe it makes also sense un-comment from that line, since rkhunter
>>    Recommneds unhide.rb and it's likely to be installed
>>    See als bug #.

That's going to lead to a failure on machines that don't have it 
unfortunately. At least until
http://sourceforge.net/p/rkhunter/feature-requests/41/ is fixed.

>> => which isn't contained in the upstream default rkhunter.conf.
>>    Is this perhaps just a leftover?

It could very well be. We'd have to test with and without.

> For the following, I'm not really sure why I didn't suggest sha512
> instead of sha256:
>> => As part of crypto strengthening, I'd probably suggest to set this 
>> to:
>>    HASH_CMD=sha512sum

Isn't sha512sum slower than sha256sum? As long as sha256 is considered 
strong, I would favour the more efficient tool.

> Further, I've seen you commented:
>> #SCRIPTWHITELIST=/usr/bin/lwp-request
> It's also suggested by rkhunter... so similarly to unhide.rb,... it
> *may* make sense to have this enabled per default.
> But I have no strong opinion on either of the two.

See above comment.


More information about the forensics-devel mailing list