Bug#887210: rkhunter should depend on e2fsprogs explicitly

Andreas Henriksson andreas at fatal.se
Sun Jan 21 14:29:53 UTC 2018


Control: severity -1 minor

On Sun, Jan 14, 2018 at 08:10:53PM +0100, Helmut Grohne wrote:
> Package: rkhunter
[...]
> /usr/bin/rkhunter contains chattr and lsattr. According to file it is a POSIX shell script, ASCII text executable, with very long lines, with escape sequences
> /var/lib/rkhunter/db/i18n/cn contains lsattr. According to file it is a UTF-8 Unicode text
[...]

I've ignored /var/lib/rkhunter/db/i18n/* as false positives since they
seem to simply be translations.

Looking at rkhunter it seems chattr is a false positive match.
There are a few false positive matches for lsattr as well, but
one of them is interesting.

lsattr is part of the list of commands stored in CMDLIST variable.
Here's a code comment from rkhunter check_commands function about CMDLIST:

	# We check for some commands used in the tests. If the command
	# is found then a variable including the command name is set.
	# These commands are not 'required', so nothing happens if the
	# command is not found. The commands can be defined in the
	# configuration file, and a value of 'DISABLED' will cause a
	# command to not exist. A value of 'BUILTIN' may be used for
	# the 'stat' and 'readlink' commands, to indicate that the
	# supplied scripts should be used. We have to handle the 'stat'
	# command in a special way so that the perl module does not get
	# used if the command is to be disabled.

You can indeed see that the lsattr command is not strictly necessary
by searching for LSATTR_CMD and seeing how it's only conditionally
executed if available.

Thus I'd say at most a Suggests or possibly Recommends is warranted, but
not a Depends. Even just closing this bug report without a Suggests might
be an option. I'll leave that up to the maintainer to decide.

Would be great to hear from the maintainer on this....

Regards,
Andreas Henriksson


