/etc/apt/apt.conf.d/90rkhunter security loss
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
rkhunter (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Ubuntu 14.04.2 LTS
rkhunter 1.4.0-3
Hello:
rkhunter installs file /etc/apt/
rkhunter --propupd --nolog.
It would be better to run
rkhunter --propupd <package name> --nolog,
where <package name> is the base name of the concerned package.
Reason:
Let's consider the situation if the last run of rkhunter --propupd was based on an unmanipulated system => the database contains what is expected.
Now the system is attacked and some software is exchanged.
Before the next check of rkhunter the administrator installs, deinstalls, or updates a particular package => /usr/share/
Solution:
Only the concerned package's data should be updated in rkhunter's database.
Best regards, Th.
information type: Private Security → Public
I'm not sure whether or not this is technically possible.
The manpage for "apt.conf" doesn't mention any parameters (such as the package names) that can be passed to the "DPkg::Post-Invoke" hook.
If someone can find a clean way to do it, I think it's a good idea.
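
The failure mode described in the bug report, modelled as an added example (not part of the original report and not rkhunter's code): a full baseline refresh after a package operation absorbs an earlier file replacement, while a refresh scoped to the changed package leaves it detectable. The paths, package names, file contents and the functions `propupd`, `check` and `scenario` are constructed for illustration; the real tool stores more properties than a single hash.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sample_system():
    # Constructed sample system: path -> (owning package, file content).
    return {
        "/bin/ls": ("coreutils", b"ls v1"),
        "/usr/bin/ssh": ("openssh-client", b"ssh v1"),
        "/usr/bin/curl": ("curl", b"curl v1"),
    }


def propupd(baseline, system, package=None):
    """Re-record file hashes. package=None models a full 'rkhunter --propupd';
    a package name models 'rkhunter --propupd <package name>'."""
    for path, (owner, content) in system.items():
        if package is None or owner == package:
            baseline[path] = digest(content)
    return baseline


def check(baseline, system):
    """Return the paths whose current hash differs from the stored baseline."""
    return sorted(
        path for path, (_, content) in system.items()
        if baseline.get(path) != digest(content)
    )


def scenario(scoped: bool):
    system = sample_system()
    baseline = propupd({}, system)  # last propupd ran on a clean system
    # A file is replaced outside the package manager (the tampering to detect).
    system["/usr/bin/ssh"] = ("openssh-client", b"replaced ssh")
    # The administrator then upgrades an unrelated package.
    system["/usr/bin/curl"] = ("curl", b"curl v2")
    # The apt hook fires: either a full refresh or one scoped to the package.
    propupd(baseline, system, "curl" if scoped else None)
    return check(baseline, system)


if __name__ == "__main__":
    print("full propupd after upgrade:  ", scenario(scoped=False))
    print("scoped propupd after upgrade:", scenario(scoped=True))
```
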