rkhunter reports openssl and sshd versions out of date

Bug #493607 reported by furicle
This bug affects 3 people
Affects            Status        Importance   Assigned to   Milestone
rkhunter (Debian)  Fix Released  Unknown
rkhunter (Ubuntu)  Fix Released  Undecided    Unassigned

Bug Description

Binary package hint: rkhunter

As of now (Dec 09) rkhunter updates to the programs_bad.dat file will cause rkhunter to warn about the installed versions of openssl (0.9.8g) and openssh (4.7p1)

As I understand it, that's a 'false positive' because Ubuntu patches the current version for security issues rather than installing updated versions.

Upstream is not willing to try and track the version numbers for every possible distro
(see <http://sourceforge.net/mailarchive/forum.php?thread_name=1259660989.9270.13.camel%40jhorne&forum_name=rkhunter-users>)

To be consistent with the current practice of placing common whitelist options in the conf file, but leaving them commented out, can the Ubuntu package add the version numbers for the apps it ships to the conf file?

Thus, for Hardy put this line in /etc/rkhunter.conf
#APP_WHITELIST="openssl:0.9.8g sshd:4.7p1 exim:4.69-2 httpd:2.2.8-1ubuntu0.14 named:1:9.4.2.dfsg.P2-2ubuntu0.2 php:5.2.4-2ubuntu5.9 procmail:3.22-16ubuntu3 proftpd:1.3.1-6ubuntu1"

(side note - I dunno about that colon in the version number of bind - it might cause problems parsing - untested)

Comments?

Alan Porter (alan.porter) wrote :

About the colons, look in /var/log/rkhunter, and it'll tell you exactly what to whitelist. For named, I had to use "named:9.4.2".

Still, it seems silly that I have to whitelist apps that are in Ubuntu because of a root-kit checker that is in Ubuntu. I would have hoped that the distro would be more internally consistent.

As it stands, I have spent a little time this morning to make sure that I do not get a bunch of false-positive emails from all of my servers. Those got old very quickly.

Alan

Lars Ljung (larslj)
Changed in rkhunter (Ubuntu):
status: New → Confirmed
Andrew Cholakian (andrew-cholakian) wrote :

An easier way to bypass this than white listing (at least for cron jobs) is to simply have it skip the application check. Just set the environment variable $RK_OPT to '--skip-version-check'. The rkhunter cron job automatically adds the contents of $RK_OPT to the rkhunter command line.

Andrew Cholakian (andrew-cholakian) wrote :

My apologies, it appears that the --skip-application-check flag doesn't work after all.

Andrew Cholakian (andrew-cholakian) wrote :

It does appear that adding 'apps' to the DISABLE_TESTS option in /etc/rkhunter.conf does work.

furicle (furicle) wrote : Re: [Bug 493607] Re: rkhunter reports openssl and sshd versions out of date

On Wed, Dec 16, 2009 at 12:45 PM, Andrew Cholakian <email address hidden> wrote:
> It does appear that adding 'apps' to the DISABLE_TESTS option in
> /etc/rkhunter.conf does work.

Sure, but wouldn't it be better to only whitelist certain versions
rather than skipping them altogether? Keep the whitelist as tight as
possible rather than skipping the checks altogether.

Andrew Cholakian (andrew-cholakian) wrote :

furicle,

It looks to me that every security release would require an update to the white list unless I'm mistaken. I just don't see this happening. Flat out skipping the apps check will likely be more practical for rkhunter's maintainer. It's been about a week since this was reported, and the package still hasn't gotten the love it needs. I don't see Ubuntu maintaining an up to date white list as something that, for better or worse, is likely to happen. My thinking is, if the white list regularly goes out of sync people will just get irritated by the false positives and either disable apps checking themselves, uninstall rkhunter, or just ignore all positives.

furicle (furicle) wrote :

On Thu, Dec 17, 2009 at 12:23 PM, Andrew Cholakian <email address hidden> wrote:
> furicle,
>
> It looks to me that every security release would require an update to
> the white list unless I'm mistaken.

I don't think so. The problem is because they (Debian based distros like
Ubuntu) PATCH the current version INSTEAD of updating.
So the version number never changes. The .deb gets updated, but the
base version number is static.

The config file would change for every release - but it does anyway
because they package the new version for every release.
It's not any more work than currently *as I understand the process*

Brian

Andrew Cholakian (andrew-cholakian) wrote :

furicle, while it is true that Ubuntu backports fixes from upstream versions it's incorrect to say that the version number doesn't change. For instance, on Hardy at the moment the current version of PHP is PHP 5.2.4-2ubuntu5.9, Ubuntu doesn't increment the 5.2.4-2 part, but it does increment the ubuntu5.9 part. For the white list scheme to work, every Ubuntu package rkhunter looks at would have to synchronize its releases with concurrent updates of the rkhunter white list. That hardly seems worth it to me.

Additionally, since those applications would be white listed, the user wouldn't even know they were vulnerable unless they somehow updated rkhunter without updating any other packages (since those other packages would presumably already be patched). The white list just doesn't make sense with Ubuntu packages.

The only real solution is to maintain a separate version of rkhunter's bad package database, and I don't see anyone volunteering to do that. I personally hardly think it's worth it.

furicle (furicle) wrote : Re: [Bug 493607] Re: rkhunter reports openssl and sshd versions out of date

On Thu, Dec 17, 2009 at 7:52 PM, Andrew Cholakian <email address hidden> wrote:
> furicle, while it is true that Ubuntu backports fixes from upstream
> versions its incorrect to say that the version number doesn't change.
> For instance, on Hardy at the moment the current version of PHP is PHP
> 5.2.4-2ubuntu5.9 , Ubuntu doesn't increment the 5.2.4-2 part, but it
> does increment the ubuntu5.9 part. For the white list scheme to work,
> every Ubuntu package rkhunter looks at would have to synchronize its
> releases with concurrent updates of the rkhunter white list. That hardly
> seems worth it to me.

But rkhunter does not check the packaging version number with the appcheck - just the 'upstream' version number. That doesn't change.

It's only a handful of packages, once every six months. It's really not a big deal. That line I provided is all it takes.

The packaging changes are covered via the apt system in a different way.
That's why apt is hooked to run rkhunter --propupd when you install/upgrade.

Changed in rkhunter (Debian):
status: Unknown → Fix Released
Achim Bohnet (allee) wrote :

Please note: One has to have a blank at the start and the end of the APP_WHITELIST in rkhunter.conf. Like

APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "

otherwise the first and last entries will never match, as the test used is

if [ -n "`echo \"${APP_WHITELIST}\" | grep \" ${APPLICATION}:${RKHTMPVAR} \"`" ]; then
 ...

:-( Hope this saves others some time.
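The matching quirk Achim describes, as an added example that is not rkhunter's own code: a small POSIX shell script that reproduces the space-bounded grep so a candidate APP_WHITELIST line can be sanity-checked before it goes into /etc/rkhunter.conf. The helper names (is_whitelisted, pad_whitelist, check) and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of rkhunter: reproduces the APP_WHITELIST match
# quoted above so the padding requirement can be verified up front.

# is_whitelisted LIST APP VERSION
# Mirrors rkhunter's test: the list is searched for " app:version " with a
# space on BOTH sides, so an entry at the very start or end of an unpadded
# list can never match.
is_whitelisted() {
    list=$1; app=$2; ver=$3
    if [ -n "$(echo "$list" | grep " ${app}:${ver} ")" ]; then
        return 0
    fi
    return 1
}

# pad_whitelist LIST: wrap the list in single spaces so every entry,
# including the first and last one, satisfies the space-bounded match.
pad_whitelist() {
    printf ' %s ' "$1"
}

# check LIST APP VERSION: prints "hit" or "miss" for a quick config review.
check() {
    if is_whitelisted "$1" "$2" "$3"; then echo hit; else echo miss; fi
}

# Constructed sample values (Hardy-era versions from the report above).
UNPADDED="openssl:0.9.8g exim:4.69-2 sshd:4.7p1"
PADDED=$(pad_whitelist "$UNPADDED")   # $() keeps the trailing space

check "$UNPADDED" openssl 0.9.8g   # miss: first entry, no leading space
check "$UNPADDED" exim    4.69-2   # hit:  middle entry is space-bounded
check "$UNPADDED" sshd    4.7p1    # miss: last entry, no trailing space
check "$PADDED"   openssl 0.9.8g   # hit
check "$PADDED"   sshd    4.7p1    # hit
check "$PADDED"   sshd    4.7p2    # miss: version not on the whitelist
```

Only the exact app:version pair is accepted, so a whitelist stays as tight as furicle asks for while still silencing the known false positives.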

Julien Valroff (julienv)
Changed in rkhunter (Ubuntu):
status: Confirmed → Fix Released