/etc/apt/apt.conf.d/90rkhunter security loss

Bug #1451477 reported by Thomas Finteis on 2015-05-04
This bug affects 2 people
Affects: rkhunter (Ubuntu)

Bug Description

Ubuntu 14.04.2 LTS
rkhunter 1.4.0-3

rkhunter installs file /etc/apt/apt.conf.d/90rkhunter. This file is run after an installation, deinstallation, and update of a package and calls /usr/share/rkhunter/scripts/rkhupd.sh. The latter runs
   rkhunter --propupd --nolog.
It should better run
    rkhunter --propupd <package name> --nolog,
where <package name> is the base name of the concerned package.

Let's consider the situation if the last run of rkhunter --propupd was based on an unmanipulated system => the database contains what is expected.
Now the system is attacked and some software is exchanged.
Before the next check of rkhunter the administrator installs, deinstalls, or updates a particular package => /usr/share/rkhunter/scripts/rkhupd.sh builds a new database of all installed packages, also the manipulated ones => the attack will not be discovered by the next run of rkhunter.

Only the concerned package's data should be updated in rkhunter's database.

Best regards, Th.

Thomas Finteis (finteis) on 2015-05-04
information type: Private Security → Public
François Marier (fmarier) wrote :

I'm not sure whether or not this is technically possible.

The manpage for "apt.conf" doesn't mention any parameters (such as the package names) that can be passed to the "DPkg::Post-Invoke" hook.

If someone can find a clean way to do it, I think it's a good idea.

Getting the automatic update to be restricted to only the files actually part of the upgraded package certainly makes sense.

However, when I experimented with this I found the <package name> option only works if the rkhunter.dat file was originally built using the DPKG value for the --pkgmgr, which isn't the default configuration for the Ubuntu package. (In fact, the rkhunter.conf file specifically explains "NONE is the default for Debian as well, as running --propupd takes about 4 times longer when it's set to DPKG".) Additionally, I noticed that switching to a --pkgmgr DPKG database means that the file hash is also changed from the default of sha1 to using md5 instead.

However, for what it's worth, I found that, given the name of the package that has been updated, I can build a command line explicitly listing the files that rkhunter should include in its --propupd run, thus (hopefully) accomplishing the same goal without relying on the --pkgmgr function.

I did this by first finding a list of all the file names that are found in both the package and the rkhunter database, then replacing the spaces in the space-separated list with commas to get the command line that rkhunter expects. So, for example, after updating the coreutils package, I ran:

  # FILELIST="$(cat /var/lib/dpkg/info/coreutils.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"
  # FILELIST="$(echo $FILELIST | sed -e "s/ /,/g")"
  # rkhunter --propupd $FILELIST
  [ Rootkit Hunter version 1.3.6 ]
  File updated: searched for 162 files, found 41 of 136

(If more than one package was updated, the first line above can be replaced with:
  # FILELIST=""; for P in bsd-mailx binutils sudo dpkg ; do FILELIST="$FILELIST $(cat /var/lib/dpkg/info/$P.list /var/lib/rkhunter/db/rkhunter_prop_list.dat | sort | uniq -d)"; done
to get a combined list.)

> The manpage for "apt.conf" doesn't mention any parameters (such as the package names) that can be passed to the "DPkg::Post-Invoke" hook.

Yeah, I agree that the DPkg::Post-Invoke hook doesn't seem to be passed any useful info....

I see that there is a Pre-Install-Pkgs hook, which is passed the list of deb files to be upgraded on stdin. It would be a pain but perhaps rkhunter could record the list of packages somewhere under /var/lib/rkhunter from that hook, and then use that list in the Post-Invoke hook to generate the necessary --propupd command line....

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rkhunter (Ubuntu):
status: New → Confirmed

(One thing not handled by the "cat /var/lib/dpkg/info/$P.list" approach described above is symlinks, e.g. /usr/bin/mail. These don't appear in the dpkg .list file [as the actual executable files do], but when the target of the symlink is changed then rkhunter will detect that as a property mismatch on the symlink entry in rkhunter.dat as well as the entry for the target.

I may be missing an easier approach, but one solution might be for the post-invoke hook to check the rkhunter.dat file for other entries that have the same hash value as the lines that it is planning to update, and go ahead and add the file-paths for those entries to the --propupd line as well.)
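The file-list construction from the earlier comment (intersect the package's dpkg .list with rkhunter's property list, join with commas, loop for several packages) together with the symlink gap noted just above, as an added example script; it is not part of the bug report or of the rkhunter package. DPKG_INFO and PROP_LIST are assumed override variables so the functions can be pointed at sample data, and symlinks are matched by resolving their target with readlink -f (GNU/BusyBox) instead of by comparing hashes in rkhunter.dat.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Builds the comma-separated
# argument for "rkhunter --propupd" covering only the files of the
# packages just upgraded, plus property-list symlinks pointing at them.

# Assumed override variables; the defaults are the paths used in the thread.
DPKG_INFO="${DPKG_INFO:-/var/lib/dpkg/info}"
PROP_LIST="${PROP_LIST:-/var/lib/rkhunter/db/rkhunter_prop_list.dat}"

# Paths present in both a package's dpkg .list and rkhunter's property
# list, one per line, for every package name given (duplicates removed).
propupd_candidates() {
    for P in "$@"; do
        cat "$DPKG_INFO/$P.list" "$PROP_LIST" | sort | uniq -d
    done | sort -u
}

# Reads candidate paths on stdin, echoes them, and appends every symlink
# from the property list whose resolved target is one of the candidates,
# so the symlink entry (e.g. /usr/bin/mail) is refreshed with its target.
add_symlinks() {
    CANDS="$(cat)"
    [ -n "$CANDS" ] || return 0
    printf '%s\n' "$CANDS"
    # Canonicalise candidates once so comparison ignores path aliasing.
    CANON="$(printf '%s\n' "$CANDS" | while IFS= read -r C; do readlink -f "$C"; done)"
    while IFS= read -r F; do
        if [ -L "$F" ] && printf '%s\n' "$CANON" | grep -qxF -- "$(readlink -f "$F")"; then
            printf '%s\n' "$F"
        fi
    done < "$PROP_LIST"
    return 0
}

# Final comma-separated list, the form rkhunter --propupd expects.
propupd_arg() {
    propupd_candidates "$@" | add_symlinks | sort -u | paste -sd, -
}

# Example invocation (only runs when packages are passed on the command line):
# rkhunter --propupd "$(propupd_arg "$@")" --nolog
```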

Thomas Finteis (finteis) wrote :

Would
    rkhunter --enable properties && rkhunter --propupd
as a substitute for /usr/share/rkhunter/scripts/rkhupd.sh be a reasonable workaround?
It would run the database update only in case the concerned binaries were not manipulated in the meantime.
