rkhunter warning after updating

Bill Davidsen davidsen at tmr.com
Wed Dec 2 14:03:44 UTC 2009


Andy Blanchard wrote:
> 2009/11/30 Kevin Fenzi <kevin at scrye.com>:
>> Sure, that works fine if you are willing to keep up to date on security
>> updates on those applications and update your config each time one
>> changes in fedora.
> 
> I did say that I like to know when things change, hence the inclusion
> of the version numbers.  That approach also works very well if you
> need to keep a package at a certain revision for some reason as
> including its specific version in "rkhunter.conf" would provide a
> warning should an update ever be applied by mistake, or a default
> package be installed instead of a custom build for that matter.
> That's definitely not appropriate for a dynamic distribution like
> Fedora, although maybe something like Debian Stable or Red Hat where
> version numbers don't change much could get away with it.
> 
>> For the out of box package that would result in pushing an update to
>> rkhunter anytime any of those updated and there could be lag between
>> the updates and when someone applied the rkhunter one.
> 
> That's a good point about the lag and it would be a problem, but then
> again it wouldn't be the only package in Fedora that needed to be
> updated in response to changes to another, apparently unrelated one;
> Yelp and Firefox for instance.
> 
> For a more general package distribution it would definitely be better
> to either disable the checks or just push the RKHunter package with a
> whitelist of problematic applications without the version numbers, for
> instance:
> 
> APP_WHITELIST="gpg httpd named sshd..."
> 
Wow, a list of things I really don't want to change and an evildoer might like 
to change.

Whitelisting is kind of like taking the battery out of the smoke detector: it 
stops the noise but loses the warning. Short term I'd rather manually verify the 
checksums of the new packages, and long term, if Kevin doesn't push a new list, 
you can build it yourself.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
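
Added example (not part of the original message): one way to do the manual verification mentioned above is to run `rpm -V` on the packages that own the flagged binaries and triage its output. The function below does that triage over constructed sample output; the package names in the comment and the choice to ignore changed config files are assumptions.

```shell
#!/bin/bash
# Triage `rpm -V` output for the applications rkhunter warns about.
# Each line is "<flags> [c|d|g|l|r] <path>". Position 3 of <flags> is '5'
# when the file digest differs from the RPM database. A line starting with
# "missing" means the file is gone.

# Read `rpm -V` output on stdin. Print every missing file and every
# non-config file whose digest changed. Exit status 1 if anything is printed.
digest_failures() {
    awk '
        $1 == "missing" { print "MISSING " $NF; bad = 1; next }
        {
            # Assumption: config files (attribute "c") are edited locally,
            # so a digest change there is expected and not reported.
            attr = (NF == 3) ? $2 : ""
            if (substr($1, 3, 1) == "5" && attr != "c") {
                print "DIGEST " $NF
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample output (not taken from a real system).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/sbin/httpd
S.5....T.    /usr/sbin/sshd
missing      /usr/bin/gpg'

printf '%s\n' "$SAMPLE" | digest_failures || echo "verification failures found"

# Live use (package names are assumptions, adjust to your system):
#   rpm -V openssh-server httpd bind gnupg2 | digest_failures
```

`rpm -V` compares files against the local RPM database, so it is only as trustworthy as that database; checking the signature of the downloaded package file with `rpm -K` is a separate step.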
