Bug 115128 - Few comments to the "rkhunter" package
Summary: Few comments to the "rkhunter" package
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Security
Version: Final
Hardware: Other SUSE Other
: P5 - None : Enhancement
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-03 09:49 UTC by Balazs Melikant
Modified: 2005-12-01 16:42 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
My config-patch. (699 bytes, application/x-bzip2)
2005-09-03 09:50 UTC, Balazs Melikant

Description Balazs Melikant 2005-09-03 09:49:12 UTC
1. In the description of the package (before MD5) there is at least one newline
missing:
> Rootkit scanner is scanning tool to ensure you for about 99.9%
>    you're clean of nasty tools. This tool scans for rootkits,
>    backdoors and local exploits by running tests like: - MD5 hash
>    compare
> 
> - Look for default files used by rootkits

2. If I'm not wrong, the filename "/etc/cron.daily/01-rkhunter" was copy&pasted
from P. Shanahan's own spec, but I didn't see his (nick-)name mentioned.
By the way I think the "01-" part could be skipped from SUSE's variant and I
would put it into the cron.weekly folder...

3. System/Monitoring: shouldn't it be System/Security?!

4. I patched my own 'variant' against other hidden files/folders as well; I will
attach the complete patch.
Anyway, how your config file looks would also strongly suggest "where it came
from"; would it not be better to separate the "header lines" in it, e.g. as I have it?
Comment 1 Balazs Melikant 2005-09-03 09:50:41 UTC
Created attachment 48690 [details]
My config-patch.
Comment 2 Thomas Biege 2005-09-05 07:59:26 UTC
reassigned to Marcus.
Comment 3 Marcus Meissner 2005-09-07 08:42:07 UTC
1. I tried to adapt it. Looked fine here.
2. Why weekly and not daily?
   And yes, I used the sample .spec file.

3. There is no System/Security group in our distro.
4. Your patch is wrong: some of those are just files, some are dirs.

+ALLOWHIDDENDIR=/dev/.udevdb  
+ALLOWHIDDENDIR=/etc/.java  
+ALLOWHIDDENFILE=/etc/.pwd.lock  
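Review bot: the three lines put one ALLOWHIDDENFILE entry directly after two ALLOWHIDDENDIR entries, so a reader cannot tell from placement alone which paths are whitelisted as files and which as directories; keeping /etc/.pwd.lock under the hidden-file section of rkhunter.conf (as comment 5 below proposes) makes the file/directory split visible to whoever maintains the whitelist, and each path should be checked against its real type on disk before the keyword is chosen.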
  
your patch confuses them a bit.  
Comment 4 Balazs Melikant 2005-09-07 17:42:07 UTC
I'm glad to hear your feedback:) I really forgot to fix this issue in my spec,
which was needed by an earlier rkhunter version.
It gave dummy error messages, so I played with it so long until all of them were
gone:) and reported it to the original author.
You are right, they are confusing/confused and the newest version doesn't need
them. I will probably fix it in my version this weekend or alternatively build
your src.rpm for my SUSE 9.1 as well...
Comment 5 Balazs Melikant 2005-10-26 19:11:24 UTC
I'm sorry for reopening this bug for such a minor issue, but please consider the following.
To avoid confusion concerning the rkhunter.conf file, as we discussed earlier, the "ALLOWHIDDENFILE=/etc/.pwd.lock" line should be put where it belongs: in the next paragraph.

--->>> portion of the rkhunter.conf file of SUSE 10.0 GM --->>>

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.pwd.lock

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
#
#ALLOWHIDDENFILE=/etc/.java

--->>> In my opinion it should be --->>>

# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/etc/.java

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
#
#ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/etc/.pwd.lock

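As an added example (not code from rkhunter or the SUSE package), the following Python script parses a whitelist fragment in the layout shown in this comment and checks each ALLOWHIDDENDIR/ALLOWHIDDENFILE entry against the object type actually present on disk, which is the file-versus-directory mix-up raised in comment 3; the constructed config text and the staged root directory used instead of the live filesystem are assumptions made so it runs offline.

```python
import os
import tempfile

# Constructed fragment in the SUSE 10.0 GM layout quoted above (file line in the directory section).
SAMPLE_CONF = """\
# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.pwd.lock

# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
#ALLOWHIDDENFILE=/etc/.java
"""

# The filesystem object type each whitelist keyword is meant to describe.
EXPECTED = {"ALLOWHIDDENDIR": os.path.isdir, "ALLOWHIDDENFILE": os.path.isfile}

def parse_whitelist(text):
    """Return (keyword, path) pairs from uncommented whitelist lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in EXPECTED:
            entries.append((key.strip(), value.strip()))
    return entries

def check_whitelist(text, root="/"):
    """Flag entries whose keyword disagrees with what is on disk under root."""
    problems = []
    for key, path in parse_whitelist(text):
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.lexists(real):
            problems.append((key, path, "missing"))
        elif not EXPECTED[key](real):
            problems.append((key, path, "wrong type"))
    return problems

def staged_root():
    """Throwaway tree holding the three paths named in the fragment (assumed layout)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dev/.udevdb"))
    os.makedirs(os.path.join(root, "etc/.java"))
    open(os.path.join(root, "etc/.pwd.lock"), "w").close()
    return root
```

Running check_whitelist(SAMPLE_CONF, staged_root()) returns an empty list because every keyword matches its path's type, so the misplacement is cosmetic; a line such as ALLOWHIDDENDIR=/etc/.pwd.lock would be reported as "wrong type".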
Comment 6 Marcus Meissner 2005-12-01 16:42:05 UTC
I made this beauty fixup for the next product.