Bug#932594: rkhunter: SCRIPTWHITELIST change to /usr/bin/egrep causes failure if usrmerge has not been run


Julian Gilbey

Jul 20, 2019, 9:10:02 PM
Package: rkhunter
Version: 1.4.6-7
Severity: important

Hi!

Unfortunately the fix for bug #931396 fixes machines which have run
usrmerge. But for those which have not, rkhunter now fails fatally:

erdos:~ # /usr/share/rkhunter/scripts/rkhupd.sh
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/egrep
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/fgrep
erdos:~ #

I don't know whether there is a way of saying "whitelist this script
if it is found, otherwise ignore it". If there is, then this should
be applied to both /usr/bin/egrep and /bin/egrep, and likewise for
fgrep and any other /bin/... scripts. If not, then I don't know what
to suggest.

Best wishes,

Julian

Francois Marier

Jul 29, 2019, 7:50:03 PM
On 2019-07-21 at 02:00:30, Julian Gilbey wrote:
> I don't know whether there is a way of saying "whitelist this script
> if it is found, otherwise ignore it". If there is, then this should
> be applied to both /usr/bin/egrep and /bin/egrep, and likewise for
> fgrep and any other /bin/... scripts. If not, then I don't know what
> to suggest.

I unfortunately don't know of a way to do that either.

As far as I can see, it will either work out-of-the-box for a usrmerged
system or for a classic system, but not both.

Francois

--
https://fmarier.org/

Andrew Ruthven

Dec 15, 2021, 3:40:04 AM
Hey,

I have just spent a little bit of time digging into this, as I want
rkhunter to work (almost) turnkey, without needing users to have to
customise any configuration files.

In answer to John, sadly EXISTWHITELIST doesn't handle this situation;
it says that the listed files/directories don't need to exist.
However we need to tell rkhunter that egrep and fgrep are allowed to be
scripts.

My approach has been twofold so far, and this feels really really
ugly, but, oh well.

If we modify /etc/default/rkhunter then it can modify
/etc/rkhunter.conf before we run rkhunter via either cron or apt. So
even if there is a transient change, it'll get picked up and corrected
eventually. I added this to /etc/default/rkhunter.conf (I also made it
handle lwp-request being present, since I hit that as well):

-- BEGIN --
# Okay, this is ugly, modify rkhunter.conf to be able to know where fgrep and
# egrep are. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932594
# Note: on a usrmerged system /bin is a symlink to /usr/bin, so /bin/fgrep
# exists there as well and the first branch is the one taken.
if [ -f /bin/fgrep ]
then
    # Classic layout: the whitelist must point at /bin
    if grep -q "SCRIPTWHITELIST=/usr/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/fgrep,SCRIPTWHITELIST=/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/egrep,SCRIPTWHITELIST=/bin/egrep,' \
            /etc/rkhunter.conf
    fi
elif [ -f /usr/bin/fgrep ]
then
    # /bin/fgrep is absent: the whitelist must point at /usr/bin
    if grep -q "SCRIPTWHITELIST=/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/bin/fgrep,SCRIPTWHITELIST=/usr/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/bin/egrep,SCRIPTWHITELIST=/usr/bin/egrep,' \
            /etc/rkhunter.conf
    fi
fi

# If lwp-request is present, then we need SCRIPTWHITELIST for it:
# uncomment the entry that ships commented out.
if [ -f /usr/bin/lwp-request ]
then
    if grep -q "^#SCRIPTWHITELIST=/usr/bin/lwp-request" /etc/rkhunter.conf
    then
        sed -i 's,^#\(SCRIPTWHITELIST=/usr/bin/lwp-request\),\1,' \
            /etc/rkhunter.conf
    fi
fi
-- END --

Then in /usr/share/rkhunter/scripts/rkhupd.sh we add near the top:

-- BEGIN --
. /etc/default/rkhunter
-- END --

I'm sorry.
--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |
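The same idea as the sed snippet above, generalised, as an added example (not code from Andrew's post or from the rkhunter package): every SCRIPTWHITELIST entry is pointed at whichever of /bin or /usr/bin actually holds the script, and commented out if neither does, which is the "whitelist it if found, otherwise ignore it" behaviour Julian asked for. The function name, the optional root-prefix argument (so it can be run against a fake tree instead of /etc) and the sample config in the test are all constructed for this example.

```shell
# fix_scriptwhitelist CONF [ROOT]
#   Rewrite CONF in place so each SCRIPTWHITELIST line names an existing
#   file. ROOT is an optional filesystem prefix (assumed parameter, used
#   for testing on a fake tree); leave it empty on a real system.
fix_scriptwhitelist() {
    conf="$1"
    root="${2:-}"
    tmp="$conf.tmp"
    # '|| [ -n "$line" ]' keeps a last line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "SCRIPTWHITELIST="*|"#SCRIPTWHITELIST="*)
                path="${line#*=}"      # e.g. /usr/bin/egrep
                name="${path##*/}"     # e.g. egrep
                if [ -f "$root$path" ]; then
                    new="SCRIPTWHITELIST=$path"           # exists: (re)enable
                elif [ -f "$root/bin/$name" ]; then
                    new="SCRIPTWHITELIST=/bin/$name"      # classic layout
                elif [ -f "$root/usr/bin/$name" ]; then
                    new="SCRIPTWHITELIST=/usr/bin/$name"  # usrmerged layout
                else
                    new="#SCRIPTWHITELIST=$path"          # not installed: ignore
                fi
                printf '%s\n' "$new"
                ;;
            *)
                printf '%s\n' "$line"   # every other line is left untouched
                ;;
        esac
    done < "$conf" > "$tmp"
    # copy back rather than mv so the config keeps its owner and mode
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage on a real system (run as root): fix_scriptwhitelist /etc/rkhunter.conf
```

Because it only ever switches an entry between /bin and /usr/bin or toggles its comment marker, the edit is idempotent: running it again after usrmerge moves the binaries simply flips the entries back.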

Richard Lewis

Dec 17, 2021, 7:40:04 PM
On Wed, 15 Dec 2021 21:29:35 +1300 Andrew Ruthven <and...@etc.gen.nz> wrote:

> I have just spent a little bit of time digging into this, as I want
> rkhunter to work (almost) turnkey, without needing users to have to
> customise any configuration files.

I'm just a fellow user here - when I started using this package some
years ago I thought a turnkey approach would be good, but over time I
have come to take a different view.

Scanning packages like rkhunter (and chkrootkit, checksecurity, tiger,
etc, etc) can't realistically cope with every possible Debian system,
and I don't think they should try.

I think there is more benefit from being told that things have changed
from some baseline (expected position), even if the baseline itself
needs adjusting. And that it should not be Debian's goal, in my
opinion, to eliminate warnings caused by Debian packages (other than
those from essential:yes packages) as long as the warnings can be
silenced - rkhunter does pretty well here.

If grep moves from /usr/bin to /bin or the other way, I want to be
told, not have the scanner adjust itself. If a new lwp-release script
appears I want to be told - even if the explanation is "because that
package got installed" (this does assume there is a reason to check if
lwp-release is a script - I'm not actually sure this is true given the
automatic updates are now disabled, but that's another story).

(I appreciate that it is entirely reasonable to disagree with this, I
just wanted to share my view.)

(Personally, I would leave usrmerge the default and close this bug, as
you can already edit the rkhunter.conf to say where grep is located.)