
#121 security of files copied by rkhunter

main
pending
unSpawn
None
5
2016-11-15
2014-10-18
Cálestyo
No

Hi.

I had a discussion about this a while ago with the Debian maintainer for rkhunter, but nothing specific came out of it in the end; please have a look here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593120

The main issue is basically that I think rkhunter should do the following:

1) Especially the temporary directory (i.e. /var/lib/rkhunter/tmp/) should not be group-accessible.

We have no idea to what extent the root group is used on a system. People may have set up their system so that root membership isn't equal to being root, but just gives a few "superpowers".
If rkhunter however copies sensitive files into a location accessible by the root group, other security measures may be bypassed by an attacker.

2) I think all files that are copied by rkhunter should be copied with cp's "-a" option.
The important part here is not to miss ACLs, xattrs and SELinux security contexts, which again may be security-relevant when copying a file, even(!) if (1) above were fulfilled and only the root user (but not the group) could access the tmp dir.

Cheers,
Chris.

btw: marking this priority 1, since I think it's security critical.

Discussion

  • Cálestyo

    Cálestyo - 2014-10-18

    Even more actually:

    3) The copying of files alone is in principle already a problem, since
    they may e.g. be copied from encrypted disks to unencrypted disks,
    thereby being recoverable via digital forensics.

    For that reason I think files should only be copied to a tmpfs which
    is mounted by rkhunter upon /var/lib/rkhunter/tmp/

     
  • Cálestyo

    Cálestyo - 2014-10-18

    Oh, and everything I've said for /var/lib/rkhunter/tmp/ applies of course to the SUSPSCAN_TEMP dir as well.

    Actually that one is by default world-readable, so it's even more important to give it proper protection: all files should be in a completely inaccessible subdir (i.e. u=rwx,go=), so that an attacker cannot even see which files are copied/there.

     
  • unSpawn

    unSpawn - 2016-11-15
    • status: open --> pending
    • assigned_to: unSpawn
    • Priority: 1 --> 5
     
  • unSpawn

    unSpawn - 2016-11-15

    Access rights of /var/lib/rkhunter/tmp and /dev/shm I agree with; the latter will have to become /dev/shm/.suspscan as I won't touch the parent directory. (I doubt root group usage as described is widespread, though.) cp args "-d --preserve=all" I agree with, though I have to find out if this works similarly across all common OSes. And I probably won't make /var/lib/rkhunter/tmp a tmpfs type in this release, as Unices, derivatives and Linux all have their own way of creating it.

     
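The following script is an added example illustrating the three requests in this ticket (a staging directory that is u=rwx,go= and checked before use, copies made with cp -a / --preserve=all so that mode bits, timestamps, ACLs, xattrs and the SELinux label survive, and a check whether the staging area is on tmpfs). It is not rkhunter's code and not the maintainer's proposed patch. It assumes Linux with GNU coreutils (stat -c, stat -f, cp -a); getfattr from the attr package is optional. All paths in the demo are hypothetical stand-ins for /var/lib/rkhunter/tmp and SUSPSCAN_TEMP.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): stage a file for inspection in a
# private temporary directory, as the ticket asks for.
# Assumes Linux with GNU coreutils; paths below are hypothetical.
set -u
umask 077   # nothing this script creates is group- or world-accessible

# Create a private staging directory below $1 (mode 0700) and print its path.
make_private_tmpdir() {
    dir=$(mktemp -d "$1/private.XXXXXX") || return 1
    chmod 0700 -- "$dir" || return 1   # explicit, independent of mktemp defaults
    printf '%s\n' "$dir"
}

# Succeed only if $1 is a directory with no group/other permission bits.
is_private_dir() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 700 or 500: nothing for group/other
        *)   return 1 ;;
    esac
}

# Copy $1 into directory $2 with "cp -a" (GNU: -dR --preserve=all), which
# carries over mode, timestamps, ownership, links, ACLs, xattrs and the
# SELinux context. Prints the path of the copy.
copy_preserving() {
    cp -a -- "$1" "$2/" || return 1
    printf '%s/%s\n' "$2" "$(basename -- "$1")"
}

# Succeed if two files carry identical permission bits.
same_mode() {
    [ "$(stat -c '%a' "$1")" = "$(stat -c '%a' "$2")" ]
}

# Succeed if two files carry identical modification times (whole seconds).
same_mtime() {
    [ "$(stat -c '%Y' "$1")" = "$(stat -c '%Y' "$2")" ]
}

# Compare extended attributes (POSIX ACLs, the SELinux label and user.* keys
# are all stored there). Returns 2 when getfattr is not installed so that a
# caller can tell "unchecked" from "differs".
same_xattrs() {
    command -v getfattr >/dev/null 2>&1 || return 2
    a=$(getfattr -d -m - --absolute-names -- "$1" 2>/dev/null | sed 1d)
    b=$(getfattr -d -m - --absolute-names -- "$2" 2>/dev/null | sed 1d)
    [ "$a" = "$b" ]
}

# Succeed if $1 lives on tmpfs, i.e. staged copies never reach a disk.
is_on_tmpfs() {
    [ "$(stat -f -c '%T' "$1")" = "tmpfs" ]
}

# Stage $1 below $2: private directory first, verified, then a preserving
# copy. Prints the path of the copy, or fails without copying anything.
stage_file() {
    dir=$(make_private_tmpdir "$2") || return 1
    if ! is_private_dir "$dir"; then
        echo "refusing to stage into $dir: group/other bits set" >&2
        rmdir -- "$dir"
        return 1
    fi
    copy_preserving "$1" "$dir"
}

# Demo on a constructed file (run as: sh stage.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'constructed sensitive content\n' > "$work/secret"
    chmod 0640 "$work/secret"
    copy=$(stage_file "$work/secret" "$work") || exit 1
    printf 'staged %s: dir %s, file %s\n' "$copy" \
        "$(stat -c '%A' "$(dirname -- "$copy")")" "$(stat -c '%A' "$copy")"
    if is_on_tmpfs "$work"; then
        echo "staging area is on tmpfs"
    else
        echo "warning: $work is not tmpfs; copies can be recovered from disk"
    fi
    rm -rf -- "$work"
fi
```

The point of `is_private_dir` being a separate check rather than trusting `mkdir -m 0700` is the one the reporter makes: a staging directory that already exists with looser bits (or that an administrator has relaxed) must be refused, not reused. Mounting the tmpfs itself is deliberately left out; as the maintainer notes, that step is OS-specific and needs root.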
