#33 don't warn about "osinfo" changes if using RPM file hashes

Milestone: main
Status: closed-accepted
Owner: John Horne
Labels: rkhunter (35)
Priority: 5
Updated: 2009-07-18
Created: 2009-03-19
Creator: Jan Iven
Private: No

Machines switching to/from prelink right after initial installation (which already includes rkhunter) cause lots of false positives, since they "warn" to run --propupd (the rationale is that the stored file hashes/properties will be wrong if prelink or OS or arch change, so you get one warning instead of many). Similarly, if an automatic minor OS update comes along that changes the OS version string (e.g. RHEL4.6 to RHEL4.7), rkhunter becomes hot and excited.

For the specific case of using a package manager anyway for these file properties, we can safely downgrade the warning, the rest of the OS info (hostname etc) is just fluff anyway and can be updated anytime we like.

Discussion

  • Jan Iven
    2009-03-19

    patch to update osinfo automatically if RPM is used

  • John Horne
    2009-03-22

    Personally I would not be at all happy with this. The main thing that RKH does is to report "something has changed". If prelinking changes, or the host name or the O/S version, then I want to know about it. The fact that RKH gives a lot of warnings is fine (regardless of whether the O/S has just been installed), running RKH with --propupd, once, takes care of it.

  • Jan Iven
    2009-03-24

    jhorne: I understand your concerns for interactive use (or on a handful of servers), but getting notified on non-malicious changes for a lot of machines drowns out any "legitimate" warning. Is this something where a new config directive ("NOWARNONOSINFO"?) would be acceptable (rkhunter already has a fair bit of these)?

    Alternatively, I would need to find a way to run 'propupd' automatically outside of rkhunter. Given that some changes can be introduced interactively (i.e. hostname change or prelink on/off), and some will come via automatic updates (i.e. minor OS version change), this does not look to be easy - unless I run with 'propupd' on every invocation, which not just is wasteful but also feels "odd".
    Regards

  • John Horne
    2009-06-06

    Quick look at the patch you provided, and I see no real problems but, yes, it will become a configurable option.

    I cannot see why you (in effect) ran '--propupd' after the O/S check. If the RPM package manager is being used anyway, then the file properties check results will come from the package manager and not the rkhunter.dat file. (It's late, so I may be wrong and/or maybe I should just test it to see what happens.)

  • John Horne
    2009-06-06

    • assigned_to: nobody --> jhorne
  • John Horne
    2009-06-27

    Part fixed in CVS.

    The WARN_ON_OS_CHANGE option has been added, and will cause O/S change warnings to be info messages. The option is set by default, so as to have the same effect as before.

  • John Horne
    2009-07-18

    Added UPDT_ON_OS_CHANGE option to run the file properties update if the O/S has changed.
    A warning has been put into the config file to warn users that the '--propupd' option must have been run at least once to ensure that it works correctly. Without this it is possible that the user could get errors from the update. As with the current '--propupd' option, if prelinking has not run then it may still produce errors.
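As an added example (not part of this ticket and not rkhunter's own code), the following POSIX shell script audits the two options discussed above against the caveats raised in the thread: WARN_ON_OS_CHANGE=0 is only argued to be safe when file properties come from a package manager (the ticket title's "RPM file hashes"), and UPDT_ON_OS_CHANGE=1 requires that '--propupd' has been run at least once. It assumes rkhunter.conf is a KEY=VALUE file with '#' comments, that the package manager is selected with PKGMGR (assumed default NONE), and that UPDT_ON_OS_CHANGE defaults to 0; the helper names conf_value and audit_rkhunter_os_change are hypothetical, and the configuration it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not rkhunter code: audit the O/S-change settings of an
# rkhunter.conf. Assumptions (not from the ticket): KEY=VALUE syntax with '#'
# comments, PKGMGR selects the package manager (default NONE), and
# UPDT_ON_OS_CHANGE defaults to 0. conf_value and audit_rkhunter_os_change are
# hypothetical helper names.

# conf_value FILE KEY DEFAULT: value of the last uncommented KEY=... line,
# with trailing comments and surrounding quotes removed, or DEFAULT if unset.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tr -d "\"'")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# audit_rkhunter_os_change CONF DATFILE: print findings; return 0 when the
# settings are consistent with the reasoning in the ticket, 1 otherwise.
audit_rkhunter_os_change() {
    conf=$1; dat=$2; rc=0
    pkgmgr=$(conf_value "$conf" PKGMGR NONE)
    warn=$(conf_value "$conf" WARN_ON_OS_CHANGE 1)
    updt=$(conf_value "$conf" UPDT_ON_OS_CHANGE 0)
    echo "PKGMGR=$pkgmgr WARN_ON_OS_CHANGE=$warn UPDT_ON_OS_CHANGE=$updt"

    # Downgrading the O/S-change warning is only safe when the file property
    # check results come from the package manager rather than rkhunter.dat.
    if [ "$warn" = 0 ] && [ "$pkgmgr" = NONE ]; then
        echo "FINDING: WARN_ON_OS_CHANGE=0 without PKGMGR: O/S changes are downgraded while file hashes still come from rkhunter.dat"
        rc=1
    fi
    # Automatic property updates re-baseline stored hashes from the live
    # filesystem; without a package manager that baseline is the only one.
    if [ "$updt" = 1 ] && [ "$pkgmgr" = NONE ]; then
        echo "FINDING: UPDT_ON_OS_CHANGE=1 without PKGMGR: every O/S change silently rewrites the stored file hashes"
        rc=1
    fi
    # The automatic update assumes '--propupd' has already been run once.
    if [ "$updt" = 1 ] && [ ! -s "$dat" ]; then
        echo "FINDING: UPDT_ON_OS_CHANGE=1 but $dat is missing or empty; run 'rkhunter --propupd' once first"
        rc=1
    fi
    return $rc
}

# Demo on a constructed configuration (not a real host's rkhunter.conf) with
# no property database yet, which triggers the '--propupd' finding.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rkhunter.conf" <<'EOF'
# constructed sample for the demo
PKGMGR=RPM
WARN_ON_OS_CHANGE=0
UPDT_ON_OS_CHANGE=1
EOF
if audit_rkhunter_os_change "$demo_dir/rkhunter.conf" "$demo_dir/rkhunter.dat"; then
    echo "no findings"
else
    echo "findings reported"
fi
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` after saving; point audit_rkhunter_os_change at the real /etc/rkhunter.conf and the rkhunter.dat path of the installation to check a host. The three findings map one-to-one onto the arguments in the thread, so a fleet that wants the quieter behaviour can verify that it has PKGMGR set and the property database seeded before enabling UPDT_ON_OS_CHANGE.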

  • John Horne
    2009-07-18

    • status: open --> closed-accepted