The day after rkhunter 1.4.2 was released, I got a really
opaque and somewhat scary email message from cron:
"Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PROMISC_NO_IP"
It took some digging to realize this basically just meant:
"Error: Unable to find the 'en' translation for the NETWORK_PROMISC_NO_IP
message, with priority INFO. Perhaps you need to upgrade rkhunter,
and/or run rkhunter --update."
And that this was apparently caused by the removal of
NETWORK_PROMISC_NO_IP from the auto-updated DB file to correspond
to the not-auto-upgraded version of rkhunter that was just
released.
This prompts me to make some possible suggestions to make
the upgrade situation a little more user friendly in the future:
Include a versioning scheme with the files that are updated
by rkhunter --update. rkhunter should issue a version warning
if the version(s) in the file are not supported (too new
or too old). Perhaps just a single version (simplest), or to
allow for multiple supported versions, the version data in the
files could be a list of acceptable versions of rkhunter,
or something else (e.g. distinguish major vs minor parts of
version number...)
Improve the missing-translation error message. See one
suggestion above. Also consider maybe outputting it the same way
as a successful message output, instead of stderr where even an
unimportant message will be forwarded by a cronjob that
is not expected to send anything except on a compromised
machine...
Perhaps next time a translation phrase becomes obsolete, it
might be handy to wait at least a few days after a new release
before removing it from the auto-updated i18n file? Give
distributions some time to package up the new version, and
system administrators time to install it...
No argument from me, valid points indeed. Are you interested in backing your suggestions up with code? Would be appreciated.
Attachment 0001-clarify...: Try to make the error message for a missing i18n message more comprehensible for someone who hasn't studied rkhunter enough to know that "display" is the internal function name for displaying i18n messages.
Attachment 0002-auto-check: Automatically check for consistency of rkhunter with db files. Will require including (and managing) the new file (supported_versions.dat) in the mirror site.
Also:
* I'm not sure about best logging levels for "not the latest version" and "totally not supported" cases, but this should provide a framework to detect those cases, at least.
* This is doing something sort-of similar to the --versioncheck command line option, automatically. Except this just uses whatever the local supported_versions.dat file is, instead of temporarily auto-downloading the latest version of rkhunter.vc. Not sure if --versioncheck should be adjusted in some way; I just left it as-is.
Last edit: Matthew M. Ogilvie 2014-05-04
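As an added example (not rkhunter's own code and not the attachments posted above), here is a small POSIX sh sketch of the kind of check the thread proposes: compare the installed rkhunter version with the versions the auto-updated DB files claim to support, and distinguish "not the latest" from "too old / too new". The supported_versions.dat format, the vercmp and check_db_support names and the status words are assumptions.

```shell
#!/bin/sh
# Added example: a local consistency check between the installed rkhunter
# version and the auto-updated DB files, in the spirit of the suggested
# supported_versions.dat. Assumed (hypothetical) file format: one rkhunter
# version per line that the current DB files are consistent with; '#' comments.

# Compare two dotted version strings component by component; prints lt, eq or gt.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ap:-0}" -lt "${bp:-0}" ]; then echo lt; return; fi
        if [ "${ap:-0}" -gt "${bp:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# Classify the installed version against supported_versions.dat.
# Prints SUPPORTED, NOT_LATEST, TOO_OLD, TOO_NEW, UNLISTED or NO_DATA.
check_db_support() {
    installed="$1"; datfile="$2"
    if [ ! -s "$datfile" ]; then echo NO_DATA; return; fi
    oldest=""; newest=""; listed=no
    while IFS= read -r v || [ -n "$v" ]; do
        case "$v" in ''|'#'*) continue ;; esac
        if [ "$v" = "$installed" ]; then listed=yes; fi
        if [ -z "$oldest" ] || [ "$(vercmp "$v" "$oldest")" = lt ]; then oldest="$v"; fi
        if [ -z "$newest" ] || [ "$(vercmp "$v" "$newest")" = gt ]; then newest="$v"; fi
    done < "$datfile"
    if [ -z "$newest" ]; then echo NO_DATA; return; fi
    if [ "$listed" = yes ]; then
        if [ "$installed" = "$newest" ]; then echo SUPPORTED; else echo NOT_LATEST; fi
    elif [ "$(vercmp "$installed" "$oldest")" = lt ]; then echo TOO_OLD   # DB files newer than rkhunter
    elif [ "$(vercmp "$installed" "$newest")" = gt ]; then echo TOO_NEW   # rkhunter newer than DB files
    else echo UNLISTED
    fi
}

# Constructed sample supported_versions.dat (not a real mirror file): the DB
# files are declared consistent with rkhunter 1.4.0 and 1.4.2.
SAMPLE_DAT="$(mktemp)"
printf '%s\n' '# constructed sample' 1.4.0 1.4.2 > "$SAMPLE_DAT"

# Stand-alone run: RKH_VERSION stands in for the locally installed version.
RKH_VERSION="${RKH_VERSION:-1.4.0}"
echo "rkhunter $RKH_VERSION vs $SAMPLE_DAT: $(check_db_support "$RKH_VERSION" "$SAMPLE_DAT")"
```

The TOO_OLD branch is the situation in the original report: the mirror's DB files have moved on to a release that is not yet installed locally, which is where a version warning would replace the opaque "display" error.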