LinuxQuestions.org


EricTRA 12-01-2009 01:07 AM

rkhunter warning about 'old' versions

Hi all,

I have an issue with rkhunter on my servers. Yesterday I installed the newest version 1.3.6 on a test server and noticed that I got warnings for several programs that appear to be old versions according to rkhunter. This while the server in question is fully updated with apt-get. I was looking into that yesterday.

Today when rkhunter got its updates all of a sudden I'm getting the same warning from version 1.3.4:
Code:

Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Versions available on the web for example:
gpg -> 1.4.10
openssl -> 0.9.8l

I've checked the web and there are indeed newer versions (non major) available but apparently not yet in the repositories used by apt-get on my Debian Lenny servers.

How do I handle this? I'm relying on apt-get to keep my servers up to date so a little strange if I have to start updating manually because rkhunter complains.

Kind regards,

Eric

win32sux 12-01-2009 01:25 AM

There's this in the Rootkit Hunter FAQ:
Quote:

3.2) Rootkit Hunter tells me that I have an out-of-date or unsecure
application installed. But I have fully patched my server!
How is this possible?

A. Some distributions, for example Red Hat and OpenBSD, do patch
old versions of software. However, Rootkit Hunter thinks it is
an old version, and so sees it as being unsecure.

It is possible to whitelist specific applications, or specific
versions of an application. The configuration file contains more
details about this.

If you wish you can skip the application version check completely
by adding the 'apps' test name to the DISABLE_TESTS option in your
rkhunter configuration file.

EricTRA 12-01-2009 01:32 AM

Hi win32sux,

I've noticed that too, and know that I can whitelist and/or disable the application check. But what's the use of a program's functionality if you have to disable parts of it? The versions I'm running are pretty good up to date according to the repositories, so I really wouldn't like to disable the checks or whitelist the programs that have 'old' versions.

If I disable the option I'll have to enable again when the newest versions are available in the repositories or delete them from the whitelist.

My update/upgrade with apt-get is working good and in my opinion so should the rkhunter tool. There's no use for an 'automated' utility when you have to drop down to manual administration for parts of it. Or am I seeing this wrong?

Kind regards,

Eric

unSpawn 12-01-2009 03:04 AM

Quote:

Originally Posted by EricTRA (Post 3775320)
My update/upgrade with apt-get is working good and in my opinion so should the rkhunter tool. There's no use for an 'automated' utility when you have to drop down to manual administration for parts of it. Or am I seeing this wrong?

Whitelisting works just like win32sux indicated and the same will be confirmed in recent posts to the rkhunter-users mailing list. I don't deal with opinions in cases like these so if you think RKH is not doing its job then by all means submit your ideas to the rkhunter-users mailing list and attach your improvement patches to a bug tracker ticket, TIA.

EricTRA 12-01-2009 03:19 AM

Hi unSpawn,

I didn't mean to offend you, just was stating an opinion. My apologies.

Kind regards,

Eric

unSpawn 12-01-2009 01:00 PM

I'm not offended at all and no apologies are necessary. If you think it needs improvement then you're more than welcome to do something about it.

tredegar 12-01-2009 04:10 PM

It seems to me that rkhunter is very up-to-date. That is why it is (correctly) complaining that some of your software is "out of date". This is, of course, the way it should be.

apt-get (So I guess you are running Debian, or a derivative) always lags for me. The versions it offers are rarely the latest.

The problem boils down to: Do you want "Bleeding edge", "Cutting edge" or just "Stable"?

If you want:

- "Bleeding edge" you might have to update (and perhaps recompile) hourly, and there may well be problems.
- "Cutting edge" once every few days and there still may be problems.
- "Stable" once every few months, and it'll probably be OK from the functionality aspect, but your security may be out of date. That said, most distros post important security updates very quickly.

There's a two way balancing act here: Security and / or Stability.

It is a difficult choice.

EricTRA 12-02-2009 12:04 AM

Hello,

Thanks for the thorough explication. Yes, I'm using Debian as server for its stability. I know that the security patches are available quite fast. Because of our production environment I have to give preference to stability and thus will whitelist the applications in RKHUNTER.

Thanks all for the advice and input.

Kind regards,

Eric
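
The version-specific whitelisting that the quoted FAQ mentions, applied to the four warnings from the first post. This is an added example, not part of any post in the thread and not rkhunter's own code. It assumes the `APP_WHITELIST` option with `name:version` entries as described in the comments of rkhunter.conf (check the comments in your own copy); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn rkhunter "out of date" warnings into a
# version-pinned APP_WHITELIST line for the rkhunter configuration file.
# build_app_whitelist and sample_warnings are hypothetical helper names.

# Reads rkhunter output or log text on stdin, prints one APP_WHITELIST line.
# Returns 1 when no matching warning is found.
build_app_whitelist() {
    # Accept only conservative name/version characters so that nothing
    # unexpected from a log line can end up in the configuration file.
    entries=$(sed -n "s/^.*Warning: Application '\([A-Za-z0-9_.+-]\{1,\}\)', version '\([A-Za-z0-9_.+~-]\{1,\}\)', is out of date.*/\1:\2/p" \
        | sort -u | tr '\n' ' ')
    entries=${entries% }            # drop the trailing separator
    [ -n "$entries" ] || return 1
    printf 'APP_WHITELIST="%s"\n' "$entries"
}

# Sample input: the warnings quoted in the first post of this thread.
sample_warnings() {
cat <<'EOF'
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
EOF
}

# Stand-alone run: print the line to review and add to the config file.
sample_warnings | build_app_whitelist
```

Because each entry names one version, an entry stops matching once apt-get installs a different version, so the application check applies to the new version again without the whole 'apps' test having been disabled.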
