I have an issue with rkhunter on my servers. Yesterday I installed the newest version 1.3.6 on a test server and noticed that I got warnings for several programs that appear to be old versions according to rkhunter. This while the server in question is fully updated with apt-get. I was looking into that yesterday.
Today when rkhunter got its updates, all of a sudden I'm getting the same warning from version 1.3.4:
Code:
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Versions available on the web for example:
gpg -> 1.4.10
openssl -> 0.9.8l
I've checked the web and there are indeed newer versions (non major) available but apparently not yet in the repositories used by apt-get on my Debian Lenny servers.
How do I handle this? I'm relying on apt-get to keep my servers up to date so a little strange if I have to start updating manually because rkhunter complains.
3.2) Rootkit Hunter tells me that I have an out-of-date or unsecure application installed. But I have fully patched my server! How is this possible?
A. Some distributions, for example Red Hat and OpenBSD, do patch old versions of software. However, Rootkit Hunter thinks it is an old version, and so sees it as being unsecure.
It is possible to whitelist specific applications, or specific versions of an application. The configuration file contains more details about this.
If you wish you can skip the application version check completely by adding the 'apps' test name to the DISABLE_TESTS option in your rkhunter configuration file.
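An added example, not from this thread or from the rkhunter project: a small POSIX sh helper that turns the "out of date" warnings quoted above into a version-pinned APP_WHITELIST line for rkhunter.conf (the whitelist the FAQ refers to). It assumes rkhunter's 'application:version' whitelist syntax; pinning the version means the entry only silences what apt currently ships, and the warning comes back by itself after the package is upgraded, unlike DISABLE_TESTS="apps", which switches the whole check off.

```shell
#!/bin/sh
# Added example: build a version-pinned APP_WHITELIST line for rkhunter.conf
# from rkhunter's "Application ... is out of date" warnings.
# Assumption: rkhunter accepts APP_WHITELIST entries of the form app:version
# (a bare app name would whitelist every version, which is what we avoid).

# Constructed sample input: the four warnings quoted in the original post,
# plus one unrelated line to show that it is ignored.
sample_warnings() {
    cat <<'EOF'
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
One or more warnings have been found while checking the system.
EOF
}

# Read rkhunter output on stdin and print one APP_WHITELIST="..." line.
# Splitting on the single quote gives: $2 = application name, $4 = version.
app_whitelist_line() {
    awk -F"'" '
        /^Warning: Application / && /is out of date/ {
            entries = entries (entries ? " " : "") $2 ":" $4
        }
        END { print "APP_WHITELIST=\"" entries "\"" }'
}

# Usage on a real box: rkhunter -c --sk 2>&1 | app_whitelist_line
# Paste the printed line into /etc/rkhunter.conf (replacing any existing
# APP_WHITELIST line). With the sample input it prints:
# APP_WHITELIST="gpg:1.4.9 openssl:0.9.8g php:5.2.6 sshd:5.1p1"
sample_warnings | app_whitelist_line
```

Because each entry names the exact Lenny version, an apt-get upgrade to a newer package makes the entry stop matching, so nothing has to be removed from the whitelist by hand.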
I've noticed that too, and know that I can whitelist and/or disable the application check. But what's the use of a program's functionality if you have to disable parts of it? The versions I'm running are pretty well up to date according to the repositories, so I really wouldn't like to disable the checks or whitelist the programs that have 'old' versions.
If I disable the option I'll have to enable again when the newest versions are available in the repositories or delete them from the whitelist.
My update/upgrade with apt-get is working good and in my opinion so should the rkhunter tool. There's no use for an 'automated' utility when you have to drop down to manual administration for parts of it. Or am I seeing this wrong?
Whitelisting works just like win32sux indicated and the same will be confirmed in recent posts to the rkhunter-users mailing list. I don't deal with opinions in cases like these so if you think RKH is not doing its job then by all means submit your ideas to the rkhunter-users mailing list and attach your improvement patches to a bug tracker ticket, TIA.
It seems to me that rkhunter is very up-to-date. That is why it is (correctly) complaining that some of your software is "out of date". This is, of course, the way it should be.
apt-get (So I guess you are running Debian, or a derivative) always lags for me. The versions it offers are rarely the latest.
The problem boils down to: Do you want "Bleeding edge", "Cutting edge" or just "Stable"?
If you want:
- "Bleeding edge" you might have to update (and perhaps recompile) hourly, and there may well be problems.
- "Cutting edge" once every few days and there still may be problems.
- "Stable" once every few months, and it'll probably be OK from the functionality aspect, but your security may be out of date. That said, most distros post important security updates very quickly.
There's a two way balancing act here: Security and / or Stability.
Thanks for the thorough explication. Yes, I'm using Debian as server for its stability. I know that the security patches are available quite fast. Because of our production environment I have to give preference to stability and thus will whitelist the applications in RKHUNTER.