LinuxQuestions.org
Old 12-01-2009, 01:07 AM   #1
EricTRA
rkhunter warning about 'old' versions


Hi all,

I have an issue with rkhunter on my servers. Yesterday I installed the newest version 1.3.6 on a test server and noticed that I got warnings for several programs that appear to be old versions according to rkhunter. This while the server in question is fully updated with apt-get. I was looking into that yesterday.

Today when rkhunter got its updates all of a sudden I'm getting the same warning from version 1.3.4:
Code:
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Versions available on the web, for example:
gpg -> 1.4.10
openssl -> 0.9.8l

I've checked the web and there are indeed newer versions (non major) available but apparently not yet in the repositories used by apt-get on my Debian Lenny servers.

How do I handle this? I'm relying on apt-get to keep my servers up to date so a little strange if I have to start updating manually because rkhunter complains.

Kind regards,

Eric
 
Old 12-01-2009, 01:25 AM   #2
win32sux
There's this in the Rootkit Hunter FAQ:
Quote:
3.2) Rootkit Hunter tells me that I have an out-of-date or unsecure
application installed. But I have fully patched my server!
How is this possible?

A. Some distributions, for example Red Hat and OpenBSD, do patch
old versions of software. However, Rootkit Hunter thinks it is
an old version, and so sees it as being unsecure.

It is possible to whitelist specific applications, or specific
versions of an application. The configuration file contains more
details about this.

If you wish you can skip the application version check completely
by adding the 'apps' test name to the DISABLE_TESTS option in your
rkhunter configuration file.
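
The version-specific whitelisting the FAQ describes, as an added example that is not part of the thread or of rkhunter: the script turns the warnings quoted in the first post into an APP_WHITELIST line. The option name and its space-separated name:version syntax are taken from the comments in the stock rkhunter configuration file, not from this page, so confirm them against your installed version.

```shell
#!/bin/sh
# Turn rkhunter "out of date" warnings into a version-pinned APP_WHITELIST line.
# Pinning name:version (instead of the bare name, or adding 'apps' to
# DISABLE_TESTS) keeps the check alive: once apt-get installs a different
# version, the entry no longer matches and rkhunter evaluates the package again.

# Constructed sample input: the four warnings quoted in the first post.
sample_warnings() {
cat <<'EOF'
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
EOF
}

# Read rkhunter output or log lines on stdin, print unique name:version pairs.
# Only [A-Za-z0-9._+-] is accepted, so a malformed line cannot inject quotes
# or extra options into the generated config line.
extract_pairs() {
    ok='[A-Za-z0-9._+-]\{1,\}'
    sed -n "s/^.*Warning: Application '\($ok\)', version '\($ok\)', is out of date.*/\1:\2/p" |
        sort -u
}

# Print the config line; return 1 (and print nothing) if no warning matched.
build_whitelist() {
    pairs=$(extract_pairs | tr '\n' ' ')
    pairs=${pairs% }
    [ -n "$pairs" ] || return 1
    printf 'APP_WHITELIST="%s"\n' "$pairs"
}

# Stand-alone run on the sample; on a server feed /var/log/rkhunter.log instead.
sample_warnings | build_whitelist
```

Review the generated line before pasting it into the rkhunter configuration file, and confirm each listed version is the one your distribution currently ships with its security patches.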
 
Old 12-01-2009, 01:32 AM   #3
EricTRA
Hi win32sux,

I've noticed that too, and know that I can whitelist and/or disable the application check. But what's the use of a program's functionality if you have to disable parts of it? The versions I'm running are pretty good up to date according to the repositories, so I really wouldn't like to disable the checks or whitelist the programs that have 'old' versions.

If I disable the option I'll have to enable it again when the newest versions are available in the repositories or delete them from the whitelist.

My update/upgrade with apt-get is working well and in my opinion so should the rkhunter tool. There's no use for an 'automated' utility when you have to drop down to manual administration for parts of it. Or am I seeing this wrong?

Kind regards,

Eric
 
Old 12-01-2009, 03:04 AM   #4
unSpawn
Quote:
Originally Posted by EricTRA
My update/upgrade with apt-get is working well and in my opinion so should the rkhunter tool. There's no use for an 'automated' utility when you have to drop down to manual administration for parts of it. Or am I seeing this wrong?

Whitelisting works just like win32sux indicated and the same will be confirmed in recent posts to the rkhunter-users mailing list. I don't deal with opinions in cases like these so if you think RKH is not doing its job then by all means submit your ideas to the rkhunter-users mailing list and attach your improvement patches to a bug tracker ticket, TIA.
 
Old 12-01-2009, 03:19 AM   #5
EricTRA
Hi unSpawn,

I didn't mean to offend you, just was stating an opinion. My apologies.

Kind regards,

Eric
 
Old 12-01-2009, 01:00 PM   #6
unSpawn
I'm not offended at all and no apologies are necessary. If you think it needs improvement then you're more than welcome to do something about it.
 
Old 12-01-2009, 04:10 PM   #7
tredegar
It seems to me that rkhunter is very up-to-date. That is why it is (correctly) complaining that some of your software is "out of date". This is, of course, the way it should be.

apt-get (So I guess you are running Debian, or a derivative) always lags for me. The versions it offers are rarely the latest.

The problem boils down to: Do you want "Bleeding edge", "Cutting edge" or just "Stable"?

If you want:

- "Bleeding edge" you might have to update (and perhaps recompile) hourly, and there may well be problems.
- "Cutting edge" once every few days and there still may be problems.
- "Stable" once every few months, and it'll probably be OK from the functionality aspect, but your security may be out of date. That said, most distros post important security updates very quickly.

There's a two way balancing act here: Security and / or Stability.

It is a difficult choice.
 
Old 12-02-2009, 12:04 AM   #8
EricTRA
Hello,

Thanks for the thorough explication. Yes, I'm using Debian as server for its stability. I know that the security patches are available quite fast. Because of our production environment I have to give preference to stability and thus will whitelist the applications in RKHUNTER.

Thanks all for the advice and input.

Kind regards,

Eric
 
  

