On Thu, 14 Sep 2023, 06:00 Francois Marier, <[email protected]> wrote:
> On 2023-09-13 at 14:15:53, Moritz Mühlenhoff ([email protected]) wrote:
> > https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
>
> My summary of this is: it's possible to figure out what files/ports/etc.
> rkhunter is looking for by looking at the log file.
>
> That log file is:
>
>     -rw-r----- 1 root adm 502K 13 sep 07:41 rkhunter.log
>
> and on my machine that means only root and logcheck can see it:
>
>     $ grep adm /etc/group
>     adm:x:4:logcheck
>
> Of course, it's also possible to find out what files/ports/etc. rkhunter is
> looking for by looking in /usr/share/rkhunter/scripts/ or looking at the
> source code
> (https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).
>
> So am I missing something here or is this simply not relevant given the
> rkhunter threat model of being an Open Source tool with a public database?
>
> Francois

I don't think you are missing anything. The CVE links to a GitHub gist which boils down to "I can write a rootkit that rkhunter doesn't detect, because I can find what strings rkhunter looks for in a log". As you say, the strings are in the source code anyway.

And calling this a security issue is a bit odd really. rkhunter detects a number of known rootkits with some quite basic string matching; it can't possibly detect arbitrary variations. Possibly they have over-interpreted the "hunter" part of the name rkhunter!
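The question in the thread reduces to "who can actually read rkhunter.log?". The following is an added example, not code from the thread or from the rkhunter project: a small POSIX shell audit that turns a file's mode, owner and group plus a group database into the list of accounts that can read it, so the `-rw-r----- root adm` / `adm:x:4:logcheck` reasoning above can be checked on any host. The group file used in the demo is constructed here for illustration; `file_readers` is a convenience wrapper that reads a real file with GNU `stat` and is not exercised in the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter). Works out who can read a
# log file from its permission bits, owner, group and a group(5)-style database.
#
# log_readers MODE OWNER GROUP GROUPFILE
#   prints "everyone" if the file is world-readable, otherwise the sorted,
#   de-duplicated accounts that can read it (root is always included, since
#   root bypasses discretionary access checks).
# Caveat: users whose *primary* gid is the group are not listed in the
# group file's member field; a full answer would also consult /etc/passwd.
log_readers() {
    mode=$(printf '%s' "$1" | sed 's/^0*//')   # "0640" -> "640", treat as digits
    owner=$2; group=$3; groupfile=$4
    u=$(( (mode / 100) % 10 ))                 # user class bits
    g=$(( (mode / 10) % 10 ))                  # group class bits
    o=$(( mode % 10 ))                         # other class bits
    if [ $(( o & 4 )) -ne 0 ]; then            # read bit set for "other"
        echo "everyone"
        return 0
    fi
    readers="root"
    [ $(( u & 4 )) -ne 0 ] && readers="$readers $owner"
    if [ $(( g & 4 )) -ne 0 ]; then
        # member list is field 4, comma-separated
        members=$(awk -F: -v grp="$group" '$1 == grp { gsub(",", " ", $4); print $4 }' "$groupfile")
        readers="$readers $members"
    fi
    printf '%s\n' $readers | sort -u | paste -sd' ' -
}

# file_readers LOGFILE [GROUPFILE]: same check against a real file.
# Uses GNU stat (-c); on BSD/macOS use `stat -f '%Lp %Su %Sg'` instead.
file_readers() {
    groupfile=${2:-/etc/group}
    set -- $(stat -c '%a %U %G' "$1")
    log_readers "$1" "$2" "$3" "$groupfile"
}

# Constructed demo group database (not a real /etc/group), mirroring the
# thread: adm contains only logcheck.
DEMO_GROUP=$(mktemp)
trap 'rm -f "$DEMO_GROUP"' EXIT
printf 'root:x:0:\nadm:x:4:logcheck\nsyslog:x:104:\n' > "$DEMO_GROUP"

echo "mode 640 root:adm -> $(log_readers 640 root adm "$DEMO_GROUP")"   # logcheck root
echo "mode 644 root:adm -> $(log_readers 644 root adm "$DEMO_GROUP")"   # everyone
echo "mode 600 root:adm -> $(log_readers 600 root adm "$DEMO_GROUP")"   # root
```

Running `file_readers /var/log/rkhunter.log` on a host gives the same kind of answer for the real file; if it prints "everyone", the log leaks the scan targets to every local user, which is the only case where the gist's observation adds anything beyond what the public scripts already reveal.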

