Bug#932594: Handle /usr/bin/egrep etc

2021-12-17 Thread Richard Lewis
On Wed, 15 Dec 2021 21:29:35 +1300 Andrew Ruthven wrote:

> I have just spent a little bit of time digging into this, as I want
> rkhunter to work (almost) turnkey, without needing users to have to
> customise any configuration files.

I'm just a fellow user here - when I started using this package some
years ago I thought a turnkey approach would be good, but over time I
have come to take a different view.

Scanning packages like rkhunter (and chkrootkit, checksecurity, tiger,
etc, etc) can't realistically cope with every possible Debian system,
and I don't think they should try.

I think there is more benefit from being told that things have changed
from some baseline (expected position), even if the baseline itself
needs adjusting. And that it should not be Debian's goal, in my
opinion, to eliminate warnings caused by Debian packages (other than
those from essential:yes packages) as long as the warnings can be
silenced - rkhunter does pretty well here.

If grep moves from /usr/bin to /bin or the other way, I want to be
told, not have the scanner adjust itself. If a new lwp-release script
appears I want to be told - even if the explanation is "because that
package got installed" (this does assume there is a reason to check if
lwp-release is a script - I'm not actually sure this is true given the
automatic updates are now disabled, but that's another story).

(I appreciate that it is entirely reasonable to disagree with this, I
just wanted to share my view)

(personally, I would leave usrmerge the default and close this bug as
you can already edit the rkhunter.conf to say where grep is located)



Bug#932594: Handle /usr/bin/egrep etc

2021-12-15 Thread Andrew Ruthven
Hey,

I have just spent a little bit of time digging into this, as I want
rkhunter to work (almost) turnkey, without needing users to have to
customise any configuration files.

In answer to John, sadly EXISTWHITELIST doesn't handle this situation,
it says that the listed files/directories don't need to exist.
However we need to tell rkhunter that egrep and fgrep are allowed to be
scripts.

My approach has been twofold so far, and this feels really really
ugly, but, oh well.

If we modify /etc/default/rkhunter then it can modify
/etc/rkhunter.conf before we run rkhunter via either cron or apt. So
even if there is a transient change, it'll get picked up and corrected
eventually. I added this to /etc/default/rkhunter.conf (I also made it
handle lwp-request being present, since I hit that as well):

-- BEGIN --
# Okay, this is ugly, modify rkhunter.conf to be able to know where fgrep and
# egrep are. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932594
if [ -f /bin/fgrep ]
then
    # grep -q reports a match through its exit status, so test it directly.
    if grep -q "SCRIPTWHITELIST=/usr/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/fgrep,SCRIPTWHITELIST=/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/usr/bin/egrep,SCRIPTWHITELIST=/bin/egrep,' \
            /etc/rkhunter.conf
    fi
elif [ -f /usr/bin/fgrep ]
then
    if grep -q "SCRIPTWHITELIST=/bin/egrep" /etc/rkhunter.conf
    then
        sed -i 's,^SCRIPTWHITELIST=/bin/fgrep,SCRIPTWHITELIST=/usr/bin/fgrep,' \
            /etc/rkhunter.conf
        sed -i 's,^SCRIPTWHITELIST=/bin/egrep,SCRIPTWHITELIST=/usr/bin/egrep,' \
            /etc/rkhunter.conf
    fi
fi

# If lwp-request is present, then we need SCRIPTWHITELIST for it.
if [ -f /usr/bin/lwp-request ]
then
    # Uncomment the shipped (commented-out) whitelist entry if it is there.
    if grep -q "^#SCRIPTWHITELIST=/usr/bin/lwp-request" /etc/rkhunter.conf
    then
        sed -i 's,^#\(SCRIPTWHITELIST=/usr/bin/lwp-request\),\1,' \
            /etc/rkhunter.conf
    fi
fi
-- END --

Then in /usr/share/rkhunter/scripts/rkhupd.sh we add near the top:

-- BEGIN --
. /etc/default/rkhunter
-- END --

I'm sorry.
-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud:   | This space intentionally left blank
 https://catalystcloud.nz |
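
A read-only counterpart to the snippet above, as an added example that is not part of either message or of rkhunter itself: it reports which SCRIPTWHITELIST entries no longer match a script on disk, and which commented-out entries now do, without editing rkhunter.conf. The function names, the status words and the root-prefix argument are assumptions made for this example, as are treating one path per SCRIPTWHITELIST line and any regular file starting with `#!` as a script.

```shell
#!/bin/sh
# Added example (not rkhunter code): read-only audit of SCRIPTWHITELIST lines.
# Assumptions: one path per line, as in the sed patterns in the message; a
# "script" is approximated as a regular file starting with "#!"; the second
# argument is a hypothetical root prefix so a constructed tree can be checked.

is_script() {
    [ -f "$1" ] && [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "2321" ]
}

# Prints one "STATUS path" line per entry; returns 1 if anything needs review.
audit_scriptwhitelist() {
    conf=$1; root=${2:-}; rc=0
    while IFS= read -r line; do
        case $line in
            SCRIPTWHITELIST=*)    active=1; path=${line#SCRIPTWHITELIST=} ;;
            '#SCRIPTWHITELIST='*) active=0; path=${line#?SCRIPTWHITELIST=} ;;
            *) continue ;;
        esac
        if is_script "$root$path"; then
            if [ "$active" -eq 1 ]; then echo "OK $path"
            else echo "COMMENTED_BUT_PRESENT $path"; rc=1; fi
        elif [ "$active" -eq 1 ]; then
            if [ -e "$root$path" ]; then echo "NOT_A_SCRIPT $path"
            else echo "MISSING $path"; fi
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample tree: egrep is a script under /usr/bin, the config still
# whitelists /bin/fgrep, and lwp-request exists but its entry is commented out.
make_sample() {
    t=$(mktemp -d) && mkdir -p "$t/usr/bin" "$t/etc" || return 1
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$t/usr/bin/egrep"
    printf '#!/usr/bin/perl\n' > "$t/usr/bin/lwp-request"
    printf '%s\n' 'SCRIPTWHITELIST=/usr/bin/egrep' 'SCRIPTWHITELIST=/bin/fgrep' \
        '#SCRIPTWHITELIST=/usr/bin/lwp-request' > "$t/etc/rkhunter.conf"
    echo "$t"
}

sample=$(make_sample) || exit 1
audit_scriptwhitelist "$sample/etc/rkhunter.conf" "$sample" || echo "review needed"
rm -rf "$sample"
```

On a real system the call would be `audit_scriptwhitelist /etc/rkhunter.conf`, with the output reviewed by hand before any whitelist line is changed.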