Bug#626643: rkhunter: Multiple ALLOWPROCDELFILE options not working anymore

2011-05-13 Thread Francois Marier
Package: rkhunter
Version: 1.3.8-4
Severity: normal

Among other things, when the daily cronjob runs, I get the following
processes with open deleted files:

  Process: /usr/bin/kdeinit4        PID: 599     File: /dev/pts/2
  Process: /usr/bin/gnome-terminal  PID: 4971    File: /tmp/vteLAK4UV

If I put this in my /etc/rkhunter.conf.local:

  ALLOWPROCDELFILE=/usr/bin/kdeinit4

then the first one disappears and I'm left with:

  Process: /usr/bin/gnome-terminal  PID: 4971    File: /tmp/vteLAK4UV

However, if I put this in my /etc/rkhunter.conf.local:

  ALLOWPROCDELFILE=/usr/bin/kdeinit4
  ALLOWPROCDELFILE=/usr/bin/gnome-terminal

then none of them are filtered and I'm left with the original two:

  Process: /usr/bin/kdeinit4        PID: 599     File: /dev/pts/2
  Process: /usr/bin/gnome-terminal  PID: 4971    File: /tmp/vteLAK4UV

The same problem exists if I merge the two options into a single option:

  ALLOWPROCDELFILE=/usr/bin/kdeinit4 /usr/bin/gnome-terminal

Cheers,
Francois

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38.6-grsec+ (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils  2.21.51.20110421-3 The GNU assembler, linker and bina
ii  debconf [debconf-2.0] 1.5.39 Debian configuration management sy
ii  file  5.04-5+b1  Determines file type using magic
ii  net-tools 1.60-23The NET-3 networking toolkit
ii  perl  5.10.1-20  Larry Wall's Practical Extraction 
ii  ucf   3.0025+nmu2Update Configuration File: preserv

Versions of packages rkhunter recommends:
ii  curl   7.21.6-1  Get a file from an HTTP, HTTPS or 
ii  iproute20110315-1networking and traffic control too
ii  lsof   4.81.dfsg.1-1 List open files
ii  postfix [mail-transport-ag 2.8.3-1   High-performance mail transport ag
pn  unhide none(no description available)
pn  unhide.rb  none(no description available)
ii  wget   1.12-3.1  retrieves files from the web

Versions of packages rkhunter suggests:
ii  libdigest-sha1-perl 2.13-1   NIST SHA-1 message digest algorith
pn  libdigest-whirlpool-per none   (no description available)
ii  liburi-perl 1.58-1   module to manipulate and access UR
ii  libwww-perl 6.01-3   simple and consistent interface to
ii  mailutils [mailx]   1:2.2+dfsg1-3+b1 GNU mailutils utilities for handli
ii  powermgmt-base  1.31 Common utils and configs for power
pn  tripwirenone   (no description available)

-- Configuration Files:
/etc/cron.daily/rkhunter changed [not included]
/etc/default/rkhunter changed [not included]

-- debconf information:
* rkhunter/apt_autogen: yes
* rkhunter/cron_daily_run: yes
* rkhunter/cron_db_update: yes



___
forensics-devel mailing list
forensics-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/forensics-devel
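The report above says that rkhunter 1.3.8-4 honoured a single ALLOWPROCDELFILE line but neither a repeated line nor a space-separated list. As an added illustration (not rkhunter's own code, and not a claim about how its get_option behaves), the POSIX sh helpers below collect a multi-valued option from /etc/rkhunter.conf plus the optional .local file so that both forms contribute every path, and then apply the whitelist to report lines in the "Process: ... PID: ... File: ..." layout quoted above. The config contents, process names and deleted-file paths are constructed for the demo.

```shell
# Added example, not rkhunter's code. Config lines and report lines are constructed.

# Print one value per line for multi-valued option $1 read from config files $2...;
# a repeated "OPT=..." line and a single "OPT=a b c" line both contribute every path.
collect_multi_option() {
  opt=$1; shift
  # -h: never prefix matches with the file name; -s: an absent rkhunter.conf.local is fine
  grep -hs "^${opt}=" "$@" |
    sed "s/^${opt}=//" |
    tr ' ' '\n' |
    sed '/^$/d'
}

# Drop report lines whose process pathname is whitelisted. Input lines use the
# "Process: <path> PID: <n> File: <file>" layout of the daily report; $1 is the
# newline-separated whitelist produced by collect_multi_option.
filter_deleted_files() {
  awk -v wl="$1" '
    BEGIN { n = split(wl, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") allow[a[i]] = 1 }
    $1 == "Process:" && !($2 in allow) { print }
  '
}

# One plain line in the main file, one space-separated line in the .local file:
# the two forms the bug report says were not accepted together.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'ALLOWPROCDELFILE=/usr/bin/kdeinit4' > "$tmp/rkhunter.conf"
  printf '%s\n' 'ALLOWPROCDELFILE=/usr/bin/gnome-terminal /usr/lib/firefox/firefox' > "$tmp/rkhunter.conf.local"
  wl=$(collect_multi_option ALLOWPROCDELFILE "$tmp/rkhunter.conf" "$tmp/rkhunter.conf.local" "$tmp/absent.conf")
  # Constructed report lines: the first two are whitelisted, the third must survive.
  printf '%s\n' \
    'Process: /usr/bin/kdeinit4 PID: 599 File: /dev/pts/2' \
    'Process: /usr/bin/gnome-terminal PID: 4971 File: /tmp/vteLAK4UV' \
    'Process: /usr/local/bin/unknownd PID: 812 File: /tmp/libfoo.so' |
    filter_deleted_files "$wl"
  rm -rf "$tmp"
}
```

Whitelisting by process pathname only, as the option name suggests, keeps the check useful: a process that is not on the list is still reported whatever deleted file it holds open, and the demo's third line shows that.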


Bug#751347: grep: write error

2014-07-19 Thread Francois Marier
Adding set +x to the top of /usr/bin/rkhunter, here's where that error
comes from:

  + [ -n /usr/bin/lsof ]
  + FOUND=0
  + WHITEPROC=
  + BLACKPROC=
  + /usr/bin/lsof -wnlP +c 0
  + grep (dele
  + head -n 1
  grep: write error
  + DELE_FILES=git  4132   10002u  CHR  136,0  0t0  3 /dev/pts/0 (deleted)
  + [ -n git  4132   10002u  CHR  136,0  0t0  3 /dev/pts/0 (deleted) ]
  + PIDLIST=
  + get_option 2 multi ALLOWPROCDELFILE
  + OPTTYPE=2
  + OPTMULTI=multi
  + OPTV=ALLOWPROCDELFILE
  + grep -h ^ALLOWPROCDELFILE= /etc/rkhunter.conf /etc/rkhunter.conf.local

It looks like it comes from the optional PROCDEL module (which I have turned
ON). However, if I run the offending command manually:

  /usr/bin/lsof -wnlP +c 0 | grep '(dele' | head -n 1

that works just fine.

I don't know what that error even means. There's plenty of free space on all
of my disk partitions.

Francois

-- 
Francois Marier   identi.ca/fmarier
http://fmarier.org  twitter.com/fmarier

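The "grep: write error" in the trace above is what grep reports when `head -n 1` has already exited and grep's next write into the closed pipe fails with EPIPE. Run by hand, grep is killed silently by SIGPIPE and the error never shows; under a parent that ignores SIGPIPE (as some cron and mail setups do) grep survives the signal, sees the failed write and complains. The example below is added here and is not rkhunter's code: it reproduces the message with SIGPIPE ignored and a constructed stream of lsof-like lines, then shows the hardened pipeline, where grep stops itself after the first match (`-m 1`, GNU and BSD grep) so nothing is left writing into a closed pipe.

```shell
# Added example, not rkhunter's code. The lsof-like lines are constructed; the count is
# large so that grep has to write more than once before head has closed its end.

# The pipeline exactly as the trace shows it, run with SIGPIPE ignored so grep cannot be
# killed quietly. Returns whatever grep wrote to stderr (other tools' noise is filtered).
first_deleted_noisy() {
  ( trap '' PIPE
    seq 200000 | sed 's#$# 1000 2u CHR 136,0 0t0 3 /dev/pts/0 (deleted)#' |
      grep '(dele' | head -n 1
  ) 2>&1 >/dev/null | grep '^grep:'
}

# Hardened form: grep exits after the first match, so there is no writer left behind,
# no stray error in the cron mail, and the exit status reflects the check itself.
first_deleted_quiet() {
  seq 200000 | sed 's#$# 1000 2u CHR 136,0 0t0 3 /dev/pts/0 (deleted)#' |
    grep -m 1 '(dele'
}
```

The same reasoning explains why the interactive run in the message works: in a normal terminal SIGPIPE is not ignored, so grep simply dies when head goes away and the output looks clean.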


Bug#743725: Fixed in 1.4.2-0.1 NMU

2014-10-14 Thread Francois Marier
I have just uploaded an NMU of the latest upstream to the DELAYED/4
queue. If it's accepted, it will hopefully bring that version to jessie.

Francois

-- 
Francois Marier   identi.ca/fmarier
http://fmarier.org  twitter.com/fmarier



Bug#765911: rkhunter: 1.4.2-0.1 breaks the apt hook

2014-10-19 Thread Francois Marier
Package: rkhunter
Version: 1.4.2-0.1
Severity: normal

The last NMU broke the apt hook. After installing/removing packages, we now
get the following error message:

  Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/sbin/prelink
  E: Problem executing scripts DPkg::Post-Invoke 'if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi'
  E: Sub-process returned an error code

While it doesn't interfere with apt, it breaks rkhunter db updates for
those people that don't have the prelink package installed.

The fix is to comment out this line in /etc/rkhunter.conf:

  SCRIPTWHITELIST=/usr/sbin/prelink

Francois



Bug#765912: rkhunter: 1.4.2-0.2 NMU

2014-10-19 Thread Francois Marier
Package: rkhunter
Version: 1.4.2-0.1
Severity: normal

This second NMU is a follow-up to my last one to fix a regression
introduced in the conffile of 1.4.2-0.1 (bug #765911).

Since I was editing the conffile, I also took the opportunity to
tweak a comment and fix bug #765901.

Full debdiff is attached.

Francois
diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog
--- rkhunter-1.4.2/debian/changelog	2014-10-15 00:05:04.0 +1300
+++ rkhunter-1.4.2/debian/changelog	2014-10-19 20:14:41.0 +1300
@@ -1,3 +1,11 @@
+rkhunter (1.4.2-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix apt hook (closes: #765911)
+  * Mention unhide.rb in conffile comment (closes: #765878)
+
+ -- Francois Marier franc...@debian.org  Sun, 19 Oct 2014 20:07:10 +1300
+
 rkhunter (1.4.2-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
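Review bot: the new changelog entry closes #765878 for the unhide.rb comment, while the cover message of this NMU says the conffile tweak fixes bug #765901; one of the two numbers is wrong, and since the `closes:` tag is what actually closes the report at accept time, please reconcile them before upload.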
diff -Nru rkhunter-1.4.2/debian/patches/05_custom_conffile.diff rkhunter-1.4.2/debian/patches/05_custom_conffile.diff
--- rkhunter-1.4.2/debian/patches/05_custom_conffile.diff	2014-10-15 00:05:04.0 +1300
+++ rkhunter-1.4.2/debian/patches/05_custom_conffile.diff	2014-10-19 20:14:41.0 +1300
@@ -36,8 +36,8 @@
  # either of the options below are specified, then they will override the
  # program defaults.
  #
-+# hidden_procs test requires the unhide command which is part of the unhide
-+# package in Debian.
++# hidden_procs test requires the unhide and/or unhide.rb commands which are
++# part of the unhide respectively unhide.rb packages in Debian.
 +#
 +# apps test is disabled by default as it triggers warnings about outdated
 +# applications (and warns about possible security risk: we better trust
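Review bot: the rewritten comment `++# part of the unhide respectively unhide.rb packages in Debian.` reads awkwardly; suggest `# part of the unhide and unhide.rb packages in Debian, respectively.` so the sentence parses on first reading.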
@@ -71,7 +71,7 @@
 +SCRIPTWHITELIST=/usr/bin/ldd
 +SCRIPTWHITELIST=/usr/bin/lwp-request
 +SCRIPTWHITELIST=/usr/sbin/adduser
-+SCRIPTWHITELIST=/usr/sbin/prelink
++#SCRIPTWHITELIST=/usr/sbin/prelink
 +#SCRIPTWHITELIST=/usr/bin/unhide.rb
  
  #
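Review bot: commenting out `SCRIPTWHITELIST=/usr/sbin/prelink` removes the "Non-existent pathname" abort reported in #765911, but the conffile now ships two disabled whitelist entries (prelink and unhide.rb) with nothing telling the admin when to enable them; add a comment above this block saying these lines should be uncommented only on hosts where the corresponding package is installed, otherwise rkhunter refuses the configuration and the apt-hook db update stops working as shown in that report.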

Bug#766096: rkhunter: The daily cronjob in 1.4.2-0.2 has warnings

2014-10-20 Thread Francois Marier
Package: rkhunter
Version: 1.4.2-0.2
Severity: normal

rkhunter sends the following email once a day:

  From: root root@hostname
  To: root@hostname
  Subject: [rkhunter] hostname - Daily report
  
  Invalid RTKT_FILE_WHITELIST configuration option: Non-existent pathname:
  /etc/init.d/hdparmSP/etc/init.d/.depend.stopSP/etc/init.d/checkroot.shSP/etc/init.d/.depend.boot

I intend to prepare a fix for this after 1.4.2-0.2 makes it to testing,
and then ask the trivial fix (commenting out a few lines) to be considered
for a freeze exception in jessie.

Francois

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils   2.24.90.20141014-1
ii  debconf [debconf-2.0]  1.5.53
ii  file   1:5.20-1
ii  net-tools  1.60-26
ii  perl   5.20.1-1
ii  ucf3.0030

Versions of packages rkhunter recommends:
ii  curl7.38.0-2
ii  iproute 1:3.16.0-2
ii  lsof4.86+dfsg-1
ii  postfix [mail-transport-agent]  2.11.2-1
pn  unhide.rb | unhide  none
ii  wget1.15-1+b1

Versions of packages rkhunter suggests:
ii  bsd-mailx [mailx] 8.1.2-0.20140825cvs-1
ii  libdigest-whirlpool-perl  1.09-1+b2
ii  liburi-perl   1.64-1
ii  libwww-perl   6.08-1
ii  powermgmt-base1.31+nmu1
pn  tripwire  none

-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true



Bug#768396: rkhunter: 1.4.2-0.3 NMU

2014-11-06 Thread Francois Marier
Package: rkhunter
Version: 1.4.2-0.2
Severity: normal

This NMU fixes a new bug (#767731) introduced upstream in 1.4.2.

It consists of a new one-line patch (debian/patches/20_fix-ipcs-language.diff)
which I have also submitted upstream.

Full debdiff is attached.

Francois
diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog
--- rkhunter-1.4.2/debian/changelog	2014-10-19 20:14:41.0 +1300
+++ rkhunter-1.4.2/debian/changelog	2014-11-07 14:35:51.0 +1300
@@ -1,3 +1,10 @@
+rkhunter (1.4.2-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix IPCS command on non-English locales (closes: #767731)
+
+ -- Francois Marier franc...@debian.org  Fri, 07 Nov 2014 14:34:19 +1300
+
 rkhunter (1.4.2-0.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff
--- rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff	1970-01-01 12:00:00.0 +1200
+++ rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff	2014-11-07 14:35:51.0 +1300
@@ -0,0 +1,18 @@
+Description: Force english locale for ipcs call
+Author: Francois Marier franc...@debian.org
+Forwarded: https://sourceforge.net/p/rkhunter/patches/42/
+Last-Update: 2014-11-07
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767731
+Bug: https://sourceforge.net/p/rkhunter/bugs/130/
+
+--- a/files/rkhunter
 b/files/rkhunter
+@@ -13964,7 +13964,7 @@ ${FOUND_PROCS}
+ touch ${IPCS_TMPFILE}
+ FOUND=0; echo $FOUND  ${IPCS_TMPFILE}
+ 
+-if [ `${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then
++if [ `LANG=C ${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then
+ ${IPCS_CMD} -m | grep ^0x | while read RKH_SHM_KEY RKH_SHM_SHMID RKH_SHM_OWNER RKH_SHM_PERMS RKH_SHM_BYTES RKH_SHM_NATTACH RKH_SHM_STATUS; do
+ if [ $RKH_SHM_PERMS -eq 666 -a $RKH_SHM_BYTES -ge 100 ]; then
+ FOUND=1; echo $FOUND  ${IPCS_TMPFILE}
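Review bot: `LANG=C` on the `${IPCS_CMD} -u` call only takes effect when the environment has no `LC_ALL` or `LC_MESSAGES` set, because both override LANG; `LC_ALL=C ${IPCS_CMD} -u ...` is the robust prefix. The `awk` pattern `/segments allocated/` on the same line still matches an English string, so the locale override and the pattern now have to stay in step; a one-line comment saying so would help whoever next touches this line.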
diff -Nru rkhunter-1.4.2/debian/patches/series rkhunter-1.4.2/debian/patches/series
--- rkhunter-1.4.2/debian/patches/series	2014-10-19 20:14:41.0 +1300
+++ rkhunter-1.4.2/debian/patches/series	2014-11-07 14:35:51.0 +1300
@@ -1,3 +1,4 @@
 05_custom_conffile.diff
 10_fix-man.diff
 15_remove-empty-dir.diff
+20_fix-ipcs-language.diff

Bug#770242: Tentative patch

2014-11-28 Thread Francois Marier
The attached patch fixes installation when /etc/rkhunter.conf is missing.

-- 
Francois Marier   identi.ca/fmarier
http://fmarier.org  twitter.com/fmarier
commit f91d229ad51b19d52b979720f8a1edf1e2aea385
Author: Francois Marier franc...@debian.org
Date:   Sat Nov 29 00:27:20 2014 +1300

Work-around missing /etc/rkhunter.conf in postinst (closes: #770242)

diff --git a/debian/postinst b/debian/postinst
old mode 100644
new mode 100755
index 7179cff..d93fdd6
--- a/debian/postinst
+++ b/debian/postinst
@@ -35,7 +35,10 @@ case $1 in
 # Copy the passwd/group files to the TMP directory
 # to avoid warnings when rkhunter is first run.
 # This is normally done by the installer script.
-rkhtmpdir=$(grep '^TMPDIR' /etc/rkhunter.conf | sed 's/TMPDIR=//')
+rkhtmpdir=/var/lib/rkhunter/tmp
+if [ -e /etc/rkhunter.conf ]; then
+rkhtmpdir=$(grep '^TMPDIR' /etc/rkhunter.conf | sed 's/TMPDIR=//')
+fi
 [ -f $rkhtmpdir/passwd ] || cp -p /etc/passwd $rkhtmpdir /dev/null 21
 [ -f $rkhtmpdir/group ] || cp -p /etc/group $rkhtmpdir /dev/null 21
 
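Review bot: the new block guards against a missing /etc/rkhunter.conf but not against a conffile that has no active `TMPDIR` line (for example a commented `#TMPDIR=`), in which case `rkhtmpdir` ends up empty and the two `cp -p` lines below run with an empty destination; keep the default when grep finds nothing, e.g. add `[ -n "$rkhtmpdir" ] || rkhtmpdir=/var/lib/rkhunter/tmp` after the `fi`. Also, `grep '^TMPDIR'` without the `=` matches any option whose name merely starts with TMPDIR.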

Bug#770242: Broken postinst script?

2014-11-28 Thread Francois Marier
This bug looks similar to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765911 which got fixed in
1.4.2-0.3 by removing the /usr/sbin/prelink line from the config file.

> I've chosen to keep currently-installed version of /etc/rkhunter.conf

That's a problem and won't work because the configuration file format has
changed between 1.4.0 and 1.4.2. I don't think we necessarily can (or
should) fix this. Users should accept the new config file and merge their
changes manually.

> I did not dig deeper but it looks like something is broken in postinst
> configuration handling...

My patch should fix that problem.

Francois



Re: rkhunter is marked for autoremoval from testing

2014-11-28 Thread Francois Marier
On 2014-11-28 at 12:29:53, Michael Prokop wrote:
> * Francois Marier [Sat Nov 29, 2014 at 12:07:49AM +1300]:
> > On 2014-11-28 at 11:08:13, Michael Prokop wrote:
> > > * Debian testing autoremoval watch [Thu Nov 27, 2014 at 04:39:04AM +]:
> > > > rkhunter 1.4.2-0.3 is marked for autoremoval from testing on 2014-12-19
> > > >
> > > > It is affected by these RC bugs:
> > > > 770242: rkhunter: upgrade/post-install errors
> >
> > I've just commented on that bug, it looks fairly simple to fix.
>
> Great, thanks.

If someone else wants to take a look and review my patch (attached to the
bug), I can take care of uploading -0.4 tomorrow.

> Great, any chance that you're willing to help us out in maintaining
> rkhunter? If so it would be great if you could just join our
> forensics group at https://alioth.debian.org/projects/forensics/ -
> then as soon as I (or someone else with admin permissions) grants
> you access to the group you should have write permissions on our git
> repository too.

Sure, I can help with rkhunter, but I'm not really looking to maintain a lot
more packages :) So if that's alright with you, I'll stay off of the mailing
list and just subscribe to the rkhunter package.

Francois

-- 
Francois Marier   identi.ca/fmarier
http://fmarier.org  twitter.com/fmarier



Bug#765902: Suggestion?

2015-04-26 Thread Francois Marier
Hi Christoph,

I just pushed out a big update (1.4.2-1) to the dependencies and have
addressed a few of the things you pointed out.

Would you like to suggest actual wording (for the package description) for
the suggests/recommends that are left?

Francois



Bug#765898: rkhunter: default values of file/command/pathname exceptions

2015-04-28 Thread Francois Marier

On 2015-04-29 11:15, Christoph Anton Mitterer wrote:

> #SYSLOG_CONFIG_FILE=/etc/syslog.conf
> => while rkhunter will determine this automatically, it may still be nice to
>    set it to /etc/rsyslog.conf on Debian, since rsyslog is the default

I'm not sure I know enough about this (since it's working) to patch the
upstream source further.

> SCRIPTWHITELIST=/usr/bin/unhide.rb
> => maybe it also makes sense to un-comment that line, since rkhunter
>    Recommends unhide.rb and it's likely to be installed
>    See also bug #.

That's going to lead to a failure on machines that don't have it
unfortunately. At least until
http://sourceforge.net/p/rkhunter/feature-requests/41/ is fixed.

> INSTALLDIR=/usr
> => which isn't contained in the upstream default rkhunter.conf.
>    Is this perhaps just a leftover?

It could very well be. We'd have to test with and without.

> For the following, I'm not really sure why I didn't suggest sha512
> instead of sha256:
>
> HASH_CMD
> => As part of crypto strengthening, I'd probably suggest to set this to:
>
>    HASH_CMD=sha512sum

Isn't sha512sum slower than sha256sum? As long as sha256 is considered
strong, I would favour the more efficient tool.

> Further, I've seen you commented:
>
> #SCRIPTWHITELIST=/usr/bin/lwp-request
>
> It's also suggested by rkhunter... so similarly to unhide.rb,... it
> *may* make sense to have this enabled per default.
> But I have no strong opinion on either of the two.

See above comment.

Francois



Bug#791486: /usr/bin/rkhunter: 7439: [: Binary: unexpected operator

2015-08-03 Thread Francois Marier
On 2015-07-05 at 16:52:04, Pedro Beja wrote:
> doing an update I get the following error line:
>
> $ sudo rkhunter --update

[snip]

> /usr/bin/rkhunter: 7439: [: Binary: unexpected operator
>   Checking file i18n/tr                          [ No update ]
>   Checking file i18n/tr.utf8                     [ No update ]
> /usr/bin/rkhunter: 7439: [: Binary: unexpected operator
>   Checking file i18n/zh                          [ No update ]
>   Checking file i18n/zh.utf8                     [ No update ]

This seems to happen only on non-English locales. Try this (as root):

  LANG=C rkhunter --update

If I output the variables from line 7439 on a fr_CA locale, I get this:

  Checking rkhunter data files...
Checking file mirrors.dat  [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat[ No update ]
Checking file suspscan.dat [ No update ]
  PROG_VERS=2009091601; LATEST_VERS=2009091601
Checking file i18n/cn  [ No update ]
  PROG_VERS=2014010301; LATEST_VERS=2014010301
Checking file i18n/de  [ No update ]
  PROG_VERS=2013112401; LATEST_VERS=2013112401
Checking file i18n/en  [ No update ]
  PROG_VERS=Fichier binaire /var/lib/rkhunter/db/i18n/tr correspondant; LATEST_VERS=2014030201
  /usr/bin/rkhunter: 7440: [: Fichier: unexpected operator
Checking file i18n/tr  [ No update ]
  PROG_VERS=2014030201; LATEST_VERS=2014030201
Checking file i18n/tr.utf8 [ No update ]
  PROG_VERS=Fichier binaire /var/lib/rkhunter/db/i18n/zh correspondant; LATEST_VERS=2009091601
  /usr/bin/rkhunter: 7440: [: Fichier: unexpected operator
Checking file i18n/zh  [ No update ]
  PROG_VERS=2009091601; LATEST_VERS=2009091601
Checking file i18n/zh.utf8 [ No update ]

The attached patch to the cronjob in /etc is a work-around until this is
fixed upstream.

Francois
diff --git a/cron.weekly/rkhunter b/cron.weekly/rkhunter
index 6976920..e82cd5a 100755
--- a/cron.weekly/rkhunter
+++ b/cron.weekly/rkhunter
@@ -25,12 +25,12 @@ case $CRON_DB_UPDATE in
 echo To: $REPORT_EMAIL
 echo 
 $RKHUNTER --versioncheck --nocolors --appendlog
-$RKHUNTER --update --nocolors --appendlog
+LANG=C $RKHUNTER --update --nocolors --appendlog
 ) | /usr/sbin/sendmail $REPORT_EMAIL
 ;;
 *)
 $RKHUNTER --versioncheck --appendlog 1/dev/null 2$OUTFILE
-$RKHUNTER --update --appendlog 1/dev/null 2$OUTFILE
+LANG=C $RKHUNTER --update --appendlog 1/dev/null 2$OUTFILE
 ;;
 esac
 
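Review bot: `LANG=C` is overridden by `LC_ALL` (and `LC_MESSAGES`) when either is set in the cron environment, so `LC_ALL=C $RKHUNTER --update ...` is the safer prefix on both changed lines. This also only covers the weekly cron path: an interactive `rkhunter --update`, or any other caller of `--update`, still sees the localized grep output until the upstream fix lands, so the `LANG=C rkhunter --update` work-around given earlier in the thread deserves a mention in README.Debian or the changelog.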
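Two messages in this thread hit the same failure: a text tool emits localized output (grep's "Fichier binaire ... correspondant" above, ipcs under a non-English LANG in the 1.4.2-0.3 NMU) and a `[ ... -ne ... ]` test receives words instead of a number. The helpers below are an added example, not rkhunter's code. They force the C locale with `LC_ALL` (which, unlike `LANG`, overrides every `LC_*` variable), make grep read a file containing NUL bytes as text with `-a` so the "Binary file matches" notice never replaces the matching line, and refuse to compare anything that is not a plain decimal. The "Version:" header layout of the data files is an assumption made for the demo, not rkhunter's real file format.

```shell
# Added example, not rkhunter's code. Forces the C locale for the tool whose output
# is parsed, reads the file as text, and validates the value before it reaches "[".

# Print the version number recorded in file $1; prints nothing if it cannot be read.
# LC_ALL wins over LANG and every LC_* variable, so any notice grep prints is in English;
# -a makes grep print the matching line even when the file also holds NUL bytes.
read_version() {
  LC_ALL=C grep -a -m 1 '^Version:' "$1" 2>/dev/null | sed 's/^Version://'
}

# Succeed only for a non-empty run of decimal digits; anything else must not reach "-ne".
is_number() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Compare installed ($1 = data file) and latest ($2) versions without ever passing
# free text to the shell's numeric test. Prints update, current or unreadable.
version_state() {
  installed=$(read_version "$1")
  latest=$2
  if is_number "$installed" && is_number "$latest"; then
    if [ "$installed" -ne "$latest" ]; then echo update; else echo current; fi
  else
    echo unreadable
  fi
}

# Constructed data files; the "Version:" header is an assumption for this demo only.
demo() {
  tmp=$(mktemp -d)
  printf 'Version:2014030201\nMerhaba\n' > "$tmp/tr"
  printf 'Version:2009091601\n\000\n' > "$tmp/zh"      # NUL byte: grep would call this file binary
  printf 'Version:2013112401\n' > "$tmp/de"
  version_state "$tmp/tr" 2014030201       # current
  version_state "$tmp/zh" 2009091601       # current, not "[: Fichier: unexpected operator"
  version_state "$tmp/de" 2014010301       # update
  version_state "$tmp/missing" 2009091601  # unreadable
  rm -rf "$tmp"
}
```

The `is_number` gate is the part that turns a locale surprise into a visible "unreadable" result instead of a shell error buried in a cron mail: any future change in a tool's wording fails closed rather than producing a nonsensical comparison.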

Bug#816170: False positive deleted files after upgrade from wheezy to jessie

2016-07-03 Thread Francois Marier
On 2016-04-26 at 13:50:21, Klaus Ethgen wrote:
> Find attached a patch, cherry-picked from upstream, that fixes the
> issue. Particular, it is c4d6d8b, 1e5e79a and b4a21a8.

Which upstream repo did you pull that from?

The only repo I know about is a CVS one on Sourceforge:

  http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/

Francois

-- 
https://fmarier.org/



Bug#865972: #865972 - same problem of false positive regarding PermitRootLogin parameter

2017-08-09 Thread Francois Marier
On 2017-08-08 at 18:57:25, Jean-Marc wrote:
> So, if the default value "prohibit-password" is secure enough, maybe changing 
> this line
> 
> ALLOW_SSH_ROOT_USER=unset
> 
> can solve this.

It looks fine to me, but I'm not entirely sure that we should stop
recommending that root logins be disabled.

Also, if we disable the check, then it won't warn if someone has root logins
enabled with passwords.

I will leave it as it is for now.

Francois

-- 
https://fmarier.org/

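The point raised in this reply is that disabling the root-login check entirely would also silence the one case that matters, root logins with a password. As an added example (not rkhunter's code), the POSIX sh helpers below read the effective `PermitRootLogin` from sshd_config text and tell that case apart from key-only root access. The OpenSSH facts relied on: `sshd` uses the first occurrence of a keyword, the documented values are `yes`, `no`, `prohibit-password` (alias `without-password`) and `forced-commands-only`, the default has been `prohibit-password` since OpenSSH 7.0 (`yes` before), and `sshd -T` prints the effective configuration. The config snippets are constructed.

```shell
# Added example, not rkhunter's code. Input is constructed sshd_config text.

# Print the effective PermitRootLogin value from sshd_config text on stdin, lower-cased.
# sshd uses the first occurrence of a keyword, so the first hit wins; settings inside
# Match blocks apply only to matched connections and are deliberately left out here.
permit_root_login_value() {
  LC_ALL=C awk '
    tolower($1) == "permitrootlogin" { print tolower($2); exit }
    tolower($1) == "match" { exit }
  '
}

# Turn a value into a verdict. Only "yes" lets root authenticate with a password;
# prohibit-password (alias without-password) and forced-commands-only keep key-based
# root access, which is the distinction the thread turns on.
root_login_verdict() {
  case $1 in
    yes) echo 'warning: root may log in with a password' ;;
    no|prohibit-password|without-password|forced-commands-only) echo "ok: PermitRootLogin $1" ;;
    '') echo 'note: PermitRootLogin unset, default is prohibit-password since OpenSSH 7.0 (yes before); confirm with sshd -T' ;;
    *) echo "warning: unrecognised PermitRootLogin value '$1'" ;;
  esac
}

# Convenience wrapper for a configuration passed as one string.
check_sshd_config_text() {
  root_login_verdict "$(printf '%s\n' "$1" | permit_root_login_value)"
}
```

Keeping an explicit "unset" verdict matters for the argument in the thread: the safe default only holds on OpenSSH 7.0 and later, so a check that says nothing when the directive is absent should at least point the admin at `sshd -T` to confirm what the running daemon actually uses.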


Bug#868099: rkhunter: clean up legacy conffile

2017-07-11 Thread Francois Marier
On 2017-07-12 at 02:50:27, Christoph Anton Mitterer wrote:
> Apparently the package used to contain:
> /etc/default/rkhunter
> as a dpkg conffile but no longer does and ships it manually managed instead.
> 
> This file was however not properly cleaned up as conffile and is still marked 
> as such.
> Could you please to so in one of the next versions, so that
> people will get the clean up? :-)

Do you know what the correct way to do this is?

Francois



Re: Wheezy update of rkhunter?

2017-07-02 Thread Francois Marier
On 2017-07-02 at 16:46:40, Thorsten Alteholz wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of rkhunter:
> https://security-tracker.debian.org/tracker/CVE-2017-7480
> 
> Would you like to take care of this yourself?

I'm thinking of disabling updates (as per #765895) entirely once the current
fix has migrated to testing.

That should be a really easy fix to backport to stretch, jessie and wheezy.

Francois

-- 
https://fmarier.org/



Accepted rkhunter 1.4.6-1 (source all) into unstable

2018-02-25 Thread Francois Marier

Format: 1.8
Date: Fri, 23 Feb 2018 09:55:31 -0800
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Forensics <forensics-devel@lists.alioth.debian.org>
Changed-By: Francois Marier <franc...@debian.org>
Description:
 rkhunter   - rootkit, backdoor, sniffer and exploit scanner
Closes: 848666 887210
Changes:
 rkhunter (1.4.6-1) unstable; urgency=medium
 .
   * New upstream release
 .
   * Bump Standards-Version up to 4.1.3
   * Bump debhelper compatibility to 11
   * Remove trailing whitespace in debian/changelog
   * Switch VCS URLs to salsa.debian.org
   * Recommend s-nail instead of heirloom-mailx (closes: #848666)
   * Recommend e2fsprogs explicitly (closes: #887210)
   * Run "wrap-and-sort -ast"
 .
   * Switch to HTTPS URL for debian copyright format
   * Add myself to debian/copyright
   * Fixup upstream copyright based on homepage
   * Relicense packaging to GPL2+ with permission from Emanuele, Micah
 and Julien so that it matches the upstream license.
Checksums-Sha1:
 fc099ac1c96fae8275fb819492d520acfaaf3238 2056 rkhunter_1.4.6-1.dsc
 22e646dec315d7316d65a3366a30ff8e5644dcfc 303187 rkhunter_1.4.6.orig.tar.gz
 da12721d1a6ec07e1abefe64a7bb12ed9c49eb6b 26584 rkhunter_1.4.6-1.debian.tar.xz
 a992a55d90879de8c36a5b59245b7baab8eb94f9 255576 rkhunter_1.4.6-1_all.deb
 1318a248d08c1a7ef8364d41de0ed87efecc9cc4 5516 rkhunter_1.4.6-1_amd64.buildinfo
Checksums-Sha256:
 ed1b7209f13795307bdd7fd7714c1329b31826dceae863df72cf92194f2dd9f6 2056 rkhunter_1.4.6-1.dsc
 9c0f310583ff0dd8168010acd45c7d2e3a37e176300ac642269bce3d759ebda0 303187 rkhunter_1.4.6.orig.tar.gz
 f6d662fca1bf62291d5760da696cb86e72be5e3ee7686d1cf27b442c0fff1e7d 26584 rkhunter_1.4.6-1.debian.tar.xz
 08024065ed0826af2d056cb7e6207079f445ea1369ffa29ef6f332ab5d719c86 255576 rkhunter_1.4.6-1_all.deb
 e6f651aded6871a4d75e6a13be205dca66278066f379f92b51caa8dea4ab17ba 5516 rkhunter_1.4.6-1_amd64.buildinfo
Files:
 cad92c4e7b0ef71b19183df1f51a1bb1 2056 admin optional rkhunter_1.4.6-1.dsc
 54762d04ec7faa0736cc151271b02c06 303187 admin optional rkhunter_1.4.6.orig.tar.gz
 ce62539ff379e54d755b95a67d09936b 26584 admin optional rkhunter_1.4.6-1.debian.tar.xz
 d44ccada5797499a6cff62f12ec9d555 255576 admin optional rkhunter_1.4.6-1_all.deb
 350e5e20dfb6f4f756d882466dfb9857 5516 admin optional rkhunter_1.4.6-1_amd64.buildinfo





Accepted rkhunter 1.4.6-2 (source all) into unstable

2018-03-04 Thread Francois Marier

Format: 1.8
Date: Sun, 04 Mar 2018 09:18:26 -0800
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.6-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-secur...@tracker.debian.org>
Changed-By: Francois Marier <franc...@debian.org>
Description:
 rkhunter   - rootkit, backdoor, sniffer and exploit scanner
Closes: 892012
Changes:
 rkhunter (1.4.6-2) unstable; urgency=medium
 .
   [ Raphaël Hertzog ]
   * Update team maintainer address to Debian Security Tools
 .
   [ Francois Marier ]
   * Fix bashism (closes: #892012)
Checksums-Sha1:
 33c0e51179d5e2b71893eb1bea8bb8c09ffc7d04 2058 rkhunter_1.4.6-2.dsc
 683f3ba93f6a5442492db53c8e49890e8a2a3aa1 26880 rkhunter_1.4.6-2.debian.tar.xz
 384d0badc12c81fb1038b46517b74610c678e81c 255756 rkhunter_1.4.6-2_all.deb
 d89c126c03c28d726ca0fb2e7985f9b2588a377a 5516 rkhunter_1.4.6-2_amd64.buildinfo
Checksums-Sha256:
 0503096ff26a962093e6446782ba66b4eb522e9c4d9dfe9d5b0e150719555f9c 2058 rkhunter_1.4.6-2.dsc
 241192c9ce81e2ae17ce39b7136aefc821bcce88cc5e5675385f715da3c60fab 26880 rkhunter_1.4.6-2.debian.tar.xz
 16d643f80e0485b02b3caa5aa189f7a0593a68be97ffc2463033e669f5def7cb 255756 rkhunter_1.4.6-2_all.deb
 d3c0851e674edb4390797ca32e64041c3862db0e59a3b05028ef6dd5edf60a09 5516 rkhunter_1.4.6-2_amd64.buildinfo
Files:
 27d289dfa36c13ab186049519f2c 2058 admin optional rkhunter_1.4.6-2.dsc
 f26c78735345a30a2b61ce46c85dd31b 26880 admin optional rkhunter_1.4.6-2.debian.tar.xz
 d43e5cc54bdd0e7070b358922e61058a 255756 admin optional rkhunter_1.4.6-2_all.deb
 adba341c9f00b13d4a77484e118d2be0 5516 admin optional rkhunter_1.4.6-2_amd64.buildinfo


