Package: rkhunter
Version: 1.4.2-0.1
Severity: wishlist
Tags: security

Hi.

This is something for consideration: rkhunter has this "updating" functionality, which apparently downloads new stuff from the web, updates the mirrors list and so on. In a way I feel that this should be disabled (at least per default) in Debian for several reasons:

1) security

While I haven't checked rkhunter in specific, downloading stuff from the web, especially new code or pattern files or anything that is actually used by a program, is always really tricky and difficult. Signing alone is by far not enough, as this often still allows for blocking/downgrading attacks. Some time ago I've started a longer thread about this on debian-devel...

It seems to use wget/curl per default for downloading, which means at best everything is SSL/TLS secured,... which basically means no security at all. wget/curl both still use SSLv3 per default (which is broken since POODLE, at the latest)... and even worse,... any CA which is activated in the system (which is per default a big list, including such untrustworthy fellows as CNNIC) could forge certificates for the source-forge mirrors and potentially deliver our users forged files (if MitM attacks are possible as well). So I guess it's better to be sceptical... especially since rkhunter runs as root.

As I said, I don't wanna claim that rkhunter wouldn't do this cleanly, since I haven't checked it... but even if secure, there comes the following:

2) if packages "update" themselves, they circumvent the package management system, which not only does everything from (1) correctly... it should also be the central point of the system that updates software and its code, with only very few exceptions (typically highly volatile stuff like spam filter rules, or virus definition files). If anything new goes to rkhunter, it should go to Debian via a proper package upgrade, not via some of rkhunter's own update functions.

That being said,... if you agree, then I think the following changes to the default configuration hopefully do the job:

ROTATE_MIRRORS=0 (not strictly necessary)
UPDATE_MIRRORS=0 (do not update mirrors)
MIRRORS_MODE=1 (only use local mirrors, never even try to get anything remote)
UPDATE_LANG=en (do not update language files)
WEB_CMD=/bin/false (let any downloading fail)

Apart from that, --update seems to not work anyway (at least for me it always fails, even without the options from above).

Cheers,
Chris.
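The five settings proposed in the report can be audited mechanically. The following POSIX shell script is an added example, not part of the bug report or of the rkhunter package: it reads an rkhunter.conf, resolves the effective value of each key (last uncommented assignment wins, quotes and trailing comments stripped) and reports which of the proposed values are missing. The sample configuration it writes is constructed for the demonstration; on a real system you would point `audit_rkhunter_conf` at `/etc/rkhunter.conf` instead.

```shell
#!/bin/sh
# Added example (not from the bug report or rkhunter itself): check that an
# rkhunter.conf disables the self-update paths discussed in the report.

# Write a constructed sample config to the given path. It deliberately leaves
# UPDATE_MIRRORS enabled and WEB_CMD commented out so two checks fail.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample standing in for /etc/rkhunter.conf
ROTATE_MIRRORS=0
UPDATE_MIRRORS=1
MIRRORS_MODE=1   # local mirrors only
UPDATE_LANG="en"
#WEB_CMD=/bin/false
EOF
}

# Print the effective value of key $2 in config file $1.
# Commented-out lines never match; the last assignment wins; quotes and
# trailing "# ..." comments are stripped. Prints nothing if the key is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | tr -d '"'"'"
}

# Compare key $2 in config $1 against expected value $3.
# Prints one status line; returns 0 on match, 1 otherwise.
check_setting() {
    actual=$(conf_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'ok   %s=%s\n' "$2" "$3"
        return 0
    fi
    printf 'BAD  %s: expected %s, found "%s"\n' "$2" "$3" "${actual:-<unset>}"
    return 1
}

# Run the five checks from the report against config file $1.
# Return value is the number of settings that do not match.
audit_rkhunter_conf() {
    failures=0
    check_setting "$1" ROTATE_MIRRORS 0        || failures=$((failures + 1))
    check_setting "$1" UPDATE_MIRRORS 0        || failures=$((failures + 1))
    check_setting "$1" MIRRORS_MODE   1        || failures=$((failures + 1))
    check_setting "$1" UPDATE_LANG    en       || failures=$((failures + 1))
    check_setting "$1" WEB_CMD        /bin/false || failures=$((failures + 1))
    return $failures
}

# Stand-alone run against the constructed sample.
SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
if audit_rkhunter_conf "$SAMPLE_CONF"; then
    echo "all proposed settings present"
else
    echo "settings missing: $?"
fi
rm -f "$SAMPLE_CONF"
```

Because the return value is the failure count, the function drops into a cron job or a configuration-management check unchanged: a non-zero exit means the host still has one of rkhunter's download paths enabled.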