Bug 189796 - FC5 not supported
Product: Fedora
Classification: Fedora
Component: rkhunter
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Greg Houlette
Fedora Extras Quality Assurance
Reported: 2006-04-24 14:38 EDT by David Nečas
Modified: 2008-01-05 08:48 EST

Doc Type: Bug Fix
Last Closed: 2008-01-05 08:48:00 EST

Attachments
OS detection patch. (469 bytes, patch)
2006-04-29 03:44 EDT, Gilboa Davara
proposed patch (684 bytes, patch)
2006-05-07 04:36 EDT, David Nečas
proposed patch (789 bytes, patch)
2006-05-07 04:52 EDT, David Nečas

Description David Nečas 2006-04-24 14:38:29 EDT
Description of problem:
No platform-version (i386, x86_64, ppc) of Fedora Core 5 (Bordeaux) is present in
/var/rkhunter/db/os.dat.  Not speaking about the list of known good md5sums.  In
other words, although a FC5 rpm exists, the distro is unsupported.

This makes rkhunter complain on startup and ALWAYS report possible infection.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. rkhunter --cronjob --disable-md5-check
Actual results:
Rootkit Hunter 1.2.8 is running
Mon, 24 Apr 2006 20:18:33 +0200
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Expected results:
Rootkit Hunter 1.2.8 is running
Mon, 24 Apr 2006 20:40:48 +0200
Determining OS... Ready
Comment 1 Gilboa Davara 2006-04-29 03:44:18 EDT
Created attachment 128386
OS detection patch.

OS detection patch.
Should fix the unknown problem.
Comment 2 David Nečas 2006-05-02 01:17:51 EDT
I of course locally edited /var/rkhunter/db/os.dat to achieve the same but this
asks for a new package release.  I also asked rkhunter maintainer(s) for
addition of FC5 support meanwhile, though this would be really better handled by
FE package maintainer...
Comment 3 Gilboa Davara 2006-05-02 02:21:52 EDT
Do you have any idea how to create the md5 checksum data base?
Comment 4 David Nečas 2006-05-02 11:06:10 EDT
The format seems to be simple


so it is trivial to generate (I cannot find some of these fields actually used
anywhere though):

  echo "12345:$x:$(md5sum "$x"|cut -b-32):$(sha1sum "$x"|cut -b-40):$(stat -c%s "$x"):$(rpm -qf "$x"):" >>HASHFILE

But I do not see much point generating the hashes when the next

rkhunter --update

overwrites it.  It should either get upstream or it is useless.  Or at least the
update script would have to be fixed to merge rkhunter's database with some
Fedora database -- and update that when updated packages are released for Fedora.

In addition checksum verification does not seem to be something rkhunter can do
better than plain rpm --verify anyway (beside being a second more or less
independent source of file checksums).
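
Added example (not part of the original comment and not rkhunter's code): checking a selected set of files against lines shaped like the output of the echo command above. The field order id:path:md5:sha1:size:package: is read off that command and is an assumption; make_hash_line and verify_hashfile are hypothetical helper names, and the package name is passed in instead of calling rpm -qf so the demo runs without rpm.

```sh
#!/bin/sh
# Added example. Assumed line layout: id:path:md5:sha1:size:package:
# Paths containing ':' are not supported by this simple field split.

# make_hash_line ID FILE PACKAGE -> prints one database line for FILE.
make_hash_line() {
    printf '%s:%s:%s:%s:%s:%s:\n' "$1" "$2" \
        "$(md5sum "$2" | cut -b-32)" "$(sha1sum "$2" | cut -b-40)" \
        "$(stat -c%s "$2")" "$3"
}

# verify_hashfile HASHFILE -> prints one verdict per listed file; returns 1 if
# any file is missing or differs in md5, sha1 or size, 0 otherwise.
verify_hashfile() {
    failed=0
    while IFS=: read -r _id path want_md5 want_sha1 want_size _rest; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; failed=1; continue
        fi
        if [ "$(md5sum "$path" | cut -b-32)" = "$want_md5" ] &&
           [ "$(sha1sum "$path" | cut -b-40)" = "$want_sha1" ] &&
           [ "$(stat -c%s "$path")" = "$want_size" ]; then
            echo "OK      $path"
        else
            echo "CHANGED $path"; failed=1
        fi
    done < "$1"
    return "$failed"
}

# Constructed demo: hash a scratch file, verify, modify it, verify again.
demo=$(mktemp -d)
printf 'original contents\n' > "$demo/tool"
make_hash_line 12345 "$demo/tool" constructed-pkg-1.0 > "$demo/hashes.dat"
verify_hashfile "$demo/hashes.dat"
printf 'extra\n' >> "$demo/tool"
verify_hashfile "$demo/hashes.dat" || echo "mismatch detected"
rm -rf "$demo"
```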
Comment 5 Gilboa Davara 2006-05-06 02:21:55 EDT
AFAIR rpm --verify is very slow and cannot be limited to a selected set of files. 
Comment 6 David Nečas 2006-05-06 06:05:20 EDT
The main point was that if you do include the hashes for Fedora, you have to deal

1. with Fedora updates (releasing timely updates of the checksums)
2. with rkhunter --update (preventing it from overwriting it with upstream which
lacks Fedora checksums)

The latter reminds me of another packaging problem: rpm --verify on rkhunter
itself reports these files as changed:

SM5....T    /var/rkhunter/db/defaulthashes.dat
SM5....T    /var/rkhunter/db/mirrors.dat
SM5....T    /var/rkhunter/db/os.dat
SM5....T    /var/rkhunter/db/programs_bad.dat
SM5....T    /var/rkhunter/db/programs_good.dat

Since they are *supposed* to change with rkhunter --update, there is no point
verifying their checksums and they should be marked

%verify(not md5 size mtime)

in the spec %files section.
Comment 7 Greg Houlette 2006-05-06 11:44:49 EDT
David Nečas (yeti@physics.muni.cz) wrote:

> It should either get upstream or it is useless.

I too, am at the mercy of the package author with regards to database updates.
I have hopes that FC5 support will be forthcoming at which time the *current*
RPM (rkhunter-1.2.8-3.fc5) will retrieve the updated database files on the next
cron run.  It is unfortunate that it has taken longer than expected...

When a new set of database files are available that support FC5, I will release
an updated FC5 RPM (?rkhunter-1.2.8-4.fc5) with those new database files...

I am more concerned about the .spec configuration error that inadvertently got
into the current release of rkhunter for FE.  You are correct that they are
*supposed* to change and should have been tagged with the %verify directive.

I hope we will see FC5 support added soon...
Comment 8 David Nečas 2006-05-07 04:33:33 EDT
Well, tonight my corrected os.dat was updated to an upstream version without
Fedora.  So we have to deal with point 1. anyway.

Here's a patch to append the contents of /var/rkhunter/db/foo.fedora to
/var/rkhunter/db/foo every time /var/rkhunter/db/foo is updated.
Comment 9 David Nečas 2006-05-07 04:36:35 EDT
Created attachment 128702
proposed patch

Amend updated db files with fedora-specific data.
Comment 10 David Nečas 2006-05-07 04:52:40 EDT
Created attachment 128703
proposed patch

When we are at it, I also propose the attached patch.  It is true on Fedora
/tmp generally has +t permission and therefore mktemp(1) can work without race
conditions, but I do not understand why to rely on that when we can use
${DBDIR} itself -- where the file will be finally placed -- for the temporary
file too.
Comment 11 David Nečas 2006-05-07 05:12:47 EDT
And it should not do


anyway (I forgot to include in the patch).  It should do


to preserve the attributes of ${DBDIR}/${FILENAME}.

Another problem is that the db files are not signed in any way -- although it
would be easy to sign them with gpg and distribute the public key needed to
verify their authenticity directly with rkhunter.  Unfortunately, this cannot be
fixed in Fedora unless we want to maintain our own db file mirrors.

Granted, once you are 0wned you cannot trust anything so it would be
hypocritical to pretend real security in a program supposed to be run in these
conditions, but the shell programming quality does not strike me as
extraordinarily good and I wonder what is in the 5000+ lines I have not looked at...
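
Added example (not the attached patches and not rkhunter's code): one way to combine the points from comments 8 to 11, namely appending the Fedora-specific file after every update, keeping the temporary file in ${DBDIR}, and preserving the attributes of the existing file. The function name install_db_update and its arguments are hypothetical, and DBDIR is assumed to be writable only by root.

```sh
#!/bin/sh
# Added example. install_db_update and its arguments are hypothetical names.

# install_db_update DBDIR FILENAME DOWNLOADED
# Installs DOWNLOADED as DBDIR/FILENAME, followed by DBDIR/FILENAME.fedora.
install_db_update() {
    dbdir=$1; filename=$2; downloaded=$3
    dest=$dbdir/$filename

    # Temp file in DBDIR itself: no dependence on /tmp permissions, and the
    # final mv is a rename within one filesystem, so readers never see a
    # half-written database.
    tmp=$(mktemp "$dbdir/.$filename.XXXXXX") || return 1

    # Copy the current file first so -p carries its mode and owner over to
    # the temp file; the content is replaced just below.
    if [ -f "$dest" ] && ! cp -p "$dest" "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    if ! cat "$downloaded" > "$tmp"; then rm -f "$tmp"; return 1; fi

    if [ -f "$dest.fedora" ]; then
        # Upstream file may lack a final newline; do not glue two records.
        if [ -n "$(tail -c 1 "$tmp")" ]; then echo >> "$tmp"; fi
        if ! cat "$dest.fedora" >> "$tmp"; then rm -f "$tmp"; return 1; fi
    fi

    mv -f "$tmp" "$dest"
}

# Constructed demo in a scratch directory (file contents are made up).
db=$(mktemp -d)
printf 'stale upstream data\n' > "$db/os.dat"; chmod 640 "$db/os.dat"
printf 'fedora-specific line\n' > "$db/os.dat.fedora"
printf 'fresh upstream data' > "$db/download"
install_db_update "$db" os.dat "$db/download"
cat "$db/os.dat"; ls -l "$db/os.dat"
rm -rf "$db"
```

Because the supplement is appended to the freshly downloaded copy rather than to the installed file, repeated updates do not duplicate the Fedora-specific lines.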
Comment 12 Kevin J. Cummings 2006-10-08 19:55:10 EDT
Well it looks like there is finally some FC5 support in the MD5 Hashes and OS
files as of version 2006100500, which was updated for me last night (from
2006022800).  However, with this MD5 file, 38/51 MD5 hashes failed.  This *is*
progress.  How do we now keep the MD5 hashes up-to-date?
Comment 13 Kevin J. Cummings 2006-10-20 10:06:37 EDT
My system just updated the MD5 hashes again last night to version 2006101202 and
ALL 50 MD5SUMS PASSED!  (Should I be worried that it's 50/50 and not 51/51?)
Comment 14 Till Maas 2008-01-05 08:48:00 EST
rkhunter is not available in Fedora anymore[1], so this bug won't be fixed.
Therefore I close it.

[1] https://admin.fedoraproject.org/pkgdb/packages/name/rkhunter
