
Fixing Rootkit Hunter’s false alarms in Debian

Rootkit Hunter (rkhunter) is an application for Unix-like systems that scans for rootkits and other similar exploits. Opinions vary on how much tools like this actually benefit security, but at least it won’t hurt, so I’m using one.

Rkhunter actually does quite a bit more than scan for rootkits. Among other things, it checks the versions of installed software to ensure they are up to date. Recently some Debian users started to get odd warnings from their rkhunter scans, something like this:

Warning: Application 'exim', version '4.69', is out of date, and possibly a security risk.
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Here’s a relief: those messages do not imply any security risk despite what they say.

The root of the problem is that rkhunter’s idea of “up to date” software conflicts with Debian’s philosophy of “stable” software. Rkhunter has its own software version database and assumes that, to be secure, a piece of software must always be the latest version. But Debian packages, particularly those in the stable release of Debian, are intentionally kept at older versions. That does not make them insecure: security vulnerabilities are patched in the packaged version, so the packages stay secure even though their version numbers lag behind what rkhunter expects.

Now, any serious Debian administrator uses apt commands diligently to keep the system up to date, preferably semi-automatically as described in my earlier post. No extra check of application versions is needed. So the simple and correct fix for this rkhunter “problem” is to disable the application version test. Edit /etc/rkhunter.conf, find the DISABLE_TESTS line, and add apps to it. My line looks like this:

DISABLE_TESTS="apps suspscan hidden_procs deleted_files packet_cap_apps"

That’s it! Quick and simple.
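If you manage several Debian hosts, it is handy to make that edit scriptable and idempotent instead of opening the file by hand each time. The following POSIX shell snippet is an added example, not part of the original post or of rkhunter itself; it assumes a single uncommented DISABLE_TESTS="..." line in the config file and never touches commented-out lines, so rerunning it is safe.

```shell
#!/bin/sh
# Added example (not from the original post or the rkhunter project):
# idempotently add a test name, e.g. "apps", to DISABLE_TESTS in an
# rkhunter.conf-style file. Assumes one uncommented DISABLE_TESTS line.

# Print the current DISABLE_TESTS value of file $1 without quotes (empty if unset).
get_disabled_tests() {
    awk '/^[[:space:]]*DISABLE_TESTS[[:space:]]*=/ {
             v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); gsub(/"/, "", v); last = v
         }
         END { print last }' "$1"
}

# Return 0 if test $2 is already listed as a whole word in DISABLE_TESTS of file $1.
is_disabled() {
    for t in $(get_disabled_tests "$1"); do
        [ "$t" = "$2" ] && return 0
    done
    return 1
}

# Add test $2 to DISABLE_TESTS in file $1; creates the line if the file has none.
add_disabled_test() {
    conf=$1; name=$2
    if is_disabled "$conf" "$name"; then
        return 0                      # already disabled: leave the file untouched
    fi
    if grep -q '^[[:space:]]*DISABLE_TESTS[[:space:]]*=' "$conf"; then
        # Append to the existing quoted value; every other line is copied as-is.
        awk -v t="$name" '
            /^[[:space:]]*DISABLE_TESTS[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); gsub(/"/, "")
                v = ($0 == "") ? t : $0 " " t
                print "DISABLE_TESTS=\"" v "\""; next
            }
            { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'DISABLE_TESTS="%s"\n' "$name" >> "$conf"
    fi
}

# Typical use on a Debian host (run as root): add_disabled_test /etc/rkhunter.conf apps
```

Run it as root against /etc/rkhunter.conf, then start a normal rkhunter check to confirm the application version warnings are gone.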

Last modified: 2009-12-19 12:03 +0200

