Bug#765895: rkhunter: maybe the Debian version should deactivate any update functionality

[Christoph Anton Mitterer]

Package: rkhunter
Version: 1.4.2-0.1
Severity: wishlist
Tags: security


Hi.

This is something for consideration:
rkhunter has this "updating" functionality, which apparently downloads
new stuff from the web, updates the mirrors list and so on.


In a way I feel that this should be disabled (at lest per default) in
Debian for several reasons:


1) security
While I haven't checked rkhunter in specific, downloading stuff from the,
especially new code or pattern files or anything that is actually
used by a program is always really tricky and difficult.

Signing alone is by far not enough, as this often still allows for
blocking/downgrading attacks.

Some time ago I've started a longer thread about this on debian-devel...


It seems to use wget/curl per default for downloading, which means at
best, everything is SSL/TLS secured,... which basically means no security
at all.
wget/curl, both use per default still SSLv3 (which is broken since POODLE,
latestly)... and even worse,... any CA which is activated in the system,
which is per default a big list, including such untrustworthy fellows
as CNNIC) could forge certificates for the source-forge mirrors and
potentially deliver our users forged files (if MitM attacks are possible
as well).
So I guess it's better to be sceptical... especially since rkhunter
runs as root.


As I said, I don't wanna claim that rkhunter wouldn't do this cleanly,
since I haven't checked it... but even if secure, there comes the
following:




2) if packages "update" themselves, they circumvent the package management
system, which no only does everything from (1) correctly... it should
also be the central point of the system, that updates software and its
code, with only very few execptions (typically highly volatile stuff
like spam filter rules, or virus definition files).

If anything new goes to rkhunter, it should go to Debian via a porper
package upgrade, not via some of rkhunter's own update functions.





That being said,... if you agree, than I think the following changes
to the default confiugration hopefully do the job:

ROTATE_MIRRORS=0 (not strictly necessary)
UPDATE_MIRRORS=0 (do not update mirrors)
MIRRORS_MODE=1 (only use local mirrors, never even try to get anything remote)
UPDATE_LANG=en (do not update language files)
WEB_CMD=/bin/false (let any downloading fail)

Apart from that, --update seems to not work anyway (at least for me
it always fails, even without the options from above).


Cheers,
Chris.