Andy Blanchard wrote:
2009/11/30 Kevin Fenzi <kevin@xxxxxxxxx>:
Sure, that works fine if you are willing to keep up to date on security
updates on those applications and update your config each time one
changes in fedora.
I did say that I like to know when things change, hence the inclusion
of the version numbers. That approach also works very well if you
need to keep a package at a certain revision for some reason as
including its specific version in "rkhunter.conf" would provide a
warning should an update ever be applied by mistake, or a default
package be installed instead of a custom build for that matter.
That's definitely not appropriate for a dynamic distribution like
Fedora, although maybe something like Debian Stable or Red Hat where
version numbers don't change much could get away with it.
For the out of box package that would result in pushing an update to
rkhunter anytime any of those updated and there could be lag between
the updates and when someone applied the rkhunter one.
That's a good point about the lag and it would be a problem, but then
again it wouldn't be the only package in Fedora that needed to be
updated in response to changes to another, apparently unrelated one;
Yelp and Firefox for instance.
For a more general package distribution it would definitely be better
to either disable the checks or just push the RKHunter package with a
whitelist of problematic applications without the version numbers, for
instance:
APP_WHITELIST="gpg httpd named sshd..."
Wow, a list of things I really don't want to change and an evil doer might like
to change.
Whitelisting is kind of like taking the battery out of the smoke detector, it
stops the noise but loses the warning. Short term I'd rather manually verify the
checksums of the new packages, and long term, if Kevin doesn't push a new list,
you can build it yourself.
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines