
List:       fedora-extras-commits
Subject:    nonamedotc pushed to rkhunter (epel7). "Allow /etc/.updated on EL7 (..more)"
From:       notifications () fedoraproject ! org
Date:       2015-12-31 23:52:12
Message-ID: 20151231235212.68EAB60635E1 () bastion01 ! phx2 ! fedoraproject ! org

From ef6697ff3b48d93611fa103184e1dd8c8bfbaac2 Mon Sep 17 00:00:00 2001
From: Mukundan Ragavan <nonamedotc@fedoraproject.org>
Date: Thu, 31 Dec 2015 18:52:03 -0500
Subject: Allow /etc/.updated on EL7

- Fixes bug#1291629
---
 rkhunter-1.4.2-epel7.patch        | 198 ++++++++++++++++++++++++++++++++++++++
 rkhunter-1.4.2-fedoraconfig.patch | 191 ------------------------------------
 2 files changed, 198 insertions(+), 191 deletions(-)
 create mode 100644 rkhunter-1.4.2-epel7.patch
 delete mode 100644 rkhunter-1.4.2-fedoraconfig.patch

diff --git a/rkhunter-1.4.2-epel7.patch b/rkhunter-1.4.2-epel7.patch
new file mode 100644
index 0000000..bfa31d9
--- /dev/null
+++ b/rkhunter-1.4.2-epel7.patch
@@ -0,0 +1,198 @@
+--- rkhunter-1.4.2-orig/files/rkhunter.conf	2015-12-31 18:40:13.654509378 -0500
++++ rkhunter-1.4.2/files/rkhunter.conf	2015-12-31 18:50:31.433316460 -0500
+@@ -155,6 +155,7 @@
+ # default directory beneath the installation directory.
+ #
+ #TMPDIR=/var/lib/rkhunter/tmp
++TMPDIR=/var/lib/rkhunter
+ 
+ #
+ # This option specifies the database directory to use.
+@@ -163,7 +164,7 @@
+ # subsequently commented out or removed, then the program will assume a
+ # default directory beneath the installation directory.
+ #
+-#DBDIR=/var/lib/rkhunter/db
++DBDIR=/var/lib/rkhunter/db
+ 
+ #
+ # This option specifies the script directory to use.
+@@ -172,6 +173,7 @@
+ # subsequently commented out or removed, then the program will not run.
+ #
+ #SCRIPTDIR=/usr/local/lib/rkhunter/scripts
++SCRIPTDIR=/usr/share/rkhunter/scripts
+ 
+ #
+ # This option can be used to modify the command directory list used by rkhunter
+@@ -228,7 +230,7 @@
+ #
+ # The default value is '/var/log/rkhunter.log'.
+ #
+-LOGFILE=/var/log/rkhunter.log
++LOGFILE=/var/log/rkhunter/rkhunter.log
+ 
+ #
+ # Set this option to '1' if the log file is to be appended to whenever rkhunter
+@@ -238,6 +240,7 @@
+ # The default value is '0'.
+ #
+ #APPEND_LOG=0
++APPEND_LOG=1
+ 
+ #
+ # Set the following option to '1' if the log file is to be copied when rkhunter
+@@ -305,6 +308,7 @@
+ #
+ #ALLOW_SSH_ROOT_USER=no
+ 
++
+ #
+ # Set this option to '1' to allow the use of the SSH-1 protocol, but note
+ # that theoretically it is weaker, and therefore less secure, than the
+@@ -318,6 +322,7 @@
+ # The default value is '0'.
+ #
+ #ALLOW_SSH_PROT_V1=0
++ALLOW_SSH_PROT_V1=2
+ 
+ #
+ # This setting tells rkhunter the directory containing the SSH configuration
+@@ -350,7 +355,8 @@
+ # program defaults.
+ #
+ ENABLE_TESTS=ALL
+-DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
++#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
++DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps
+ 
+ #
+ # The HASH_CMD option can be used to specify the command to use for the file
+@@ -422,6 +428,7 @@
+ # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
+ #
+ #PKGMGR=NONE
++PKGMGR=RPM
+ 
+ #
+ # It is possible that a file, which is part of a package, may have been
+@@ -545,6 +552,14 @@
+ # The default value is the null string.
+ #
+ #EXISTWHITELIST=""
++EXISTWHITELIST=/bin/ad
++# FreeIPA Certificate Authority
++EXISTWHITELIST=/var/log/pki-ca/system
++# FreeIPA Certificate Authority
++EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
++# Some non default installed files we check
++EXISTWHITELIST=/usr/bin/GET
++EXISTWHITELIST=/usr/bin/whatis
+ 
+ #
+ # Whitelist various attributes of the specified file. The attributes are those
+@@ -575,6 +590,12 @@
+ # The default value is the null string.
+ #
+ #SCRIPTWHITELIST=/usr/bin/groups
++SCRIPTWHITELIST=/usr/bin/whatis
++SCRIPTWHITELIST=/usr/bin/ldd
++SCRIPTWHITELIST=/usr/bin/groups
++SCRIPTWHITELIST=/usr/bin/GET
++SCRIPTWHITELIST=/sbin/ifup
++SCRIPTWHITELIST=/sbin/ifdown
+ 
+ #
+ # Allow the specified file to have the immutable attribute set.
+@@ -605,6 +626,19 @@
+ #ALLOWHIDDENDIR=/dev/.udev
+ #ALLOWHIDDENDIR=/dev/.udevdb
+ #ALLOWHIDDENDIR=/dev/.mdadm
++ALLOWHIDDENDIR="/etc/.java"
++ALLOWHIDDENDIR=/dev/.udev
++ALLOWHIDDENDIR=/dev/.udevdb
++ALLOWHIDDENDIR=/dev/.udev.tdb
++ALLOWHIDDENDIR=/dev/.static
++ALLOWHIDDENDIR=/dev/.initramfs
++ALLOWHIDDENDIR=/dev/.SRC-unix
++ALLOWHIDDENDIR=/dev/.mdadm
++ALLOWHIDDENDIR=/dev/.systemd
++ALLOWHIDDENDIR=/dev/.mount
++# for etckeeper
++ALLOWHIDDENDIR=/etc/.git
++ALLOWHIDDENDIR=/etc/.bzr
+ 
+ #
+ # Allow the specified hidden file to be whitelisted.
+@@ -620,6 +654,32 @@
+ #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
+ #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
+ #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
++ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
++ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
++ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
++ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
++ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
++ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
++ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
++ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
++ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
++ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
++ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
++ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
++ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
++ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
++ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
++ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
++ALLOWHIDDENFILE=/dev/.mdadm.map
++ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
++ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
++ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
++# etckeeper
++ALLOWHIDDENFILE=/etc/.etckeeper
++ALLOWHIDDENFILE=/etc/.gitignore
++ALLOWHIDDENFILE=/etc/.bzrignore
++# systemd
++ALLOWHIDDENFILE=/etc/.updated
+ 
+ #
+ # Allow the specified process to use deleted files. The process name may be
+@@ -681,6 +741,20 @@
+ #
+ #ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ #ALLOWDEVFILE=/dev/shm/sem.ADBE_*
++ALLOWDEVFILE=/dev/shm/pulse-shm-*
++ALLOWDEVFILE=/dev/md/md-device-map
++# tomboy creates this one
++ALLOWDEVFILE="/dev/shm/mono.*"
++# created by libv4l
++ALLOWDEVFILE="/dev/shm/libv4l-*"
++# created by spice video
++ALLOWDEVFILE="/dev/shm/spice.*"
++# created by mdadm
++ALLOWDEVFILE="/dev/md/autorebuild.pid"
++# 389 Directory Server
++ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
++# squid proxy
++ALLOWDEVFILE=/dev/shm/squid-cf*
+ 
+ #
+ # This option is used to indicate if the Phalanx2 test is to perform a basic
+@@ -1004,6 +1078,11 @@
+ #
+ #RTKT_DIR_WHITELIST=""
+ #RTKT_FILE_WHITELIST=""
++RTKT_FILE_WHITELIST=/bin/ad
++# FreeIPA Certificate Authority
++RTKT_FILE_WHITELIST=/var/log/pki-ca/system
++# FreeIPA Certificate Authority
++RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
+ 
+ #
+ # The following option can be used to whitelist shared library files that would
+@@ -1222,3 +1301,5 @@
+ #
+ #EMPTY_LOGFILES=""
+ #MISSING_LOGFILES=""
++
++INSTALLDIR="/usr"
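Review bot: Apart from the dropped `diff -Nur` header line, the new patch differs from the deleted rkhunter-1.4.2-fedoraconfig.patch only in the added `@@ -305,6 +308,7 @@` hunk (a lone blank line after `#ALLOW_SSH_ROOT_USER=no`) and the hunk offsets after it; `ALLOWHIDDENFILE=/etc/.updated` was already present in the old file, so the subject line does not describe what actually changed. The old file's new-side numbering appears to have been off by one from its `@@ -318,6 +322,7 @@` hunk onward, which the extra hunk corrects, and a one-line comment in the spec or changelog saying so (e.g. `# blank-line hunk at 305 only re-syncs offsets so later hunks apply`) would save the next maintainer from re-diffing the two files. Separately, `ALLOW_SSH_PROT_V1=2` is outside the 0/1 range the surrounding comment documents; if, as rkhunter's own documentation describes, 2 means the sshd protocol check is skipped rather than SSH-1 being allowed, a comment stating that intent (`# 2 = skip the SSH protocol-version check, not "allow SSH-1"`) would stop it being read as loosening the check. Quoting is also mixed (`ALLOWHIDDENDIR="/etc/.java"` next to `ALLOWHIDDENDIR=/dev/.udev`, `INSTALLDIR="/usr"`); the stock file accepts both forms, but one style per file is easier to audit.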
diff --git a/rkhunter-1.4.2-fedoraconfig.patch b/rkhunter-1.4.2-fedoraconfig.patch
deleted file mode 100644
index da521a8..0000000
--- a/rkhunter-1.4.2-fedoraconfig.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-diff -Nur rkhunter-1.4.2.orig/files/rkhunter.conf rkhunter-1.4.2/files/rkhunter.conf
---- rkhunter-1.4.2.orig/files/rkhunter.conf	2014-01-25 14:29:51.000000000 -0700
-+++ rkhunter-1.4.2/files/rkhunter.conf	2015-12-06 11:19:26.840917848 -0700
-@@ -155,6 +155,7 @@
- # default directory beneath the installation directory.
- #
- #TMPDIR=/var/lib/rkhunter/tmp
-+TMPDIR=/var/lib/rkhunter
- 
- #
- # This option specifies the database directory to use.
-@@ -163,7 +164,7 @@
- # subsequently commented out or removed, then the program will assume a
- # default directory beneath the installation directory.
- #
--#DBDIR=/var/lib/rkhunter/db
-+DBDIR=/var/lib/rkhunter/db
- 
- #
- # This option specifies the script directory to use.
-@@ -172,6 +173,7 @@
- # subsequently commented out or removed, then the program will not run.
- #
- #SCRIPTDIR=/usr/local/lib/rkhunter/scripts
-+SCRIPTDIR=/usr/share/rkhunter/scripts
- 
- #
- # This option can be used to modify the command directory list used by rkhunter
-@@ -228,7 +230,7 @@
- #
- # The default value is '/var/log/rkhunter.log'.
- #
--LOGFILE=/var/log/rkhunter.log
-+LOGFILE=/var/log/rkhunter/rkhunter.log
- 
- #
- # Set this option to '1' if the log file is to be appended to whenever rkhunter
-@@ -238,6 +240,7 @@
- # The default value is '0'.
- #
- #APPEND_LOG=0
-+APPEND_LOG=1
- 
- #
- # Set this option to '1' to allow the use of the SSH-1 protocol, but note
-@@ -318,6 +322,7 @@
- # The default value is '0'.
- #
- #ALLOW_SSH_PROT_V1=0
-+ALLOW_SSH_PROT_V1=2
- 
- #
- # This setting tells rkhunter the directory containing the SSH configuration
-@@ -350,7 +355,8 @@
- # program defaults.
- #
- ENABLE_TESTS=ALL
--DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
-+#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
-+DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps
- 
- #
- # The HASH_CMD option can be used to specify the command to use for the file
-@@ -422,6 +428,7 @@
- # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
- #
- #PKGMGR=NONE
-+PKGMGR=RPM
- 
- #
- # It is possible that a file, which is part of a package, may have been
-@@ -545,6 +552,14 @@
- # The default value is the null string.
- #
- #EXISTWHITELIST=""
-+EXISTWHITELIST=/bin/ad
-+# FreeIPA Certificate Authority
-+EXISTWHITELIST=/var/log/pki-ca/system
-+# FreeIPA Certificate Authority
-+EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
-+# Some non default installed files we check
-+EXISTWHITELIST=/usr/bin/GET
-+EXISTWHITELIST=/usr/bin/whatis
- 
- #
- # Whitelist various attributes of the specified file. The attributes are those
-@@ -575,6 +590,12 @@
- # The default value is the null string.
- #
- #SCRIPTWHITELIST=/usr/bin/groups
-+SCRIPTWHITELIST=/usr/bin/whatis
-+SCRIPTWHITELIST=/usr/bin/ldd
-+SCRIPTWHITELIST=/usr/bin/groups
-+SCRIPTWHITELIST=/usr/bin/GET
-+SCRIPTWHITELIST=/sbin/ifup
-+SCRIPTWHITELIST=/sbin/ifdown
- 
- #
- # Allow the specified file to have the immutable attribute set.
-@@ -605,6 +626,19 @@
- #ALLOWHIDDENDIR=/dev/.udev
- #ALLOWHIDDENDIR=/dev/.udevdb
- #ALLOWHIDDENDIR=/dev/.mdadm
-+ALLOWHIDDENDIR="/etc/.java"
-+ALLOWHIDDENDIR=/dev/.udev
-+ALLOWHIDDENDIR=/dev/.udevdb
-+ALLOWHIDDENDIR=/dev/.udev.tdb
-+ALLOWHIDDENDIR=/dev/.static
-+ALLOWHIDDENDIR=/dev/.initramfs
-+ALLOWHIDDENDIR=/dev/.SRC-unix
-+ALLOWHIDDENDIR=/dev/.mdadm
-+ALLOWHIDDENDIR=/dev/.systemd
-+ALLOWHIDDENDIR=/dev/.mount
-+# for etckeeper
-+ALLOWHIDDENDIR=/etc/.git
-+ALLOWHIDDENDIR=/etc/.bzr
- 
- #
- # Allow the specified hidden file to be whitelisted.
-@@ -620,6 +654,32 @@
- #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
- #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
- #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-+ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
-+ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
-+ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
-+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
-+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
-+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
-+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
-+ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
-+ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
-+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
-+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
-+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
-+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
-+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-+ALLOWHIDDENFILE=/dev/.mdadm.map
-+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
-+ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
-+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
-+# etckeeper
-+ALLOWHIDDENFILE=/etc/.etckeeper
-+ALLOWHIDDENFILE=/etc/.gitignore
-+ALLOWHIDDENFILE=/etc/.bzrignore
-+# systemd
-+ALLOWHIDDENFILE=/etc/.updated
- 
- #
- # Allow the specified process to use deleted files. The process name may be
-@@ -681,6 +741,20 @@
- #
- #ALLOWDEVFILE=/dev/shm/pulse-shm-*
- #ALLOWDEVFILE=/dev/shm/sem.ADBE_*
-+ALLOWDEVFILE=/dev/shm/pulse-shm-*
-+ALLOWDEVFILE=/dev/md/md-device-map
-+# tomboy creates this one
-+ALLOWDEVFILE="/dev/shm/mono.*"
-+# created by libv4l
-+ALLOWDEVFILE="/dev/shm/libv4l-*"
-+# created by spice video
-+ALLOWDEVFILE="/dev/shm/spice.*"
-+# created by mdadm
-+ALLOWDEVFILE="/dev/md/autorebuild.pid"
-+# 389 Directory Server
-+ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
-+# squid proxy
-+ALLOWDEVFILE=/dev/shm/squid-cf*
- 
- #
- # This option is used to indicate if the Phalanx2 test is to perform a basic
-@@ -1004,6 +1078,11 @@
- #
- #RTKT_DIR_WHITELIST=""
- #RTKT_FILE_WHITELIST=""
-+RTKT_FILE_WHITELIST=/bin/ad
-+# FreeIPA Certificate Authority
-+RTKT_FILE_WHITELIST=/var/log/pki-ca/system
-+# FreeIPA Certificate Authority
-+RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
- 
- #
- # The following option can be used to whitelist shared library files that would
-@@ -1222,3 +1301,5 @@
- #
- #EMPTY_LOGFILES=""
- #MISSING_LOGFILES=""
-+
-+INSTALLDIR="/usr"
-- 
cgit v0.11.2


	http://pkgs.fedoraproject.org/cgit/rkhunter.git/commit/?h=epel7&id=ef6697ff3b48d93611fa103184e1dd8c8bfbaac2
                
--
scm-commits mailing list
scm-commits@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/scm-commits@lists.fedoraproject.org


