
false positives with /dev/.initramfs & /run/initramfs

Reported by Jens on 2012-05-26
Affects: rkhunter (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When running rkhunter, it is not possible to skip /dev/.initramfs. The error message is:

  Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

When I add this to ALLOWHIDDENDIRS, it has no effect. When I add this to ALLOWHIDDENFILES, I get an error message saying this is not a file. In fact, it is a symlink to a directory:

  root@root:~# ls -dl /dev/.initramfs /run/initramfs
  lrwxrwxrwx 1 root root 14 Mai 8 07:30 /dev/.initramfs -> /run/initramfs
  drwxr-xr-x 2 root root 40 Mai 8 07:30 /run/initramfs

As this file/dir/link is present in Ubuntu's default kernel, I think this is a serious bug, since it is currently not possible for rkhunter to report an Ubuntu system as "clean" (unless one skips the file/dir check altogether).

Possibly a security issue because of the false-alarm potential; please tag as security related if you agree.

Configuration /etc/rkhunter.conf:

root@root:~# grep -v ^# /etc/rkhunter.conf |sort|uniq
ALLOWHIDDENDIR="/dev/.initramfs"
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENFILE="/dev/.initramfs"
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=without-password
ALLOW_SYSLOG_REMOTE_LOGGING=0
APPEND_LOG=1
AUTO_X_DETECT=1
COLOR_SET2=0
COPY_LOG_ON_ERROR=0
DBDIR=/var/lib/rkhunter/db
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
DISABLE_UNHIDE=1
ENABLE_TESTS="all"
IMMUTABLE_SET=0
INSTALLDIR="/usr"
LOCK_TIMEOUT=300
LOGFILE=/var/log/rkhunter.log
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" <email address hidden>"
MIRRORS_MODE=0
PHALANX2_DIRTEST=0
ROTATE_MIRRORS=1
SCRIPTDIR=/usr/share/rkhunter/scripts
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/bin/unhide.rb
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
SHOW_LOCK_MSGS=1
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_THRESH=200
TMPDIR=/var/lib/rkhunter/tmp
UPDATE_LANG=""
UPDATE_MIRRORS=1
USE_LOCKING=0
WHITELISTED_IS_WHITE=0

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: rkhunter 1.3.8-10
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sat May 26 09:33:18 2012
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-color
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: rkhunter
UpgradeStatus: Upgraded to precise on 2012-05-04 (21 days ago)
modified.conffile..etc.rkhunter.conf: [modified]
mtime.conffile..etc.rkhunter.conf: 2012-05-26T09:32:58.943101
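The following POSIX shell script is an added example, not rkhunter's own code and not part of the report. It reconstructs the failure mode described above in a constructed temp directory: a symlink to a directory (modelled on /dev/.initramfs -> /run/initramfs) is neither a regular file nor a plain directory, so a whitelist validator that requires `test -f` for file entries and a non-symlink directory for dir entries rejects it from both lists. The two validator functions are assumptions about how such a check might be written, shown side by side with a symlink-aware variant; the fixture paths and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not rkhunter code). Reconstructs why a symlink to a
# directory can be reported as a hidden file yet be impossible to whitelist
# as either a hidden file or a hidden directory, and shows a symlink-aware
# validation. The validators are assumptions, not rkhunter's logic.

# Build a constructed tree under a temp dir mimicking the layout in the
# report. Prints the temp dir path.
make_fixture() {
    top=$(mktemp -d)
    mkdir -p "$top/run/initramfs" "$top/dev/.udev"
    ln -s "$top/run/initramfs" "$top/dev/.initramfs"
    : > "$top/dev/.hidden_regular"
    printf '%s\n' "$top"
}

# Classify a hidden entry by what it is on disk. -L is tested first because
# -d and -f follow symlinks and would otherwise hide the link itself.
classify_entry() {
    p=$1
    if [ -L "$p" ]; then
        if [ -d "$p" ]; then echo symlink-to-dir; else echo symlink; fi
    elif [ -d "$p" ]; then echo dir
    elif [ -f "$p" ]; then echo file
    else echo other
    fi
}

# Naive validation (assumed): a "file" whitelist entry must be a regular
# file, a "dir" entry must be a real, non-symlink directory. A symlink to a
# directory fails both, which matches what the reporter observed.
naive_whitelisted() {
    p=$1; k=$2    # k is "file" or "dir": which whitelist the entry is in
    case $k in
        file) [ -f "$p" ] ;;
        dir)  [ -d "$p" ] && [ ! -L "$p" ] ;;
        *)    false ;;
    esac
}

# Symlink-aware validation: let -d follow the link for "dir" entries and
# accept a symlink as a "file" entry, so the link can be whitelisted from
# either list.
fixed_whitelisted() {
    p=$1; k=$2
    case $k in
        file) [ -f "$p" ] || [ -L "$p" ] ;;
        dir)  [ -d "$p" ] ;;
        *)    false ;;
    esac
}

# Print the hidden entries in a directory that the given validator refuses
# to whitelist under both list kinds, one name per line.
unwhitelisted() {
    dir=$1; validator=$2
    for e in "$dir"/.*; do
        case $e in */.|*/..) continue ;; esac
        [ -e "$e" ] || [ -L "$e" ] || continue
        if ! "$validator" "$e" dir && ! "$validator" "$e" file; then
            printf '%s\n' "${e##*/}"
        fi
    done
}

# Run both validators over the fixture and print one summary line:
# kind of the link | leftovers with naive check | leftovers with fixed check
run_demo() {
    top=$(make_fixture)
    link="$top/dev/.initramfs"
    kind=$(classify_entry "$link")
    naive_left=$(unwhitelisted "$top/dev" naive_whitelisted | tr '\n' ' ')
    fixed_left=$(unwhitelisted "$top/dev" fixed_whitelisted | tr '\n' ' ')
    [ -n "$top" ] && rm -rf "$top"
    printf '%s|%s|%s\n' "$kind" "${naive_left% }" "${fixed_left% }"
}

run_demo   # prints: symlink-to-dir|.initramfs|
```

The summary line shows the regular hidden file and the real hidden directory whitelisted by both validators, while the symlink is left over only under the naive check. The practical lesson for a scanner is to classify with `-L` before `-d`/`-f`, and to decide up front whether a link is matched by its own name or by its target, so an administrator's ALLOWHIDDENDIR or ALLOWHIDDENFILE entry for the link is honoured.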
