False positive: "running_procs" incorrectly reports libkeyutils.so.1.9 as "Spam tool component"

Bug #1940851 reported by Nils Toedtmann
This bug affects 5 people
Affects: rkhunter (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

rkhunter incorrectly reports libkeyutils.so.1.9 as "Sniffer component" or (running_procs) as "Spam tool component".

Unfortunately, the libkeyutils1 package that recent releases of Debian (>=11) and Ubuntu (>=20.10) ship contains /lib/x86_64-linux-gnu/libkeyutils.so.1.9, see e.g. https://packages.ubuntu.com/hirsute/amd64/libkeyutils1/filelist

This is a known issue, see https://sourceforge.net/p/rkhunter/bugs/170/. There's a patch in the 'develop' branch, see https://sourceforge.net/p/rkhunter/rkh_code/ci/6c0675385cafe64ba218b53202b031f616046fe6/ . But the fix doesn't seem to have been released yet.

I am using rkhunter 1.4.6-2~ubuntu18.04.1 on Ubuntu 18.04.5, scanning docker images that are based on Debian 11 and recent Ubuntu releases.

Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote :

According to some reports, this ought to help:

RTKT_FILE_WHITELIST=/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9

However, in our use case the file in question does not exist on the host system, only inside the containers, so this yields me "Invalid RTKT_FILE_WHITELIST configuration option: Non-existent pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9"

The only workaround I have found so far is far from ideal:

DISABLE_TESTS=running_procs

:-(

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rkhunter (Ubuntu):
status: New → Confirmed

Mathias Homann (lemmy04) wrote :

I'm having the same kind of problem on a host that has postgres running inside a docker container.
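
A check one might run before whitelisting the file or disabling running_procs, as an added example that is not part of the bug report or of rkhunter: it compares the flagged library inside an unpacked container root filesystem with the MD5 that dpkg recorded for the libkeyutils1 package. The function name, its return codes and the unpacked-rootfs layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from rkhunter).
# Assumption: ROOT is an unpacked image tree, e.g. from "docker export".
# The dpkg database sits in the same image, so a match is a consistency
# check against the package metadata, not proof of integrity.

# check_packaged_file ROOT PKG FILE   (hypothetical helper)
#   ROOT  unpacked root filesystem of the container image
#   PKG   dpkg package name, e.g. libkeyutils1
#   FILE  absolute path as reported by rkhunter
# Returns 0 = hash matches package record, 1 = hash differs,
#         2 = file missing or not listed for that package.
check_packaged_file() {
    root=$1 pkg=$2 file=$3
    rel=${file#/}                 # dpkg records paths without a leading slash
    [ -f "$root/$rel" ] || return 2

    # Multiarch packages use "<pkg>:<arch>.md5sums", others "<pkg>.md5sums".
    for sums in "$root"/var/lib/dpkg/info/"$pkg".md5sums \
                "$root"/var/lib/dpkg/info/"$pkg":*.md5sums; do
        [ -f "$sums" ] || continue
        # Line format: 32 hex chars, two spaces, path (path starts at col 35).
        # Merged-/usr images may record the path with or without "usr/".
        want=$(awk -v a="$rel" -v b="usr/$rel" -v c="${rel#usr/}" \
            '{ p = substr($0, 35) } p == a || p == b || p == c { print $1; exit }' \
            "$sums")
        [ -n "$want" ] || continue
        have=$(md5sum "$root/$rel" | cut -d' ' -f1)
        [ "$want" = "$have" ] && return 0
        return 1
    done
    return 2
}

# Stand-alone use:
#   sh check.sh /tmp/rootfs libkeyutils1 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
if [ "$#" -eq 3 ]; then
    rc=0
    check_packaged_file "$@" || rc=$?
    echo "result=$rc (0 match, 1 mismatch, 2 missing or not listed)"
fi
```

A result of 1 or 2 means the flagged file is not the one the package recorded, so the rkhunter warning should not be treated as the known false positive.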
