Ubuntu

rkhunter reports hidden directories under /dev

Reported by gray on 2008-04-20
This bug affects 11 people
Affects: rkhunter (Ubuntu) | Importance: Medium | Assigned to: Unassigned

Bug Description

Binary package hint: rkhunter

Running Rootkit Hunter version 1.3.0

I am reasonably sure that

[11:51:08] Checking for hidden files and directories [ Warning ]
[11:51:09] Warning: Hidden directory found: /dev/.static
[11:51:09] Warning: Hidden directory found: /dev/.udev
[11:51:09] Warning: Hidden directory found: /dev/.initramfs

merely means that rkhunter has found a non-standard file - at least as far as rkhunter is concerned - but which is a default install for Hardy Heron. In this case I would assume that rkhunter needs to be updated?

I am using the release candidate of Hardy Heron - installed in free space at the end of my single hard drive, dual booting with winxp. The install is a standard setup (no fancy partitions), with all updates, plus quanta, dvdrip, amarok and k3b with all required libs and apps for these additions. The only changes I have made via the console have been to place winxp first in the grub menu, enable ufw (with default deny) and to make sudo timeout to be zero.

What I would have expected to happen is no warnings - seeing as this is a clean, new install, done last night and only surfing to known safe websites, and the limited installation done thus far.

Alex Muntada (alex.muntada) wrote :

Those 3 directories can be whitelisted in /etc/rkhunter.conf by just uncommenting the corresponding lines.

However, the question is whether they should be uncommented by default ubuntu installation or not.

Alex Muntada (alex.muntada) wrote :

Happens in every ubuntu installation where I'm using rkhunter.

Changed in rkhunter:
status: New → Confirmed
Dan (dan-garthwaite) wrote :

I second Alex. How many Hardy installs are there without: java, initramfs, or udev?

gray (info-graydesigns) wrote :

Hi

just a comment - initramfs and udev are surely standard - with java possibly less so (but likely to be installed as the user gets more experienced), so surely rkhunter should be instructed by default to not be concerned about the first 2, and to merely comment on the third? Possibly a slightly more verbose explanation in those instances might be appropriate?

furicle (furicle) wrote :

The current set-up is consistent with the upstream project's feelings on the subject. Let it detect them but hint it may be ok by putting common whitelists commented out in the conf file.

I wonder if it's possible to pop up some kind of warning message at install time - 'rkhunter is installed but a manual review of the settings will be required on most systems'

Deckard (carsten-schmitz-hh) wrote :

I second gray's suggestion.

nils (internationils) wrote :

I would agree that if Ubuntu ships in this configuration by default, then the rkhunter settings should be adapted accordingly. The other option is for udev and initramfs to check if rkhunter is installed and appropriately configured for them, but I see this as an rkhunter config issue for standard ubuntu configurations.

Changed in rkhunter (Ubuntu):
importance: Undecided → Medium

I'm also getting this:

Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

That's a regression of bug #86153.

And yes, rkhunter requires extensive manual installation.
Which is a Good Thing IMHO. Without that, an admin won't be able to distinguish false positives from genuine problems.
However, the commented-out entries in the conf file should also explain under which circumstances leaving them deactivated will give false positives. E.g. I have no idea which process is generating /dev/.blkid.tab - it contains UUIDs of the block devices, and I see little harm in having these files, but I'd like to be able to check what these files are supposed to contain. (Googling for /dev/.blkid.tab gives either too many or too few hits, depending on what else you enter.)

luca (llucax) wrote :

I think the package should be installed with reasonable defaults, using a configuration file that will scream false positives to anyone doesn't make much sense. I'm also getting this false positive:
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable

Which is very funny because it's from a package that's only installed as a dependency for rkhunter itself. That script should be whitelisted too.

François Marier (fmarier) wrote :

I have these in my /etc/rkhunter.conf.local:

  SCRIPTWHITELIST=/usr/bin/unhide.rb

  ALLOWHIDDENDIR=/etc/.java
  ALLOWHIDDENDIR=/dev/.udev
  ALLOWHIDDENDIR=/dev/.static

  ALLOWHIDDENFILE=/dev/.blkid.tab
  ALLOWHIDDENFILE=/dev/.blkid.tab.old
  ALLOWDEVFILE=/dev/.initramfs

However for the .initramfs, there's an upstream bug (http://sourceforge.net/mailarchive/message.php?msg_id=28252358) preventing this option from working with symlinks. See bug 883324 for the details and fix.
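As an added example (not from the bug report, nor rkhunter's own code): a small POSIX shell helper that turns the warning lines quoted in this thread into candidate directives for /etc/rkhunter.conf.local, one per false positive, and flags any whitelisted path that is a symlink, since the comment above reports that ALLOWDEVFILE did not match the /dev/.initramfs symlink (bug 883324). The sample warnings are constructed from the lines posted in this thread, the matching is on that exact wording, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of rkhunter: turn rkhunter
# warning lines into candidate directives for /etc/rkhunter.conf.local so
# each false positive is reviewed and whitelisted by name, rather than
# muting the cron report. Function names are this example's own; the sample
# lines are constructed from the warnings quoted in the thread.

# Constructed sample report: the three /dev directories, the two blkid
# files, the unhide.rb script warning, one unrelated warning and one
# duplicate line.
sample_warnings() {
cat <<'EOF'
[11:51:09] Warning: Hidden directory found: /dev/.static
[11:51:09] Warning: Hidden directory found: /dev/.udev
[11:51:09] Warning: Hidden directory found: /dev/.initramfs
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
[11:51:10] Warning: The file properties have changed: File: /usr/bin/ls
[11:51:09] Warning: Hidden directory found: /dev/.static
EOF
}

# Map one warning line to the matching rkhunter.conf directive. Lines that
# are not one of the three warning types seen in this thread print nothing:
# a changed-file-properties warning, for instance, must never be whitelisted
# blindly.
warning_to_directive() {
    line=$1
    case $line in
        *"Hidden directory found: "*)
            rest=${line#*"Hidden directory found: "}
            printf 'ALLOWHIDDENDIR=%s\n' "$rest" ;;
        *"Hidden file found: "*)
            # rkhunter appends ": <file(1) description>" after the path.
            rest=${line#*"Hidden file found: "}
            printf 'ALLOWHIDDENFILE=%s\n' "${rest%%: *}" ;;
        *"has been replaced by a script: "*)
            rest=${line#*"has been replaced by a script: "}
            printf 'SCRIPTWHITELIST=%s\n' "${rest%%: *}" ;;
    esac
}

# Convert a whole report (stdin) and drop repeated directives, keeping order.
generate_whitelist() {
    while IFS= read -r line; do
        warning_to_directive "$line"
    done | awk '!seen[$0]++'
}

# Annotate directives whose path is a symlink. The thread reports that the
# directive did not match the /dev/.initramfs symlink (bug 883324), so such
# entries need re-checking against the next scan rather than being trusted.
annotate_symlinks() {
    while IFS= read -r directive; do
        path=${directive#*=}
        if [ -L "$path" ]; then
            printf '# %s is a symlink: confirm the directive matches (see bug 883324)\n' "$path"
        fi
        printf '%s\n' "$directive"
    done
}

# Demo on the constructed report. On a live system feed it the output of:
#   rkhunter --check --report-warnings-only --skip-keypress
sample_warnings | generate_whitelist | annotate_symlinks
```

Review the generated lines before appending them to /etc/rkhunter.conf.local (only entries whose origin you can explain, as the .blkid.tab discussion above illustrates), then re-run `rkhunter --check --report-warnings-only` to confirm that only the expected warnings disappear.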

This bug makes RKhunter mostly unusable without altering the crontab entry to not report this.

Here's why: getting a report from rkhunter needs to be a serious event, one where people take notice and fix a rootkit, a possible intrusion into the system. If rkhunter is giving false positives, then it's really difficult to know when it's serious (the machine has been rooted) or when it's not (some hidden normal dir in /dev/).

How has this been unresolved since 2008?
