rkhunter reports hidden directories under /dev

Bug #219840 reported by gray
This bug affects 13 people
Affects: rkhunter (Ubuntu); Status: Invalid; Importance: Medium; Assigned to: Unassigned; Milestone: (none listed)

Bug Description

Binary package hint: rkhunter

Running Rootkit Hunter version 1.3.0

I am reasonably sure that

[11:51:08] Checking for hidden files and directories [ Warning ]
[11:51:09] Warning: Hidden directory found: /dev/.static
[11:51:09] Warning: Hidden directory found: /dev/.udev
[11:51:09] Warning: Hidden directory found: /dev/.initramfs

merely means that rkhunter has found a non-standard file - at least as far as rkhunter is concerned - but which is a default install for Hardy Heron. In this case I would assume that rkhunter needs to be updated?

I am using the release candidate of Hardy Heron - installed in free space at the end of my single hard drive, dual booting with winxp. The install is a standard setup (no fancy partitions), with all updates, plus quanta, dvdrip, amarok and k3b with all required libs and apps for these additions. The only changes I have made via the console have been to place winxp first in the grub menu, enable ufw (with default deny) and to make sudo timeout to be zero.

What I would have expected to happen is no warnings - seeing as this is a clean, new install, done last night and only surfing to known safe websites, and the limited installation done thus far.

Tags: patch
Alex Muntada (alex.muntada) wrote:

Those 3 directories can be whitelisted in /etc/rkhunter.conf by just uncommenting the corresponding lines.

However, the question is whether they should be uncommented by default ubuntu installation or not.

Alex Muntada (alex.muntada) wrote:

Happens in every ubuntu installation where I'm using rkhunter.

Changed in rkhunter:
status: New → Confirmed
Dan (dgar) wrote:

I second Alex. How many Hardy installs are there without: java, initramfs, or udev?

gray (info-graydesigns) wrote:

Hi

just a comment - initramfs and udev are surely standard - with java possibly less so (but likely to be installed as the user gets more experienced), so surely rkhunter should be instructed by default to not be concerned about the first 2, and to merely comment on the third? Possibly a slightly more verbose explanation in those instances might be appropriate?

furicle (furicle) wrote:

The current set-up is consistent with the upstream project's feelings on the subject. Let it detect them but hint it may be ok by putting common whitelists commented out in the conf file.

I wonder if it's possible to pop up some kind of warning message at install time - 'rkhunter is installed but a manual review of the settings will be required on most systems'

Carsten Schmitz (cschmitz) wrote:

I second gray's suggestion.

nils (internationils) wrote:

I would agree that if Ubuntu ships in this configuration by default, then the rkhunter settings should be adapted accordingly. The other option is for udev and initramfs to check if rkhunter is installed and appropriately configured for them, but I see this as an rkhunter config issue for standard ubuntu configurations.

Changed in rkhunter (Ubuntu):
importance: Undecided → Medium
Joachim Durchholz (jo-durchholz) wrote:

I'm also getting this:

Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

That's a regression of bug #86153.

And yes, rkhunter requires extensive manual installation.
Which is a Good Thing IMHO. Without that, an admin won't be able to distinguish false positives from genuine problems.
However, the commented-out entries in the conf file should also explain under which circumstances leaving them deactivated will give false positives. E.g. I have no idea which process is generating /dev/.blkid.tab - it contains UUIDs of the block devices, and I see little harm in having these files, but I'd like to be able to check what these files are supposed to contain. (Googling for /dev/.blkid.tab gives either too many or too few hits, depending on what else you enter.)

luca (llucax) wrote:

I think the package should be installed with reasonable defaults; using a configuration file that will scream false positives at anyone doesn't make much sense. I'm also getting this false positive:
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable

Which is very funny because it is from a package that's only installed as a dependency for rkhunter itself. That script should be whitelisted too.

François Marier (fmarier) wrote:

I have these in my /etc/rkhunter.conf.local:

  SCRIPTWHITELIST=/usr/bin/unhide.rb

  ALLOWHIDDENDIR=/etc/.java
  ALLOWHIDDENDIR=/dev/.udev
  ALLOWHIDDENDIR=/dev/.static

  ALLOWHIDDENFILE=/dev/.blkid.tab
  ALLOWHIDDENFILE=/dev/.blkid.tab.old
  ALLOWDEVFILE=/dev/.initramfs

However for the .initramfs, there's an upstream bug (http://sourceforge.net/mailarchive/message.php?msg_id=28252358) preventing this option from working with symlinks. See bug 883324 for the details and fix.

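The whitelist posted above only helps if someone can tell, at a glance, which of rkhunter's warnings it already accounts for and which it does not. The following is an added example (not code from this bug report or from rkhunter): it parses an rkhunter.conf.local fragment, triages warning lines of the kind quoted in this thread against it, and separately lists whitelisted paths that are symlinks, since the thread notes that an ALLOWDEVFILE entry did not take effect for the symlinked /dev/.initramfs. The mapping from warning text to config option (ALLOWHIDDENDIR, ALLOWHIDDENFILE, SCRIPTWHITELIST), the names parse_conf, triage, symlinked_entries and build_fixture, the /dev/.hypothetical path and the temporary directory standing in for /dev are all this example's own assumptions; the config and log text are constructed from what the thread quotes.

```python
"""Triage rkhunter warnings against an rkhunter.conf.local whitelist.

Added example, not code from the bug report or from rkhunter. The config
and warning lines are constructed from what the thread quotes, plus one
hypothetical path that nothing whitelists.
"""
import os
import re
import tempfile

# Constructed: the rkhunter.conf.local entries posted in the thread.
SAMPLE_CONF = """\
# blank lines and comments are ignored by parse_conf()
SCRIPTWHITELIST=/usr/bin/unhide.rb

ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static

ALLOWHIDDENFILE=/dev/.blkid.tab
ALLOWHIDDENFILE=/dev/.blkid.tab.old
ALLOWDEVFILE=/dev/.initramfs
"""

# Constructed: warning lines in the format quoted in the thread; the last
# path is hypothetical and is there to show an uncovered finding.
SAMPLE_LOG = """\
[11:51:08] Checking for hidden files and directories [ Warning ]
[11:51:09] Warning: Hidden directory found: /dev/.static
[11:51:09] Warning: Hidden directory found: /dev/.udev
[11:51:09] Warning: Hidden directory found: /dev/.initramfs
[11:51:09] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[11:51:09] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[11:51:10] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
[11:51:10] Warning: Hidden directory found: /dev/.hypothetical
"""

# Assumption of this example: which option is expected to silence which
# warning text. The option names themselves come from the posted config.
WARNING_RULES = (
    (re.compile(r"Warning: Hidden directory found: (\S+)$"), "ALLOWHIDDENDIR"),
    (re.compile(r"Warning: Hidden file found: (\S+?):"), "ALLOWHIDDENFILE"),
    (re.compile(r"Warning: The command '([^']+)' has been replaced by a script"),
     "SCRIPTWHITELIST"),
)


def parse_conf(text):
    """Return {OPTION: set(values)} from KEY=VALUE lines; '#' starts a comment."""
    whitelist = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        whitelist.setdefault(key, set()).add(value)
    return whitelist


def triage(log_text, whitelist):
    """Split warnings into paths a whitelist entry covers and the rest.

    Lines matching no rule (e.g. the 'Checking for ...' header) are skipped.
    """
    result = {"whitelisted": [], "unexplained": []}
    for line in log_text.splitlines():
        for pattern, option in WARNING_RULES:
            match = pattern.search(line)
            if match:
                path = match.group(1)
                covered = path in whitelist.get(option, set())
                result["whitelisted" if covered else "unexplained"].append(path)
                break
    return result


def symlinked_entries(whitelist, root="/"):
    """List whitelisted paths that are symlinks under `root`; the thread says
    such an entry may not take effect, so these deserve a second look."""
    found = []
    for option in ("ALLOWHIDDENDIR", "ALLOWHIDDENFILE", "ALLOWDEVFILE"):
        for path in sorted(whitelist.get(option, ())):
            if os.path.islink(os.path.join(root, path.lstrip("/"))):
                found.append(path)
    return found


def build_fixture():
    """Constructed stand-in for /dev: two hidden dirs, one hidden file, and
    .initramfs as a symlink, mirroring the layout the thread describes."""
    root = tempfile.mkdtemp(prefix="rkh-example-")
    dev = os.path.join(root, "dev")
    os.makedirs(os.path.join(dev, ".static"))
    os.makedirs(os.path.join(dev, ".udev"))
    with open(os.path.join(dev, ".blkid.tab"), "w") as fh:
        fh.write("constructed placeholder, not real blkid data\n")
    os.symlink(".udev", os.path.join(dev, ".initramfs"))
    return root


if __name__ == "__main__":
    wl = parse_conf(SAMPLE_CONF)
    for status, paths in triage(SAMPLE_LOG, wl).items():
        print(f"{status}: {', '.join(paths)}")
    print("whitelisted symlinks:", symlinked_entries(wl, build_fixture()))
```

Under the assumed mapping, /dev/.initramfs comes out as unexplained because the posted config lists it under ALLOWDEVFILE rather than ALLOWHIDDENDIR, and symlinked_entries flags the same path as a symlink; both outputs point at the one entry the thread reports as not working, while the remaining warnings are accounted for and the hypothetical path stays visible as something to investigate.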
Jonathan D (dugan-ubuntulaunchpad) wrote:

This bug makes RKhunter mostly unusable without altering the crontab entry to not report this.

Here's why: getting a report from rkhunter needs to be a serious event, one where people take notice and fix a root kit, a possible intrusion into the system. If rkhunter is giving false positives, then it's really difficult to know when it's serious (the machine has been rooted) or when it's not (some hidden normal dir in /dev/).

How has this been unresolved since 2008?

Alex (0-alex-5) wrote:

This issue is still unresolved. It makes absolutely no sense for a default installation of rkhunter on a fresh installation of Ubuntu 14.04.

Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "rkhunter-warnings.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
François Marier (fmarier) wrote:

I can't see these hidden directories on 22.04 or on Debian unstable and so I'll assume that this is no longer a bug.

Please reopen if it is in fact still a problem.

Changed in rkhunter (Ubuntu):
status: Confirmed → Invalid