rkhunter complains about files shipped by Ubuntu

Bug #86153 reported by Mikkel Høgh
Affects: rkhunter (Ubuntu) | Status: Fix Released | Importance: Low | Assigned to: Marco Rodrigues | Milestone: (none)

Bug Description

Binary package hint: rkhunter

When running rkhunter on my (several) Ubuntu 6.06 systems, I have found at least 4 files/dirs/symlinks shipped by Ubuntu itself that are found to be "suspicious" by rkhunter.

These are:
/lib/modules/2.6.15-27-amd64-generic/volatile/.mounted
/dev/.static
/dev/.udev
/dev/.initramfs

Although it is easy to add these to the allow-list in /etc/rkhunter.conf, it's annoying to have to do this on all your servers, so I think it would be sensible for Ubuntu to add these to the rkhunter.conf we ship.

Revision history for this message
Achim Bohnet (allee) wrote :

I can confirm it. In edgy and feisty, the daily cronjob still always warns about:
Found warnings:
[07:38:24] WARNING, found: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory) /etc/.java (directory)

Changed in rkhunter:
status: Unconfirmed → Confirmed
Revision history for this message
hasan (hassanidin) wrote :

I can confirm this on Feisty as well. I get the following output:

* Filesystem checks
   Checking /dev for suspicious files... [ OK ]
   Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.tmp-11-0
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.tmp-11-0 (block special (11/0)) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

[Press <ENTER> to continue]

Changed in rkhunter:
importance: Undecided → Low
status: Confirmed → Fix Committed
Revision history for this message
Marco Rodrigues (gothicx) wrote :

Fixed on 1.3.0-1 now in Gutsy...

Changed in rkhunter:
assignee: nobody → gothicx
status: Fix Committed → Fix Released
Revision history for this message
Cristóbal M. Palmer (cristobalpalmer) wrote :

From /var/log/rkhunter.log:

[15:42:19] Performing filesystem checks
[15:42:19] Info: Starting test name 'filesystem'
[15:42:19] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:43:43] Checking /dev for suspicious file types [ None found ]
[15:43:44] Checking for hidden files and directories [ Warning ]
[15:43:44] Warning: Hidden directory found: /dev/.static
[15:43:44] Warning: Hidden directory found: /dev/.udev
[15:43:44] Warning: Hidden directory found: /dev/.initramfs

this is on:

cmpalmer@albert:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu 7.10"

also:

cmpalmer@albert:~$ dpkg -l rkhunter|grep ^ii
ii rkhunter 1.3.0-1 rootkit, backdoor, sniffer and exploit scanner

this is out-of-the-box rkhunter with no config changes on my part.

Cheers,
CMP

Revision history for this message
Cristóbal M. Palmer (cristobalpalmer) wrote :

Now I feel a bit silly. I see the commented-out lines in the conf file, but I'm wondering why they're commented out and not the default?

Cheers,

Revision history for this message
weer (romeo8881) wrote :

I can confirm that on Karmic
[21:44:32] Warning: Hidden directory found: /etc/.java
[21:44:32] Warning: Hidden directory found: /dev/.udev
[21:44:32] Warning: Hidden directory found: /dev/.initramfs
[21:44:32] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[21:44:38]

Revision history for this message
Artem Yakimenko (temik) wrote :

Uncommented the needed lines in rkhunter.conf, but /dev/.blkid.tab is still not present in the default config:
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

Ubuntu Karmic 32bit

Revision history for this message
Mark Fraser (launchpad-mfraz) wrote :

This is still a problem in Lucid. Had to uncomment the same lines already mentioned, but also had to add
ALLOWHIDDENFILE=/dev/.blkid.tab*
to stop these warnings.
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

Revision history for this message
Boyd Stephen Smith Jr. (bss03) wrote :

Confirmed on Maverick:
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

These should be added to the shipped rkhunter.conf as ALLOWHIDDENFILE entries. They don't appear to be owned by any installed package ("dpkg -S" doesn't find them), but I believe they are generated during normal operation of Maverick.

Revision history for this message
Roger Binns (ubuntu-rogerbinns) wrote :

/dev/.blkid.tab is still an issue in oneiric.

Revision history for this message
Joachim Durchholz (jo-durchholz) wrote :

I confirm that the bug still exists in Oneiric.

Revision history for this message
Joachim Durchholz (jo-durchholz) wrote :

I'm adding this to bug #219840, which is still open.

Revision history for this message
Rody Heijstek (rody-heijstek) wrote :

I can confirm this bug. Running ubuntu 10.04 LTS.

How to fix, while awaiting the bugfix/package update:

Add the line

ALLOWHIDDENFILE=/dev/.blkid.tab*

...to /etc/rkhunter.conf.

Afterwards run the command:

rkhunter --propupd

...to update the datafile of rkhunter.

And run:

rkhunter --check --sk --rwo

...to confirm there are no errors (false positives) anymore. The --sk and --rwo options are "skip keypresses" and "report warnings only", to make life a little easier.

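The procedure above is repeated by hand on every server in the thread. The script below is an added example, not code from this bug report, from Ubuntu or from the rkhunter project: it reads the "Hidden directory found" / "Hidden file found" warnings in the /var/log/rkhunter.log format quoted in the Gutsy and Karmic comments, turns each unique path into the matching ALLOWHIDDENDIR= or ALLOWHIDDENFILE= line, and merges those lines into a copy of rkhunter.conf, skipping lines that are already active, uncommenting lines that are shipped commented out (as Cristóbal found them), and appending the rest. The log text, the conf excerpt and the temporary file it writes to are constructed sample data; it emits exact paths, not the /dev/.blkid.tab* wildcard form Mark used. The output is meant to be reviewed before anything is applied to the real /etc/rkhunter.conf: a hidden file in /dev is exactly what the check exists to catch, so a path should only be allow-listed once you have confirmed the system itself creates it (for instance with dpkg -S, as Boyd did).

```shell
#!/bin/sh
# Added example for this thread; not code from the bug report or from rkhunter.
# Reads "Hidden directory/file found" warnings in the rkhunter.log format quoted
# above, prints the matching ALLOWHIDDENDIR= / ALLOWHIDDENFILE= lines, and
# merges them into a copy of rkhunter.conf: lines already active are skipped,
# lines shipped commented out ("#ALLOWHIDDENDIR=...") are uncommented, and
# anything else is appended. The log text and conf excerpt are constructed.

# Constructed sample log, modelled on the Gutsy and Karmic excerpts in the
# thread (one duplicate line on purpose, to show de-duplication).
SAMPLE_LOG='[15:43:44] Checking for hidden files and directories [ Warning ]
[15:43:44] Warning: Hidden directory found: /dev/.static
[15:43:44] Warning: Hidden directory found: /dev/.udev
[21:44:32] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[21:44:32] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[15:43:44] Warning: Hidden directory found: /dev/.udev'

# allow_lines_from_log: log text on stdin -> one ALLOWHIDDEN* line per unique path.
allow_lines_from_log() {
    LC_ALL=C awk '
        /Warning: Hidden directory found: / {
            sub(/.*Hidden directory found: /, "")
            print "ALLOWHIDDENDIR=" $0
        }
        /Warning: Hidden file found: / {
            sub(/.*Hidden file found: /, "")
            sub(/: .*$/, "")          # drop the ": ASCII text" file-type suffix
            print "ALLOWHIDDENFILE=" $0
        }
    ' | LC_ALL=C sort -u
}

# uncomment_line CONF LINE: rewrite CONF so that an exact "#LINE" becomes "LINE".
# A read loop is used instead of sed so paths with regex metacharacters are safe.
uncomment_line() {
    conf=$1; want=$2; tmp="$conf.tmp"
    while IFS= read -r l; do
        if [ "$l" = "#$want" ]; then printf '%s\n' "$want"; else printf '%s\n' "$l"; fi
    done < "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# merge_allow_lines CONF: ALLOWHIDDEN* lines on stdin -> merged into CONF.
# Running it twice with the same input changes nothing (idempotent).
merge_allow_lines() {
    conf=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if grep -qxF -- "$line" "$conf"; then
            :                                   # already enabled
        elif grep -qxF -- "#$line" "$conf"; then
            uncomment_line "$conf" "$line"      # shipped commented out
        else
            printf '%s\n' "$line" >> "$conf"    # new entry
        fi
    done
}

# demo_merge: run the pipeline against a throw-away conf modelled on the
# shipped one (one entry commented out, one already active) and print the result.
demo_merge() {
    conf=$(mktemp)
    printf '%s\n' '#ALLOWHIDDENDIR=/dev/.udev' 'ALLOWHIDDENDIR=/dev/.static' > "$conf"
    printf '%s\n' "$SAMPLE_LOG" | allow_lines_from_log | merge_allow_lines "$conf"
    cat "$conf"
    rm -f "$conf"
}

demo_merge
```

To use it on a real host, pipe /var/log/rkhunter.log through allow_lines_from_log, inspect the printed lines, and only then run merge_allow_lines against a backup copy of /etc/rkhunter.conf, followed by rkhunter --propupd and rkhunter --check --sk --rwo as in the comment above. Exact-line matching is deliberate: an existing wildcard entry such as ALLOWHIDDENFILE=/dev/.blkid.tab* is not recognised as covering /dev/.blkid.tab, so a duplicate exact line may be appended in that case; it is harmless but worth knowing when reading the result.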