
False positive: Hidden file (symbolic link to directory) cannot be white-listed

Reported by Bernie Hoeneisen on 2011-10-28
This bug affects 80 people
Affects: rkhunter (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

After upgrading to Oneiric, rkhunter started reporting the following (false positive):

  Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

which cannot be white-listed in the current rkhunter version in Oneiric.

It looks like upstream already has a fix for this:

   http://sourceforge.net/mailarchive/message.php?msg_id=28252358

cheers,
 Bernie

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rkhunter (Ubuntu):
status: New → Confirmed
tags: added: oneiric

Reinhold Kainhofer (reinhold) wrote :

Can't the ubuntu maintainers simply backport that patch to the oneiric version?
It's a simple fix, and the ubuntu packages seem to backport fixes regularly, so why not here, too?
 http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.405&r2=1.406&sortby=date

Right now, I get daily mails from all my machines about this false positive, which highly increases the chance that I miss it when a real problem appears, because simply deleting those false positives has become a habit...

Cheers,
Reinhold

Robby (robbyd) wrote :

+1 for a backport to oneiric. Getting emails from all of my machines with this error is highly annoying...

Adam Funk (a-funk) wrote :

Getting the false positive every morning (as reinhold and Robby point out) is not only annoying but increases the risk of ignoring a real problem: "the security software that cried wolf". Please backport the upstream fix to oneiric.

Waseem Elliot (waseem-x) wrote :

This is still the case on precise which is still using rkhunter 1.3.8.

luca (llucax) wrote :

+1. Please backport!

Brian Burch (brian-pingtoo) wrote :

version 1.3.8-10 from the precise pangolin beta repository has the same problem (symlink to /run/initramfs) as reported against the oneiric 1.3.8-7 package.

tags: added: precise

Daniel Firvida (dfirvida) wrote :

NEW DISTRIBUTION, AND OLD BUG! :-)

In the version of rkhunter 1.3.8-10 that is distributed with Ubuntu 12.04 LTS, this bug is present again. The patch has been in rkhunter CVS since August 2011 and the related URL is in another comment of this bug (http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.405&r2=1.406&sortby=date).

It is a security package and the only workaround is to disable the filesystem test! (DISABLE_TESTS = "File System" in rkhunter.conf); this is not safe or appropriate for system security.

Please ... use the patch or release a new version of rkhunter or something! ... This bug was reported seven months ago and is still not assigned and does not have priority! ... It is also repeated in bugs #883416, #896916 and #926156.

Who is the maintainer of this package in Ubuntu ?¿?¿

reini (rrumberger) wrote :

> Who is the maintainer of this package in Ubuntu ?¿?¿

According to https://launchpad.net/ubuntu/+source/rkhunter, the "Debian Forensics" team (https://launchpad.net/~forensics-devel) which, apparently, "does not use Launchpad"...
(IOW, there doesn't seem to be anyone in Ubuntu claiming responsibility.)

According to https://launchpad.net/rkhunter, the "Registry Administrators" team (https://launchpad.net/~registry). IOW, nobody in Ubuntu really cares about this.

Daniel Firvida (dfirvida) wrote :

Awesome!!

I'll search for a package ported to Ubuntu from a higher version included in Precise (1.4.0 I hope) .......... :(

KlausHoller (kholler) wrote :

Downloading the tarfile rkhunter-1.4.0.tar.gz from http://sourceforge.net/projects/rkhunter/files/ and just copying the files/rkhunter script from the tarfile over /usr/bin/rkhunter seems to be fine as a workaround: the false positive is gone.

Brian Burch (brian-pingtoo) wrote :

Just copying the executable wasn't enough on my systems. I recommend also copying the 1.4.0 file rkhunter.conf to /etc. After that, create a new file /etc/rkhunter.conf.local and populate it with ALL the different (uncommented) lines from your old 1.3.8 rkhunter.conf.

In my opinion, whoever does the repackaging of 1.4.0 for ubuntu distribution will have to make some adjustments to the installation script to follow this new (and improved) scheme for managing local changes to the configuration file.

Tim Miller Dyck wrote :

Ran into this also. Thanks to reinhold for pointing to the patch.

I am just using the stock Ubuntu 12.04 version with the patch manually applied. That is working fine for me in terms of avoiding the false positive.

vi /usr/bin/rkhunter

    At around line 846 and following

...
    elif [ -d "${FNAME}" ]; then
        #
        # For the ALLOWHIDDENFILE option we need to allow
        # a hidden symbolic link to a directory.
        #
        test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

        case "${OPT_NAME}" in
...

    At around line 15102 and following (the change is just a comment)

...
   FTYPE=`${FILE_CMD} ${FNAME} 2>/dev/null | cat -v | tr -s ' ' ' ' | cut -d' ' -f2-`

#jh - should include block special too.
#jh - also should cater for 'sticky directory' (like /tmp) when using file.
   test -z "${FTYPE}" -o -n "`echo \"${FTYPE}\" | egrep 'character special|empty'`" && continue
...

Update the signature database as the rkhunter file signature has changed with the edits above.

rkhunter --propupd

And here are the other configuration settings I needed to add to avoid false positives on Ubuntu 12.04 Server.

vi /etc/rkhunter.conf

Avoid hidden directory/hidden file false positives

...

#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
## add /dev/.udev directory to avoid a false positive
ALLOWHIDDENDIR="/dev/.udev"

#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
...
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
## add /dev/.initramfs symbolic link to avoid a false positive
ALLOWHIDDENFILE="/dev/.initramfs"

...

Avoid "replaced by a script" false positives

...

#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
## add /usr/bin/unhide.rb to avoid a false positive
SCRIPTWHITELIST=/usr/bin/unhide.rb

...

Regards,
Tim Miller Dyck
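The following is an added example, not rkhunter's own code, that models the whitelist branch the patch quoted above changes: in 1.3.8 a hidden symbolic link to a directory passes `test -d`, so only ALLOWHIDDENDIR is consulted and an ALLOWHIDDENFILE entry for it is never reached; with the patch a hidden symlink to a directory can be allowed via ALLOWHIDDENFILE. The temporary tree, the exact-match (no wildcard) lists and the names check_hidden, in_list and make_tree are all constructed here.

```shell
#!/bin/sh
# Constructed model of rkhunter's hidden-file whitelist check (not rkhunter code).
# "old" reproduces the 1.3.8 branch that could not whitelist /dev/.initramfs;
# "patched" adds the upstream fix: ALLOWHIDDENFILE may match a hidden symlink
# to a directory. Matching is exact; rkhunter's wildcard support is omitted.

ROOT=$(mktemp -d)   # constructed stand-in for the real filesystem root
make_tree() {
    mkdir -p "$ROOT/dev/.udev" "$ROOT/run/initramfs"
    ln -s "$ROOT/run/initramfs" "$ROOT/dev/.initramfs"  # the link from the report
    mkdir -p "$ROOT/dev/.nobody"                         # hidden dir not whitelisted
}
make_tree

# Whitelists as they would come from rkhunter.conf (one entry each here).
ALLOWHIDDENDIR="$ROOT/dev/.udev"
ALLOWHIDDENFILE="$ROOT/dev/.initramfs"

# in_list NAME LIST: returns 0 when NAME equals one of LIST's space-separated entries.
in_list() {
    for entry in $2; do
        [ "$1" = "$entry" ] && return 0
    done
    return 1
}

# check_hidden MODE PATH: prints "ok" (whitelisted) or "warn" (would be reported).
# MODE is "old" for the 1.3.8 logic or "patched" for the upstream fix.
check_hidden() {
    mode=$1; fname=$2
    if [ -d "$fname" ]; then
        # Patched branch: a hidden symbolic link to a directory may be allowed as a file.
        if [ "$mode" = patched ] && [ -h "$fname" ] && in_list "$fname" "$ALLOWHIDDENFILE"; then
            echo ok; return 0
        fi
        if in_list "$fname" "$ALLOWHIDDENDIR"; then echo ok; return 0; fi
    elif in_list "$fname" "$ALLOWHIDDENFILE"; then
        echo ok; return 0
    fi
    echo warn; return 1
}

# Walk the hidden entries under the constructed /dev and show both verdicts.
for d in "$ROOT"/dev/.*; do
    case $d in */.|*/..) continue;; esac
    echo "old: $(check_hidden old "$d")  patched: $(check_hidden patched "$d")  $d"
done
```

Only /dev/.initramfs changes verdict between the two modes; a hidden directory that is on no list is still reported after the patch.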

François Marier (fmarier) wrote :

I have added a backport of the latest version from Debian sid (rkhunter 1.4.0-1) to my PPA:

  https://launchpad.net/~fmarier/+archive/ppa

wiz (wiz) wrote :

Quantal -> still there.

kakaroto (just2register) wrote :

I still have the same problem; it was reported several months ago and the fix is known and easy to implement, so why don't you just fix the package?

KlausHoller (kholler) wrote :

I read on https://wiki.ubuntu.com/UbuntuBackports about the backporting process and created https://bugs.launchpad.net/precise-backports/+bug/1095056 via `requestbackport rkhunter --destination precise` after having tested that the rkhunter-1.4.0-2 package from raring builds and runs fine for both precise and quantal.
A side effect of that backport testing is that I now have those builds in my https://launchpad.net/~kholler/+archive/ppa-backports PPA repository.

martywd (martywd) wrote :

@kholler -- 2013-01-01

Thanks to you and your 'ppa' with rkhunter-1.4.x. The new version 'fixed' this bug for me on two recently built 12.04 servers.

Michiel Hendriks (elmuerte) wrote :

I've applied the same patch to the rkhunter that ships with precise (1.3.8), in case you don't want to jump versions.
Package is available in my PPA: https://launchpad.net/~elmuerte/+archive/12.04
