Comment 13 for bug 883324

Tim Miller Dyck (timmillerdyck) wrote :

Ran into this also. Thanks to reinhold for pointing to the patch.

I am just using the stock Ubuntu 12.04 version with the patch manually applied. That is working fine for me in terms of avoiding the false positive.

vi /usr/bin/rkhunter

    At around line 846 and following

...
    elif [ -d "${FNAME}" ]; then
        #
        # For the ALLOWHIDDENFILE option we need to allow
        # a hidden symbolic link to a directory.
        #
        test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

        case "${OPT_NAME}" in
...

    At around line 15102 and following (the change is just a comment)

...
    FTYPE=`${FILE_CMD} ${FNAME} 2>/dev/null | cat -v | tr -s ' ' ' ' | cut -d' ' -f2-`

    #jh - should include block special too.
    #jh - also should cater for 'sticky directory' (like /tmp) when using file.
    test -z "${FTYPE}" -o -n "`echo \"${FTYPE}\" | egrep 'character special|empty'`" && continue
...

Update the signature database as the rkhunter file signature has changed with the edits above.

rkhunter --propupd

And here are the other configuration settings I needed to add to avoid false positives on Ubuntu 12.04 Server.

vi /etc/rkhunter.conf

Avoid hidden directory/hidden file false positives

...

#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
## add /dev/.udev directory to avoid a false positive
ALLOWHIDDENDIR="/dev/.udev"

#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
...
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
## add /dev/.initramfs symbolic link to avoid a false positive
ALLOWHIDDENFILE="/dev/.initramfs"

...

Avoid "replaced by a script" false positives

...

#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
## add /usr/bin/unhide.rb to avoid a false positive
SCRIPTWHITELIST=/usr/bin/unhide.rb

...

Regards,
Tim Miller Dyck
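The validation change the comment above patches in, as an added example that is not rkhunter's code and not part of this bug report: a small POSIX shell model of the quoted block around line 846, showing why a hidden symbolic link that points at a directory (the /dev/.initramfs case) is rejected as an ALLOWHIDDENFILE entry by the stock script and accepted once the one-line test is added. The function names (validate_hidden_entry, make_sample_tree, accepting_options), the PATCHED flag and the constructed sample tree are this example's own assumptions; it models only the whitelist-entry validation quoted above, not rkhunter's later hidden-file scan.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Models the validation that the quoted
# block around line 846 of /usr/bin/rkhunter applies to ALLOWHIDDENDIR and
# ALLOWHIDDENFILE entries. Function names, the PATCHED flag and the sample
# tree below are this example's own assumptions.

# validate_hidden_entry OPT_NAME FNAME PATCHED
#   Exit 0 if FNAME is an acceptable entry for OPT_NAME, 1 if it is rejected.
#   PATCHED=0 models the stock Ubuntu 12.04 script; PATCHED=1 adds the
#   single test line from the patch.
validate_hidden_entry() {
    OPT_NAME=$1
    FNAME=$2
    PATCHED=$3
    if [ -d "${FNAME}" ]; then
        # [ -d ] follows symlinks, so a hidden symlink that points at a
        # directory (/dev/.initramfs on 12.04) lands in this branch.
        if [ "${PATCHED}" = 1 ]; then
            # The patch: a symbolic link is still allowed as a hidden *file*.
            test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && return 0
        fi
        case "${OPT_NAME}" in
            ALLOWHIDDENDIR) return 0 ;;
            *) return 1 ;;   # modelled stock behaviour: a directory is not a file
        esac
    elif [ -e "${FNAME}" ] || [ -h "${FNAME}" ]; then
        case "${OPT_NAME}" in
            ALLOWHIDDENFILE) return 0 ;;
            *) return 1 ;;   # a plain file is not a directory
        esac
    fi
    return 1   # nothing at that path: rejected for either option
}

# accepting_options FNAME PATCHED
#   Prints the space-separated list of options that accept FNAME, or NONE.
accepting_options() {
    out=""
    for opt in ALLOWHIDDENDIR ALLOWHIDDENFILE; do
        if validate_hidden_entry "${opt}" "$1" "$2"; then
            out="${out}${out:+ }${opt}"
        fi
    done
    printf '%s\n' "${out:-NONE}"
}

# make_sample_tree
#   Builds a constructed temporary tree mirroring the three shapes seen
#   on 12.04 and prints its path:
#     .udev        a real hidden directory
#     .initramfs   a hidden symlink to a directory
#     .k5login     a hidden regular file
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "${dir}/.udev" "${dir}/initramfs-target"
    ln -s "${dir}/initramfs-target" "${dir}/.initramfs"
    : > "${dir}/.k5login"
    printf '%s\n' "${dir}"
}

# Stand-alone demo: which option each sample entry is accepted under,
# before and after the patch.
SAMPLE=$(make_sample_tree)
for name in .udev .initramfs .k5login; do
    printf '%-11s stock: %-16s patched: %s\n' "${name}" \
        "$(accepting_options "${SAMPLE}/${name}" 0)" \
        "$(accepting_options "${SAMPLE}/${name}" 1)"
done
rm -rf "${SAMPLE}"
```

Run it with `sh` on any system; it only touches a temporary directory. Two practical cautions that go with the whitelist edits in the comment: identify what a flagged hidden object is before whitelisting it (`ls -ld`, `readlink -f`, and `dpkg -S` on the target all help), since ALLOWHIDDENDIR and ALLOWHIDDENFILE entries silence the check for that path from then on; and `rkhunter --propupd` rewrites the stored file-property baseline, so run it only on a system you have just verified and only after an intentional change such as the patch above.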