/dev/.initramfs triggers warnings in rkhunter

Bug #896916 reported by Tony Green
This bug affects 18 people
Affects: rkhunter (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Since Ubuntu 11.10, /dev/.initramfs is a symlink to /run/initramfs.
rkhunter triggers a daily warning about this:

[10:57:36] Checking for hidden files and directories [ Warning ]
[10:57:36] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

Although it's possible to whitelist files or directories in the rkhunter config file, it doesn't currently allow the whitelisting of symlinks.

According to http://comments.gmane.org/gmane.comp.security.rkhunter.user/2678 a patch for rkhunter has been created to allow symlinks to be whitelisted, specifically because of the new behaviour in 11.10. It seems like a good idea for that patch to be incorporated in rkhunter for Ubuntu.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: rkhunter 1.3.8-7
ProcVersionSignature: Ubuntu 2.6.38-11.50-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Sun Nov 27 16:38:14 2011
InstallationMedia: Xubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_GB:en_US:en
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 LC_MESSAGES=en_GB.UTF-8
 SHELL=/bin/ksh
SourcePackage: rkhunter
UpgradeStatus: Upgraded to oneiric on 2011-10-15 (43 days ago)
modified.conffile..etc.cron.daily.rkhunter: [deleted]
modified.conffile..etc.cron.weekly.rkhunter: [deleted]
mtime.conffile..etc.rkhunter.conf: 2011-11-19T15:40:44.528472

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rkhunter (Ubuntu):
status: New → Confirmed
Revision history for this message
Thabo Ntitsane (thabon) wrote :

If one sets in /etc/rkhunter.conf
ALLOWHIDDENDIR="/dev/.initramfs"
it still generates a warning, as it is a file (well, a symlink), not a directory.

If one sets
ALLOWHIDDENFILE="/dev/.initramfs"
rkhunter refuses to run, because it should be a directory.

It would be great to see an update of rkhunter in oneiric server to solve this.
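The behaviour described in the bug report and in the comment above comes down to how a hidden entry is classified before the whitelist is consulted. The following is an added example, not rkhunter's own code: a small POSIX sh model of the "hidden files and directories" check that tests `-L` before `-d` (for a symlink to a directory, `-d` is also true, so the order matters), with a constructed temp tree mimicking the 11.10 layout (`dev/.initramfs -> run/initramfs`). The whitelist is passed as arguments in place of `ALLOWHIDDENFILE` / `ALLOWHIDDENDIR` lines; all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a small model of the
# "Checking for hidden files and directories" test, showing why a symlink
# such as /dev/.initramfs -> /run/initramfs must be recognised with -L
# before -d is consulted.  All function and variable names are this
# example's own; the whitelist is passed as arguments instead of being
# read from ALLOWHIDDENFILE/ALLOWHIDDENDIR lines in /etc/rkhunter.conf.

# classify_entry PATH: prints "symlink", "dir" or "file".
# -L is tested first: for a symlink to a directory, -d is also true.
classify_entry() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ -d "$1" ]; then
        echo dir
    else
        echo file
    fi
}

# naive_classify PATH: the ordering that goes wrong on a symlink to a
# directory, which it reports as "dir".
naive_classify() {
    if [ -d "$1" ]; then echo dir; else echo file; fi
}

# is_allowed PATH KIND ALLOWED_FILES ALLOWED_DIRS
# ALLOWED_* are whitespace-separated path lists standing in for the
# ALLOWHIDDENFILE / ALLOWHIDDENDIR options.  Symlinks are whitelisted via
# the file list.  Exit status 0 when PATH is whitelisted for its KIND.
is_allowed() {
    ia_path=$1 ia_kind=$2
    case $ia_kind in
        dir) ia_list=$4 ;;
        *)   ia_list=$3 ;;
    esac
    for ia_entry in $ia_list; do
        [ "$ia_entry" = "$ia_path" ] && return 0
    done
    return 1
}

# scan_hidden DIR ALLOWED_FILES ALLOWED_DIRS
# Prints one "Warning: Hidden <kind> found: <path>" line per hidden entry
# directly under DIR that is not whitelisted; exit status 1 if any.
scan_hidden() {
    sh_dir=$1 sh_files=$2 sh_dirs=$3 sh_rc=0
    for sh_p in "$sh_dir"/.[!.]*; do
        # an unmatched glob is left as-is; skip it (but keep dangling symlinks)
        [ -e "$sh_p" ] || [ -L "$sh_p" ] || continue
        sh_kind=$(classify_entry "$sh_p")
        if ! is_allowed "$sh_p" "$sh_kind" "$sh_files" "$sh_dirs"; then
            echo "Warning: Hidden $sh_kind found: $sh_p"
            sh_rc=1
        fi
    done
    return $sh_rc
}

# build_fixture: creates a constructed temp tree mimicking the 11.10 layout
# (dev/.initramfs -> run/initramfs, plus a real hidden dir and a hidden
# file) and prints its root.
build_fixture() {
    bf_root=$(mktemp -d)
    mkdir -p "$bf_root/run/initramfs" "$bf_root/dev/.udev"
    ln -s "$bf_root/run/initramfs" "$bf_root/dev/.initramfs"
    : > "$bf_root/dev/.hidden-file"
    echo "$bf_root"
}

# Demo: the symlink is not covered by the dir whitelist, only by the file one.
demo_root=$(build_fixture)
echo "== no whitelist =="
scan_hidden "$demo_root/dev" "" "" || true
echo "== symlink listed as a hidden dir: still warns =="
scan_hidden "$demo_root/dev" "$demo_root/dev/.hidden-file" \
    "$demo_root/dev/.initramfs $demo_root/dev/.udev" || true
echo "== symlink listed as a hidden file: clean =="
scan_hidden "$demo_root/dev" "$demo_root/dev/.initramfs $demo_root/dev/.hidden-file" \
    "$demo_root/dev/.udev" && echo "no warnings"
rm -rf "$demo_root"
```

With the naive ordering, `/dev/.initramfs` lands in the directory bucket, so a file whitelist entry for it is rejected as "should be a directory" while a directory entry never matches the symlink the scan reports. Checking `-L` first gives the symlink its own kind, and listing it under the file whitelist (the `ALLOWHIDDENFILE=/dev/.initramfs` form quoted from upstream later in this thread) is then enough to silence the warning.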

Revision history for this message
Douglas Bagnall (douglasbagnall) wrote :

Acknowledged upstream:

http://sourceforge.net/mailarchive/message.php?msg_id=28258565

There seems to be no satisfactory workaround.

Revision history for this message
Tony Green (mrzx4-c4uxxu-hwbqs) wrote :

I'm rather puzzled by the statement "There seems to be no satisfactory workaround".

The posting referenced by Douglas (which is essentially the same one I originally referenced, on a different site) says,

"I have put a fix into the CVS code so that ALLOWHIDDENFILE should work
correctly.
I will email you (off list) a fixed 'rkhunter' program with this fix,
which you should be able to just use as a drop-in replacement. In your
RKH config file you should use 'ALLOWHIDDENFILE=/dev/.initramfs'."

...which is saying that the maintainer has patched the rkhunter code SPECIFICALLY for this bug.
