Bug 1275068

Summary: Rkhunter displays warnings which show either a serious attack or false positives
Product: Fedora
Reporter: Ervin <ervindiner>
Component: rkhunter
Assignee: Kevin Fenzi <kevin>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 22
CC: kevin, nonamedotc
Hardware: x86_64
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-10-26 14:20:53 UTC

Description Ervin 2015-10-25 14:55:09 UTC
Rkhunter scan results display serious warnings which may or may not be false positives


Version = 1.4.2-6


How reproducible: Not sure


Steps to Reproduce:
1. Install rkhunter
2. Run a rkhunter scan as root: rkhunter --check
3. Observe the scan results
4. Open with gedit [as root] var/log/rkhunter/rkhunter.log
5. Look at the warnings

Actual results:
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable

Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable

Expected results:
Either the files have been modified, whether by updates or by an attack, or rkhunter should not display false positives.

Comment 1 Ervin 2015-10-25 20:32:58 UTC
Should you need to review the code of the scripts I can upload it here.

Comment 2 Kevin Fenzi 2015-10-26 14:20:53 UTC
You need to run 'rkhunter --propupd' to tell rkhunter that all is as expected before you try and run checks.

There was some talk about tweaking rkhunter to provide clean results on a fresh install, but I think this is a bad way to use the tool. You should always use --propupd to tell rkhunter when you have a clean baseline.

So, unless I am misunderstanding things, this is not really a bug...

Comment 3 Ervin 2015-10-26 14:35:20 UTC
Fair enough, but I as an average user was not familiar with this command.
And in that case rkhunter must come pre-installed in Fedora or be installed right away after installing the system.

Comment 4 Kevin Fenzi 2015-10-26 14:43:50 UTC
Well, I think it would take a good deal of upstream work to make rkhunter an integrated end-user tool. It's not really aimed that way right now. The man page explains more about --propupd (which you will have to use after every set of updates or if you change config files anyhow).
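As an added example (not code from this report or from the rkhunter project), a POSIX shell wrapper that follows the advice in comments 2 and 4 but first checks each command rkhunter flagged as "replaced by a script" against the RPM database, so that a baseline is only accepted when the scripts are the ones the distribution shipped. The log path and the warning format are taken from the report; the function names and the `--apply` switch are assumptions of the example.

```shell
#!/bin/sh
# Example wrapper: verify rkhunter's "replaced by a script" findings against
# the owning RPM before accepting them into the baseline with --propupd.
LOG="${RKHUNTER_LOG:-/var/log/rkhunter/rkhunter.log}"   # path from the report

# Constructed sample of the warnings shown in the report (used by demo_parse).
SAMPLE="Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
 Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: Some unrelated rkhunter warning"

# Print one flagged path per line for every "replaced by a script" warning on stdin.
extract_replaced_paths() {
    sed -n "s/^ *Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# Run the parser over the constructed sample (the part a reader can try offline).
demo_parse() {
    printf '%s\n' "$SAMPLE" | extract_replaced_paths
}

# Succeed only if every path on stdin is owned by a package and 'rpm -V' reports
# no differences for it (rpm -Vf prints nothing and exits 0 when the file matches).
verify_against_rpm() {
    status=0
    while IFS= read -r path; do
        if ! rpm -qf "$path" >/dev/null 2>&1; then
            echo "NOT PACKAGED: $path" >&2; status=1; continue
        fi
        if ! out=$(rpm -Vf "$path" 2>&1) || [ -n "$out" ]; then
            echo "MODIFIED: $path ${out:+($out)}" >&2; status=1
        fi
    done
    return $status
}

# Re-baseline only when all flagged commands are unmodified packaged files.
safe_propupd() {
    if extract_replaced_paths < "$LOG" | verify_against_rpm; then
        rkhunter --propupd
    else
        echo "Refusing 'rkhunter --propupd': investigate the files above first." >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then safe_propupd; fi
```

Without `--apply` the script only defines the functions; run it as root with `--apply` after a package update to re-baseline once the flagged files verify cleanly.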