Bug 1288450

Summary: /etc/.updated and rkhunter
Product: [Fedora] Fedora EPEL
Reporter: Harald Reindl <h.reindl>
Component: rkhunter
Assignee: Kevin Fenzi <kevin>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: epel7
CC: bblaskov, jsynacek, kevin, manuel.wolfshant, msekleta, nerijus, nonamedotc, systemd-maint-list
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2017-01-25 17:46:06 UTC
Type: Bug

Description Harald Reindl 2015-12-04 09:27:22 UTC
oh no - such stuff belongs to /var/lib

[root@localhost:~]$ cat /etc/.updated
This file was created by systemd-update-done. Its only
purpose is to hold a timestamp of the time this directory
was updated. See systemd-update-done.service(8).

hidden files below /etc result in rkhunter alerts

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Hidden file found: /etc/.updated: ASCII text

----------------------- End Rootkit Hunter Scan -----------------------

Comment 1 Michal Sekletar 2015-12-04 10:07:24 UTC
Well, there is also /var/.updated. As both files are part of offline update scheme provided by systemd and now implemented by Gnome's Software app I think it would be less work for everyone to just add an exception in rkhunter.

At any rate, we will not change the behavior in RHEL, unless it is changed upstream. Any chance you will bring this discussion upstream?

Comment 2 Harald Reindl 2015-12-04 10:09:54 UTC
i doubt that this is an unconditional systemd-upstream thing because i run Fedora 22/23/24 on several machines and the only system which ever came with these alerts was CentOS 7.2 CR

Comment 3 Nerijus Baliūnas 2015-12-15 10:33:30 UTC
See bug 1291629

Comment 4 Jan Synacek 2017-01-25 13:49:35 UTC
See comment 1 and 3.

Comment 5 Harald Reindl 2017-01-25 15:23:08 UTC
then hand it over to the rkhunter maintainers - it's a joke that users need to configure such things

Comment 6 Kevin Fenzi 2017-01-25 17:22:51 UTC
This was fixed in rkhunter over a year ago... 

commit 0c33dc80a147606d268b6f3118ebe516691e43ef
Author: Mukundan Ragavan <nonamedotc>
Date:   Thu Dec 31 18:52:53 2015 -0500

    Allow /etc/.updated on EL7
    
    - Fixes bug#1291629

Do you actually see this still? what exact version of rkhunter?

Comment 7 Nerijus Baliūnas 2017-01-25 17:29:23 UTC
Yes, it is fixed - /etc/rkhunter.conf of rkhunter-1.4.2-7.el7.noarch has a line:
ALLOWHIDDENFILE=/etc/.updated

Comment 8 Harald Reindl 2017-01-25 17:39:10 UTC
Maybe it was fixed in the meantime, i changed the local config on the day I reported the problem - so why do i get a WONTFIX a year later with explaining why those hidden folders got created while it's still not true that they needed to get introduced that way from start

Comment 9 Kevin Fenzi 2017-01-25 17:46:06 UTC
Feel free to take your concerns to upstream systemd about the files. 

As far as rkhunter is concerned it should be fine with them.
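
Added example, not part of the bug report and not rkhunter's own code: a shell check that lists the "Hidden file found" warnings in a report that no ALLOWHIDDENFILE line (as quoted in comment 7) covers. The function names, the sample files and the path /etc/.constructed-example are constructed for illustration; only exact paths are compared, wildcards are not expanded, and splitting several paths on one line is an assumption.

```shell
#!/bin/sh
# Print hidden-file warnings from an rkhunter report that no ALLOWHIDDENFILE
# entry in the given configuration covers (exact path match only).
# usage: unallowed_hidden <rkhunter.conf> <report>
unallowed_hidden() {
    conf=$1
    report=$2
    # Active entries only (commented-out lines do not match); one path per line.
    # Assumption: whitespace separates multiple paths given on a single line.
    allowed=$(sed -n 's/^[[:space:]]*ALLOWHIDDENFILE=//p' "$conf" |
        tr -s ' \t' '\n\n')
    # Warning format as quoted in the report: "Warning: Hidden file found: PATH: TYPE"
    sed -n 's/.*Warning: Hidden file found: \([^:]*\):.*/\1/p' "$report" |
    while IFS= read -r path; do
        printf '%s\n' "$allowed" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Constructed sample input: a config carrying the packaged allow-list line and
# a report with one covered and one uncovered (made-up) hidden file.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rkhunter.conf" <<'EOF'
#ALLOWHIDDENFILE=/etc/.constructed-example
ALLOWHIDDENFILE=/etc/.updated
EOF
    cat > "$dir/report.txt" <<'EOF'
Warning: Hidden file found: /etc/.updated: ASCII text
Warning: Hidden file found: /etc/.constructed-example: ASCII text
EOF
    unallowed_hidden "$dir/rkhunter.conf" "$dir/report.txt"
    rm -rf "$dir"
}

demo
```

Anything the function prints is a hidden file that still needs a decision: either an allow-list entry after review, or investigation.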