Bug 1411130
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | suspicious warnings on fresh installed system | | |
| Product: | [Fedora] Fedora | Reporter: | redhat |
| Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 25 | CC: | kevin, nonamedotc |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rkhunter-1.4.2-12.fc25 rkhunter-1.4.2-8.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-05 20:20:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
redhat
2017-01-08 15:48:37 UTC
Comment 1

Did you run 'rkhunter --propupd'? You need to do that every time you make changes and are telling rkhunter that those changes are ok.

I have no idea what that /usr/bin/.tv7 file is from. No Fedora packages seem to provide it. Perhaps check the contents and timestamp?

Comment 2

> Did you run 'rkhunter --propupd'? You need to do that every time you make
> changes and are telling rkhunter that those changes are ok.

The package rkhunter has been installed after the package grep. So I did not change the system, therefore did not run 'rkhunter --propupd'. And why doesn't it complain about all the other packages that have been installed before? Excuse me, but I do not understand why I should run 'rkhunter --propupd'. Doesn't it have the FC packages in its database?

> I have no idea what that /usr/bin/.tv7 file is from. No Fedora packages seem
> to provide it. Perhaps check the contents and timestamp?

A quick search with google showed https://www.synology.com/en-global/knowledgebase/DSM/tutorial/General/Why_does_Security_Advisor_inform_me_of_modified_system_files which mentions this file. Looks like the TwonkyMediaServer created this file, which is really odd, because it is not executable. I've just removed it.

Comment 3

(In reply to redhat from comment #2)
> > Did you run 'rkhunter --propupd'? You need to do that every time you make
> > changes and are telling rkhunter that those changes are ok.
>
> The package rkhunter has been installed after the package grep. So I did not
> change the system, therefore did not run 'rkhunter --propupd'. And why
> doesn't it complain about all the other packages that have been installed
> before? Excuse me, but I do not understand why I should run 'rkhunter
> --propupd'. Doesn't it have the FC packages in its database?

You did change the system. You installed. This is simply the way the tool works. See: http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ

"3.7) I have just installed Rootkit Hunter, and I am already getting warning messages. Why is that?
A. The first run of rkhunter after an installation will usually give some warning messages. One of the checks is whether the file of file properties (called 'rkhunter.dat') exists. This file won't exist until rkhunter is run with the '--propupd' option."

If you run 'rkhunter --propupd' and then 'rkhunter -c -sk' does it show any problems?

Comment 4

Well, I did as suggested and the warnings disappeared. Fine. But a new one popped up:

[14:19:51] Info: Starting test name 'filesystem'
[14:19:51] Performing filesystem checks
[14:19:51] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:19:53] Info: Found file '/dev/shm/squid-cf__readers.shm': it is whitelisted.
[14:19:53] Info: Found file '/dev/shm/squid-cf__queues.shm': it is whitelisted.
[14:19:53] Info: Found file '/dev/shm/squid-cf__metadata.shm': it is whitelisted.
[14:19:57] Checking /dev for suspicious file types [ Warning ]
[14:19:57] Warning: Suspicious file types found in /dev:
[14:19:57] /dev/shm/squid-ssl_session_cache.shm: data

'--propupd' did not whitelist '/dev/shm/squid-ssl_session_cache.shm'. Is this an error of rkhunter or the squid?

Comment 5

(In reply to redhat from comment #4)
> [14:19:57] Checking /dev for suspicious file types [ Warning ]
> [14:19:57] Warning: Suspicious file types found in /dev:
> [14:19:57] /dev/shm/squid-ssl_session_cache.shm: data
>
> '--propupd' did not whitelist '/dev/shm/squid-ssl_session_cache.shm'. Is
> this an error of rkhunter or the squid?

yeah ... that's because this file is not present in the rkhunter.conf file. You will have to add this file to the configuration file and run --propupd again I think. Of course, you would want to run --propupd on a "known safe" system.

Alternatively, we would have to add this to the rkhunter.conf file .. what package does this file belong to? Thanks.

Comment 6

The file is not directly part of a package, but is created when Squid is operated with the option SSL Bump. Therefore I find it important to add this file to the white list of rkhunter.

# rpm -qal|grep squid-ssl_session_cache.shm
<empty>
# rpm -q squid
squid-4.0.17-1.fc25.x86_64

Comment 7

(In reply to redhat from comment #6)
> The file is not directly part of a package, but is created when Squid is
> operated with the option SSL Bump. Therefore I find it important to add this
> file to the white list of rkhunter.
>
> # rpm -qal|grep squid-ssl_session_cache.shm
> <empty>
> # rpm -q squid
> squid-4.0.17-1.fc25.x86_64

that explains why I was unable to find the file. I am testing another update for rkhunter (in another bug). I will add this as well and do a scratch build and post here.

Comment 8

rkhunter-1.4.2-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-a9679aec00

Comment 9

rkhunter-1.4.2-12.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-600553ca54

Comment 10

rkhunter-1.4.2-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-a9679aec00

Comment 11

rkhunter-1.4.2-12.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-600553ca54

Comment 12

rkhunter-1.4.2-12.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13

rkhunter-1.4.2-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
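The thread turns on one question: which files under /dev does a given rkhunter.conf whitelist, and which would still be reported after `--propupd`? The following is an added example, not code from the bug report or from the Fedora rkhunter package. It parses the "Suspicious file types found in /dev" block in the format quoted in comment 4 and checks each flagged path against `ALLOWDEVFILE` entries (the rkhunter.conf directive for whitelisting files in /dev); the sample log and configuration fragments are constructed, and glob matching via `fnmatch` is an assumption about how rkhunter interprets its wildcards.

```python
"""Triage rkhunter /dev warnings against ALLOWDEVFILE whitelist entries."""
import fnmatch
import re

# Constructed sample: the warning block quoted in comment 4, plus one
# invented extra entry (/dev/shm/other-app.shm) to exercise the check.
SAMPLE_LOG = """\
[14:19:57] Checking /dev for suspicious file types [ Warning ]
[14:19:57] Warning: Suspicious file types found in /dev:
[14:19:57] /dev/shm/squid-ssl_session_cache.shm: data
[14:19:57] /dev/shm/other-app.shm: data
[14:19:58] Info: next test starts here
"""

# Constructed rkhunter.conf fragments: an exact-path entry, a wildcard entry
# covering every squid shm file, and a commented-out entry that must be ignored.
CONF_EXACT = "ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm\n"
CONF_WILDCARD = "#ALLOWDEVFILE=/dev/shm/other-app.shm\nALLOWDEVFILE=/dev/shm/squid-*.shm\n"

# "[HH:MM:SS] <path under /dev>: <file type reported by rkhunter>"
WARN_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(/dev/\S+): (\S.*)$")


def flagged_dev_files(log_text):
    """Return [(path, filetype)] listed under a 'Suspicious file types' warning."""
    found, in_block = [], False
    for line in log_text.splitlines():
        if "Warning: Suspicious file types found in /dev" in line:
            in_block = True
            continue
        m = WARN_RE.match(line) if in_block else None
        if m:
            found.append((m.group(1), m.group(2)))
        else:
            in_block = False  # the block ends at the first non-path line
    return found


def allowdevfile_globs(conf_text):
    """Collect active ALLOWDEVFILE values; '#'-commented lines are skipped."""
    return [line.split("=", 1)[1].strip() for line in conf_text.splitlines()
            if line.startswith("ALLOWDEVFILE=")]


def unwhitelisted(log_text, conf_text):
    """Flagged /dev paths that no ALLOWDEVFILE entry in conf_text covers."""
    globs = allowdevfile_globs(conf_text)
    return [p for p, _ in flagged_dev_files(log_text)
            if not any(fnmatch.fnmatchcase(p, g) for g in globs)]
```

Running `unwhitelisted` over a real `rkhunter.log` and the live `rkhunter.conf` before re-running `--propupd` shows which warnings a configuration change will actually silence, which is the decision comment 5 asks the reporter to make on a known-safe system.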