Bug 1913512
Summary: keyutils-libs-1.6.1-1.fc32.x86_64: Found file '/usr/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Harald Reindl <h.reindl> |
| Component | keyutils | Assignee | David Howells <dhowells> |
| Status | CLOSED DUPLICATE | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | unspecified | CC | bclary, bugzilla-fedora, dhowells, goodyca48, kevin, kim-rh, pizzadudedotca, redhat, ss |
| Version | 32 | Target Milestone | --- |
| Target Release | --- | Hardware | Unspecified |
| OS | Unspecified | Whiteboard | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-01-15 20:54:21 UTC | Type | Bug |
Description
Harald Reindl
2021-01-07 00:12:18 UTC
I hit this on Fedora 33 this week both on an existing workstation and on a fresh install onto a laptop. Seems like the same issue as https://bugs.archlinux.org/task/63369

My most recent update for this was

    2021-01-06T22:38:21-0800 INFO Downloading: http://mirror.atl.genesisadaptive.com/fedora/linux/updates/33/Everything/x86_64/Packages/k/keyutils-libs-1.6.1-1.fc33.x86_64.rpm

Same with me.

    # dnf downgrade keyutils-libs

followed by rebooting fixes it for now. The downgrade reverted me to 1.6-5.

It's due to the name of the libraries. Workaround for now: Create /etc/rkhunter.d/ with the following file inside (you can name the file whatever): nokeyutilsfp.conf with the contents:

    RTKT_FILE_WHITELIST=/lib/libkeyutils.so.1.9
    RTKT_FILE_WHITELIST=/lib64/libkeyutils.so.1.9
    RTKT_FILE_WHITELIST=/usr/lib/libkeyutils.so.1.9
    RTKT_FILE_WHITELIST=/usr/lib64/libkeyutils.so.1.9
    EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib/libkeyutils.so.1.9
    EXCLUDE_USER_FILEPROP_FILES_DIRS=/lib64/libkeyutils.so.1.9
    EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib/libkeyutils.so.1.9
    EXCLUDE_USER_FILEPROP_FILES_DIRS=/usr/lib64/libkeyutils.so.1.9

(In reply to Steve La Rocque from comment #2)
> Same with me.
>
> # dnf downgrade keyutils-libs
>
> followed by rebooting fixes it for now. The downgrade reverted me to 1.6-5.

Same here. I also downgraded to temporarily work around the issue. There are several posts (such as that archlinux bug report mentioned above) that recommend adding a whitelist line to /etc/rkhunter.conf.local (or equivalent), which I'll do if necessary, but I'd prefer a proper rkhunter fix instead, such as the Debian fix described in this bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951366.

I vote for the /etc/rkhunter.d "workaround" above for now. Regardless of what it is named, it should have 1) a pointer to this BR, 2) brief history (e.g. "used to be used by a key sniffer") and 3) the RTKT_FILE_WHITELIST and EXCLUDE_USER_FILEPROP_FILES_DIRS lines listed above.

Seems like a very rapid and clean fix to me. Much better than letting/making thousands of Fedora users waste time trying to figure it out on their own (like the people in this BR, including myself).

This should have been filed on rkhunter... :) Unless the libkeyutils maintainer(s) want to fix this by bumping the soname?

It's only libkeyutils.so.1.9 that's misdetected this way. If it's bumped to 2.0 it will save all the false positives for rkhunter users.

Anyhow, let's move discussion to the rkhunter bug.

*** This bug has been marked as a duplicate of bug 1914662 ***
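
A check one might run before applying the whitelist workaround discussed in the thread, as an added example that is not part of the bug report: it accepts the whitelist only when the flagged file is owned by an RPM package and `rpm -V` reports no size or digest change for it. The function names and the sample `rpm -V` line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a file that
# rkhunter flagged may be whitelisted, using RPM ownership and `rpm -V`.
# `rpm -V <pkg>` prints one line per file that differs from the package
# database, e.g. "S.5....T.    /path"; no line means the file matches.

# Print the rpm -V flag field for a path, or nothing if rpm listed no change.
# $1 = full `rpm -V <pkg>` output, $2 = path
verify_flags() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1; exit }'
}

# Succeed if the flags say the content differs from the package: file
# missing, size (S, column 1), or digest mismatch/unreadable (5 or ?, column 3).
content_changed() {
    case "$1" in
        missing|S*|??[5?]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = owning package (empty if unowned), $2 = rpm -V output, $3 = path
# Prints a verdict and succeeds only when whitelisting is justified.
whitelist_verdict() {
    if [ -z "$1" ]; then
        echo "REFUSE: $3 is not owned by any package"; return 1
    fi
    flags=$(verify_flags "$2" "$3")
    if content_changed "$flags"; then
        echo "REFUSE: $3 differs from package $1 ($flags)"; return 1
    fi
    echo "OK: $3 matches package $1"
}

if [ "$#" -ge 1 ]; then
    # Live use on an RPM system, e.g.: sh check.sh /usr/lib64/libkeyutils.so.1.9
    pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) || pkg=""
    out=$(rpm -V "$pkg" 2>/dev/null) || true
    whitelist_verdict "$pkg" "$out" "$1"
else
    # Offline demo on a constructed rpm -V line (size and digest differ).
    whitelist_verdict keyutils-libs \
        "S.5....T.    /usr/lib64/libkeyutils.so.1.9" \
        /usr/lib64/libkeyutils.so.1.9 || true
fi
```

A change in modification time alone (`.......T.`) is not treated as a content change, so only size, digest, or a missing file blocks the whitelist.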