Bug 2063310

Summary: rkhunter reports libkeyutils.so.1.9 as spam tool component
Product: [Fedora] Fedora EPEL
Reporter: Joshua Megerman <joshua.megerman>
Component: rkhunter
Assignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel8
CC: kevin, manuel.wolfshant, nonamedotc
Hardware: Unspecified
OS: Linux
Fixed In Version: rkhunter-1.4.6-7.el8
Doc Type: If docs needed, set a value
Last Closed: 2022-06-20 01:07:57 UTC
Type: Bug

Description Joshua Megerman 2022-03-11 18:35:53 UTC
Description of problem:
The version of rkhunter in EPEL 8 reports libkeyutils.so.1.9 as a spam tool component, even though it is now a legitimate library version (and that suspicious file has been removed as of commit 6c0675 - https://sourceforge.net/p/rkhunter/rkh_code/ci/6c0675385cafe64ba218b53202b031f616046fe6/).  When running processes that use that library inside of a container, it is impossible to whitelist the file and the only way to avoid reporting the potential problem nightly is to disable the running_procs test.

Version-Release number of selected component (if applicable):
1.4.6-6.el8

How reproducible:
100% of the time when running the rkhunter cron.daily job

Steps to Reproduce:
1. Install docker-ce and minikube
2. Install AWX via the AWX operator (https://github.com/ansible/awx-operator)
3. Install rkhunter
4. Run /etc/cron.daily/rkhunter

Actual results:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The following processes are using suspicious files:
         Command: awx-manage
           UID: 1000    PID: 104251
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 635471    PID: 104251
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 635659    PID: 104251
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 636022    PID: 104251
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 686921    PID: 104251
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104329
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104330
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104386
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104387
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104388
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104389
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 104497
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 635470
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 635475    PID: 635470
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 635658
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 635662    PID: 635658
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 636019
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 636025    PID: 636019
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 1000    PID: 686917
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 686973    PID: 686917
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: daphne
           UID: 1000    PID: 104253
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: daphne
           UID: 105730    PID: 104253
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 100926
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101014
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101015
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101016
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101017
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101018
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 101019
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 104340
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 104506
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 109957
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 686923
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 686930
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 706227
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 726887
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 726905
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: uwsgi
           UID: 1000    PID: 104258
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: uwsgi
           UID: 1000    PID: 104259
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: uwsgi
           UID: 1000    PID: 104260
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: uwsgi
           UID: 1000    PID: 104262
           Pathname: 
           Possible Rootkit: Spam tool component
         Command: uwsgi
           UID: 1000    PID: 460693
           Pathname: 
           Possible Rootkit: Spam tool component

----------------------- End Rootkit Hunter Scan -----------------------


Expected results:
No detections.

Additional info:
This issue was tracked by rkhunter as bug #170 (https://sourceforge.net/p/rkhunter/bugs/170/) and is fixed in the development branch of rkhunter, but has not made it into a release yet. However, I suspect that it will become a bigger deal the longer time goes on.
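
A triage helper for the warning block above, added here as an example and not part of the bug report or of rkhunter itself: it parses the running_procs warning into one record per flagged process and separates entries that carry a real pathname (which a path-based whitelist such as rkhunter's RTKT_FILE_WHITELIST could match) from the empty and inode-only pathnames the reporter describes, which no path whitelist can match. The sample input is constructed from the report's output; the /usr/lib64 path in the third entry is an assumed value, since the report shows none.

```python
import re
from collections import Counter

# Constructed sample modelled on the "Actual results" of this report; the third
# entry's pathname is an assumed value to show a whitelistable hit.
SAMPLE = """\
Warning: The following processes are using suspicious files:
         Command: awx-manage
           UID: 1000    PID: 104251
           Pathname:
           Possible Rootkit: Spam tool component
         Command: awx-manage
           UID: 635471    PID: 104251
           Pathname: 3944947
           Possible Rootkit: Spam tool component
         Command: postgres
           UID: 999    PID: 100926
           Pathname: /usr/lib64/libkeyutils.so.1.9
           Possible Rootkit: Spam tool component
"""

# One rkhunter record: four indented lines, Command / UID+PID / Pathname / Possible Rootkit.
RECORD_RE = re.compile(
    r"Command:[ \t]*(?P<command>[^\n]*?)[ \t]*\n"
    r"\s*UID:[ \t]*(?P<uid>\d+)[ \t]+PID:[ \t]*(?P<pid>\d+)[ \t]*\n"
    r"\s*Pathname:[ \t]*(?P<pathname>[^\n]*?)[ \t]*\n"
    r"\s*Possible Rootkit:[ \t]*(?P<rootkit>[^\n]*?)[ \t]*(?:\n|$)"
)

def parse_warnings(text):
    """Return one dict per flagged process in a running_procs warning block."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def classify_pathname(pathname):
    """Empty and bare-inode pathnames come from mappings rkhunter could not resolve
    to a path on the host (typical for processes in another mount namespace)."""
    if pathname == "":
        return "no-path"
    if pathname.isdigit():
        return "inode-only"
    return "path"

def triage(text):
    """Summarise a warning block: record count, pathname classes, distinct host
    PIDs, and the pathnames a path-based whitelist entry could actually match."""
    recs = parse_warnings(text)
    classes = Counter(classify_pathname(r["pathname"]) for r in recs)
    pids = {r["pid"] for r in recs}  # repeated hits on one PID are one process
    whitelistable = sorted({r["pathname"] for r in recs
                            if classify_pathname(r["pathname"]) == "path"})
    return {"records": len(recs), "classes": dict(classes),
            "pids": len(pids), "whitelistable": whitelistable}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a real /var/log/rkhunter/rkhunter.log, a result with many records but an empty "whitelistable" list is exactly the situation the reporter describes: nothing to whitelist, only the test itself to disable or the signature to drop.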

Comment 1 Kevin Fenzi 2022-03-15 03:27:17 UTC
Yeah, we fixed this in 1914662 in fedora, just need to push that into epel8 too.

Comment 2 Joshua Megerman 2022-04-20 14:32:33 UTC
Any timeframe for this to get pushed to epel8?

Comment 3 Kevin Fenzi 2022-04-25 20:07:45 UTC
Sorry, been busy. I'll try and get it soon... PRs welcome. :)

Comment 4 Kevin Fenzi 2022-06-11 17:12:41 UTC
Sorry for the long delay here.

Look for an update here in a few...

Comment 5 Fedora Update System 2022-06-11 17:24:10 UTC
FEDORA-EPEL-2022-85206be988 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-85206be988

Comment 6 Fedora Update System 2022-06-12 02:07:24 UTC
FEDORA-EPEL-2022-85206be988 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-85206be988

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-06-20 01:07:57 UTC
FEDORA-EPEL-2022-85206be988 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.