Bug 831989

Summary: F17: false positives
Product: Fedora
Component: rkhunter
Reporter: Harald Reindl <h.reindl>
Assignee: Kevin Fenzi <kevin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: kevin
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 17
Hardware: x86_64
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2012-12-20 15:27:41 UTC

Description Harald Reindl 2012-06-14 08:55:14 UTC

Comment 1 Kevin Fenzi 2012-06-14 14:35:34 UTC
? Can you describe what false positives you think you are seeing?

Comment 2 Harald Reindl 2012-06-14 14:44:15 UTC
uhm - I am pretty sure that I have filled out this
however, once again

/usr/share/man/man5/.k5identity.5.gz   is part of krb5-libs on F17 but not F16

seems like this is caused by UsrMove
it is intentionally /usr/bin/ad

4:netatalk-2.2.2-1.fc17.x86_64 : Daemon which provides POSIX-compliant *NIX/*BSD systems with the ability to
                               : share files and printers with Apple Macintosh
Repo        : @fedora
Übereinstimmung von:
Dateiname     : /bin/ad


-------- Original Message --------
Subject: rkhunter Daily Run on testserver
Date: Thu, 14 Jun 2012 03:49:14 +0200
From: root
To: rhsoft

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: 'Spanish' Rootkit                        [ Warning ]
         File '/bin/ad' found
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression

----------------------- End Rootkit Hunter Scan -----------------------

Comment 3 Kevin Fenzi 2012-06-14 15:28:44 UTC
For the first item, I can confirm it here. I will talk with the upstream developers. 

For the second item, the /etc/rkhunter.conf as shipped should have: 

ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz

Can you check for that in /etc/rkhunter.conf or see if you have a /etc/rkhunter.conf.rpmnew ?

Thanks for the report.

Comment 4 Harald Reindl 2012-06-14 15:38:37 UTC
Indeed there was a "/etc/rkhunter.conf.rpmnew".
Seems on my test VM I did not revert the changes in a clean way
and only created /etc/rkhunter.conf.local, which leads to the
config not being updated.

I did now the following steps, which should fix this:

rm -f /etc/rkhunter.conf.rpmnew
rm -f /etc/rkhunter.conf
yum reinstall rkhunter

For the netatalk false positive I wait for an update....

Comment 5 Harald Reindl 2012-08-14 08:17:10 UTC
Is there any progress?

The daily mails because of netatalk are boring.

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: 'Spanish' Rootkit                        [ Warning ]
         File '/bin/ad' found

----------------------- End Rootkit Hunter Scan -----------------------

Comment 6 Kevin Fenzi 2012-08-14 18:05:23 UTC
Can you try adding: 

RTKT_FILE_WHITELIST=/bin/ad

and see if that helps?
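An added example, not code from this bug or from the rkhunter package, that triages the two warnings and the two config directives discussed in comments 3, 4 and 6: it parses a scan report, maps each warning to the rkhunter.conf directive that would whitelist it, reports what the live config does not cover, and lists what a stale config lacks relative to its .rpmnew. The sample report and config fragments are constructed from the text above; the regexes and the assumption that both directives may be repeated or hold a space-separated list are mine.

```python
import re

# Constructed sample of the rkhunter scan output quoted in this bug.
SCAN_OUTPUT = """\
Warning: 'Spanish' Rootkit                        [ Warning ]
         File '/bin/ad' found
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
"""
# Constructed config fragments: a stale /etc/rkhunter.conf and the packaged .rpmnew beside it.
CONF_TEXT = "ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz\n"
RPMNEW_TEXT = CONF_TEXT + "RTKT_FILE_WHITELIST=/bin/ad\n"

RULES = [  # (regex capturing the warned path, rkhunter.conf directive that whitelists it)
    (re.compile(r"^Warning: Hidden file found: (\S+?):"), "ALLOWHIDDENFILE"),
    (re.compile(r"^\s+File '([^']+)' found"), "RTKT_FILE_WHITELIST"),
]

def parse_warnings(text):
    """Return (directive, path) for every whitelistable warning in a scan report."""
    found = []
    for line in text.splitlines():
        for regex, directive in RULES:
            m = regex.match(line)
            if m:
                found.append((directive, m.group(1)))
    return found

def parse_conf(text):
    """Whitelisted paths per directive; assumes a directive may repeat and may hold a space-separated list."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        allowed.setdefault(key.strip(), set()).update(value.strip().strip('"').split())
    return allowed

def uncovered(scan_text, conf_text):
    """Warnings whose path is not whitelisted under the matching directive."""
    allowed = parse_conf(conf_text)
    return [(d, p) for d, p in parse_warnings(scan_text) if p not in allowed.get(d, set())]

def missing_from_conf(conf_text, rpmnew_text):
    """Entries the packaged .rpmnew carries that the live config lacks (the comment 4 situation)."""
    live, new = parse_conf(conf_text), parse_conf(rpmnew_text)
    return sorted((d, p) for d, paths in new.items() for p in paths - live.get(d, set()))
```

Whitelist only paths a package owns (the reporter checked /bin/ad against netatalk with yum); a file matching a rootkit signature that no package owns needs investigation, not a config line.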

Comment 7 Harald Reindl 2012-08-14 20:52:55 UTC
Thank you!
This does the trick.

Comment 8 Kevin Fenzi 2012-08-15 19:59:07 UTC
ok. I pushed a fix to the config to rawhide. 

Will wait a while and see if we pick up a few more fixes before pushing to stable releases. 

Thanks.

Comment 9 Fedora Update System 2012-10-06 20:22:41 UTC
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18

Comment 10 Fedora Update System 2012-10-06 20:55:21 UTC
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17

Comment 11 Fedora Update System 2012-10-07 03:46:12 UTC
Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2012-12-20 15:27:44 UTC
rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.