Bug 994567

Summary: FreeIPA v3, rkhunter & "unknown rootkit"
Product: Fedora
Reporter: Anthony Messina <amessina>
Component: rkhunter
Assignee: Kevin Fenzi <kevin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: kevin, nonamedotc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rkhunter-1.4.2-2.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-04-09 00:55:29 UTC

Description Anthony Messina 2013-08-07 13:58:23 UTC
This bug is identical to Bug 849251, but the file names have changed.  In newer versions of FreeIPA (v3.x), the path has changed to "/var/log/pki/pki-tomcat/ca/system"

The following would be the whitelist fix for the default rkhunter file:

EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system

Comment 1 Kevin Fenzi 2013-08-07 15:47:46 UTC
ok, and to be clear this affects fedora 19 and higher only?

Comment 2 Anthony Messina 2013-08-07 15:53:09 UTC
I can't be certain of the restriction to F19.  I think it affects versions of FreeIPA of 3.x (so F18, too), but I don't have an example.  I believe it might be a factor of the change to Dogtag 10.

I can also say that there needs to be something like the following as well:
# created by FreeIPA/389 DS
ALLOWDEVFILE=/dev/shm/sem.slapd-WHATEVER-COM.stats

As this file is created by 389-ds-base -- this need for ALLOWDEVFILE occurs in F17-F19.

Comment 3 Kevin Fenzi 2013-09-01 18:56:46 UTC
Sorry for the long delay here. 

Is this "WHATEVER-COM" a variable, or is it really literally "WHATEVER-COM"?

Comment 4 Anthony Messina 2013-09-01 19:17:30 UTC
(In reply to Kevin Fenzi from comment #3)
> Sorry for the long delay here. 
> 
> Is this "WHATEVER-COM" a variable, or is it really literally "WHATEVER-COM"?

No problem...

It is not literally "WHATEVER-COM".  It is the Kerberos domain of the FreeIPA instance with dots translated to dashes.  So it could be

ALLOWDEVFILE=/dev/shm/sem.slapd-SUBSUBSUBDOMAIN-SUBSUBDOMAIN-SUBDOMAIN-SLD-TLD.stats

Comment 5 Kevin Fenzi 2013-09-01 19:20:08 UTC
ok, so: 

ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 

?

Comment 6 Anthony Messina 2013-09-01 19:26:40 UTC
(In reply to Kevin Fenzi from comment #5)
> ok, so: 
> 
> ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 
> 
> ?

I believe so. Also, this is the case for all 389 DS instances, not just FreeIPA, if that's of any importance to you.  Basically, the '*' portion is named after the instance name in /etc/dirsrv.

Comment 7 Anthony Messina 2014-03-18 14:44:27 UTC
The following works for F20, on systems with both FreeIPA (including 389 DS) as well as systems with standalone 389 DS:

# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# FreeIPA Certificate Authority
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
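
An added example, not code from this bug report or from the rkhunter project, that works through the whitelist settled on above: it parses the three entries, derives the 389 DS semaphore name from an instance name the way comment 4 describes (dots become dashes), and sorts a constructed list of findings into whitelisted versus still-to-review. It assumes that only ALLOWDEVFILE is matched with shell wildcards while the other two keys are exact paths, and the sample findings are constructed, not real rkhunter output.

```python
import fnmatch

# The entries from comment 7, embedded here as the config under test.
RKHUNTER_LOCAL = """
# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# FreeIPA Certificate Authority
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
"""

# Assumption: ALLOWDEVFILE takes shell wildcards; the other two are exact.
GLOB_KEYS = {"ALLOWDEVFILE"}
EXACT_KEYS = {"EXISTWHITELIST", "RTKT_FILE_WHITELIST"}


def parse_whitelist(text):
    """Return {option: [values]} from rkhunter-style KEY=VALUE lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.setdefault(key.strip(), []).append(value.strip())
    return entries


def dirsrv_semfile(instance):
    """Expected stats semaphore for the 389 DS instance /etc/dirsrv/slapd-<instance>.
    For FreeIPA the instance is the Kerberos realm with dots turned into dashes."""
    return "/dev/shm/sem.slapd-%s.stats" % instance.replace(".", "-")


def is_whitelisted(key, path, entries):
    """True if an entry under `key` explains `path` (glob or exact, per key)."""
    for pattern in entries.get(key, []):
        if key in GLOB_KEYS and fnmatch.fnmatchcase(path, pattern):
            return True
        if key in EXACT_KEYS and path == pattern:
            return True
    return False


def triage(findings, entries):
    """Split (check, path) findings into explained paths and ones to review."""
    ok, review = [], []
    for key, path in findings:
        (ok if is_whitelisted(key, path, entries) else review).append(path)
    return ok, review


# Constructed sample findings (not real rkhunter output).
SAMPLE = [
    ("ALLOWDEVFILE", dirsrv_semfile("EXAMPLE.COM")),
    ("ALLOWDEVFILE", "/dev/shm/unexpected.bin"),
    ("EXISTWHITELIST", "/var/log/pki/pki-tomcat/ca/system"),
    ("RTKT_FILE_WHITELIST", "/var/log/pki/pki-tomcat/ca/other"),
]
```

Anything left in the `review` list is a path the whitelist does not account for and should be looked at rather than added blindly.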

Comment 8 Fedora Update System 2014-04-06 18:03:09 UTC
rkhunter-1.4.2-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-2.fc20

Comment 9 Fedora Update System 2014-04-09 00:55:29 UTC
rkhunter-1.4.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.