Rkhunter scan results display serious warnings which may or may not be false positives

Version = 1.4.2-6

How reproducible: Not sure

Steps to Reproduce:
1. Install rkhunter
2. Run an rkhunter scan as root: rkhunter --check
3. Observe the scan results
4. Open /var/log/rkhunter/rkhunter.log with gedit (as root)
5. Look at the warnings

Actual results:
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable

Expected results: Either the files have been modified (by updates or by an attack), or rkhunter should not display false positives.
Should you need to review the code of the scripts I can upload it here.
You need to run 'rkhunter --propupd' to tell rkhunter that all is as expected before you try and run checks. There was some talk about tweaking rkhunter to provide clean results on a fresh install, but I think this is a bad way to use the tool. You should always use --propupd to tell rkhunter when you have a clean baseline. So, unless I am misunderstanding things, this is not really a bug...
Fair enough, but I, as an average user, was not familiar with this command. And in that case rkhunter must come pre-installed in Fedora or be installed right away after installing the system.
Well, I think it would take a good deal of upstream work to make rkhunter an integrated end user tool. It's not really aimed that way right now. The man page explains more about --propupd (which you will have to use after every set of updates or if you change config files anyhow).
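The thread's point is that "replaced by a script" warnings are only meaningful relative to a baseline, and that the baseline has to be refreshed with --propupd after each update. The script below is an added example, not code from this bug report or from the rkhunter project: it pulls the flagged paths out of rkhunter.log and, before accepting them into a new baseline, checks whether the file on disk is exactly what its owning package shipped. The rpm-based verification is an assumed Fedora workflow that the thread itself does not prescribe, and the log lines it parses are a constructed sample modelled on the warnings quoted in the report.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or from the rkhunter project:
# triage rkhunter's "replaced by a script" warnings before refreshing the
# file-properties baseline with --propupd. The package-ownership check via
# rpm is an assumed Fedora workflow, not something the thread prescribes.
set -u

# Constructed sample of rkhunter.log lines, modelled on the warnings quoted
# in the report. A real run reads /var/log/rkhunter/rkhunter.log instead.
sample_log() {
    cat <<'EOF'
[12:00:01] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[12:00:01] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[12:00:02] Info: Checking for passwd file changes
EOF
}

# Read rkhunter log lines on stdin and print the path of every command that
# rkhunter reported as replaced by a script, one per line.
replaced_commands() {
    sed -n "s/.*Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p"
}

# Classify one flagged path. Returns 0 when the installed file matches what
# the owning RPM shipped (a normal package update), 1 when rpm cannot vouch
# for it, 2 when rpm is not available on this host.
triage_path() {
    path="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available, verify against your package manager by hand"
        return 2
    fi
    owner=$(rpm -qf "$path" 2>/dev/null) || {
        echo "$path: not owned by any package, treat as suspicious"
        return 1
    }
    # rpm -Vf prints one line per file whose attributes differ from the
    # package database (the "5" column is a digest mismatch); no line for
    # this path means the file on disk is exactly what the package installed.
    if rpm -Vf "$path" 2>/dev/null | grep -q " $path\$"; then
        echo "$path: differs from package $owner, investigate before --propupd"
        return 1
    fi
    echo "$path: matches package $owner, safe to accept into the baseline"
    return 0
}

# Refresh the baseline only when every flagged path was vouched for by rpm,
# then re-run the check non-interactively, reporting warnings only.
refresh_baseline_if_clean() {
    logfile="${1:-/var/log/rkhunter/rkhunter.log}"
    bad=0
    for p in $(replaced_commands <"$logfile"); do
        triage_path "$p" || bad=1
    done
    if [ "$bad" -ne 0 ]; then
        echo "baseline not refreshed: at least one path could not be verified"
        return 1
    fi
    rkhunter --propupd && rkhunter --check --sk --rwo
}

# Stand-alone demonstration on the constructed sample: prints the two
# flagged paths.
sample_log | replaced_commands
```

After a system update on a real host, run `refresh_baseline_if_clean` as root; it refuses to run --propupd if any flagged file is unowned or differs from its package, which is exactly the case where a warning might be the attack the reporter was worried about rather than a stale baseline.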