Red Hat Bugzilla – Bug 1275068
Rkhunter displays warnings which show either a serious attack or false positives
Last modified: 2015-10-26 10:43:50 EDT
Rkhunter scan results display serious warnings which may or may not be false positives
Version = 1.4.2-6
How reproducible: Not sure
Steps to Reproduce:
2. Run a rkhunter scan as root: rkhunter --check
3. Observe the scan results
4. Open with gedit [as root] /var/log/rkhunter/rkhunter.log
5. Look at the warnings
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Either the files have been modified, by updates or an attack, or rkhunter should not display false positives.
Should you need to review the code of the scripts I can upload it here.
You need to run 'rkhunter --propupd' to tell rkhunter that all is as expected before you try and run checks.
There was some talk about tweaking rkhunter to provide clean results on a fresh install, but I think this is a bad way to use the tool. You should always use --propupd to tell rkhunter when you have a clean baseline.
So, unless I am misunderstanding things, this is not really a bug...
Fair enough, but I as an average user was not familiar with this command.
And in that case rkhunter must come pre-installed in Fedora or be installed right away after installing the system.
Well, I think it would take a good deal of upstream work to make rkhunter an integrated end user tool. It's not really aimed that way right now. The man page explains more about --propupd (which you will have to use after every set of updates or if you change config files anyhow).
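The two maintainer comments above describe the baseline workflow: rkhunter keeps a property database for system commands, `--check` compares the live files against it, and `--propupd` rewrites it once the administrator has confirmed a change (such as a package update) is legitimate. The script below is an added example, not rkhunter's own code, that models that cycle on a constructed file in a temporary directory: a stand-in "binary" (only the ELF magic bytes are used) is baselined, then replaced by a wrapper script the way a grep update replaced fgrep, which triggers the "replaced by a script" warning; refreshing the baseline clears it. The property set (SHA-256, size, mode, coarse file kind) and the message wording are this example's own simplification, not rkhunter's exact database format.

```python
"""Toy model of rkhunter's file-properties check (added example, not rkhunter code)."""
import hashlib
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def file_kind(path: Path) -> str:
    """Coarse classification by magic bytes: compiled ELF binary, shebang script, or other."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "ELF"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def properties(path: Path) -> dict:
    """Collect the properties this toy baseline stores for one file."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "kind": file_kind(path)}


def propupd(paths) -> dict:
    """Build (or rebuild) the baseline: the role of `rkhunter --propupd`."""
    return {str(p): properties(Path(p)) for p in paths}


def check(baseline: dict) -> list:
    """Compare live files against the baseline: the role of `rkhunter --check`."""
    warnings = []
    for name, old in baseline.items():
        p = Path(name)
        if not p.exists():
            warnings.append(f"Warning: The file '{name}' no longer exists")
            continue
        new = properties(p)
        if old["kind"] == "ELF" and new["kind"] == "script":
            # The case from this bug report: a compiled command now resolves to a shell script.
            warnings.append(f"Warning: The command '{name}' has been replaced by a script")
        elif new != old:
            changed = ", ".join(k for k in old if old[k] != new[k])
            warnings.append(f"Warning: The file properties have changed: '{name}' ({changed})")
    return warnings


def demo() -> tuple:
    """Run the baseline -> update -> check -> propupd cycle on a constructed file.

    Returns (warnings before update, after update, after propupd, update messages).
    """
    with tempfile.TemporaryDirectory() as tmp:
        fgrep = Path(tmp) / "fgrep"
        # Constructed stand-in for a compiled binary: only the ELF magic matters here.
        fgrep.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
        fgrep.chmod(0o755)
        baseline = propupd([fgrep])
        clean = check(baseline)                 # nothing has changed yet
        # A package update replaces the binary with a wrapper script (as grep did for fgrep).
        fgrep.write_text('#!/bin/sh\nexec grep -F "$@"\n')
        fgrep.chmod(0o755)
        after_update = check(baseline)          # the replacement is flagged
        baseline = propupd([fgrep])             # admin verifies the update, refreshes baseline
        after_propupd = check(baseline)         # clean again until the next change
        return len(clean), len(after_update), len(after_propupd), after_update


if __name__ == "__main__":
    n0, n1, n2, msgs = demo()
    for m in msgs:
        print(m)
    print(f"warnings: before update={n0}, after update={n1}, after propupd={n2}")
```

The point the model makes explicit is that the warning is not evidence of compromise by itself: the same change in properties is produced by a legitimate package update and by a malicious replacement, and only a baseline refreshed right after a known-good update lets the next check distinguish the two.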