Bug 1275068 - Rkhunter displays warnings which show either a serious attack or false positives
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 22
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-25 10:55 EDT by Ervin
Modified: 2015-10-26 10:43 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-26 10:20:53 EDT
Type: Bug
Attachments: None
Description Ervin 2015-10-25 10:55:09 EDT
Rkhunter scan results display serious warnings which may or may not be false positives


Version = 1.4.2-6


How reproducible: Not sure


Steps to Reproduce:
1. Install rkhunter
2. Run an rkhunter scan as root: rkhunter --check
3. Observe the scan results
4. Open with gedit [as root] /var/log/rkhunter/rkhunter.log
5. Look at the warnings

Actual results:
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable

Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable

Expected results:
Either the files have been modified by updates or an attack, or rkhunter should not display false positives.
Comment 1 Ervin 2015-10-25 16:32:58 EDT
Should you need to review the code of the scripts I can upload it here.
Comment 2 Kevin Fenzi 2015-10-26 10:20:53 EDT
You need to run 'rkhunter --propupd' to tell rkhunter that all is as expected before you try and run checks. 

There was some talk about tweaking rkhunter to provide clean results on a fresh install, but I think this is a bad way to use the tool. You should always use --propupd to tell rkhunter when you have a clean baseline. 

So, unless I am misunderstanding things, this is not really a bug...
Comment 3 Ervin 2015-10-26 10:35:20 EDT
Fair enough, but I as an average user was not familiar with this command. 
And in that case rkhunter must come pre-installed in Fedora or be installed right away after installing the system.
Comment 4 Kevin Fenzi 2015-10-26 10:43:50 EDT
Well, I think it would take a good deal of upstream work to make rkhunter an integrated end user tool. It's not really aimed that way right now. The man page explains more about --propupd (which you will have to use after every set of updates or if you change config files anyhow)
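As an added illustration of the baseline-then-check sequence described in Comments 2 and 4 (example code, not rkhunter's own and not from the reporter or maintainer): a small POSIX sh stand-in for the file-properties test that records a baseline (`propupd`), reports a command that has since been replaced by a script (`check`), and is clean again once the baseline is refreshed after a legitimate update. The `propupd`/`check` helper names, the directory layout and the baseline file format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a minimal stand-in for its
# file-properties test. propupd records each command's kind (binary or
# script) plus checksum; check compares the live files with that baseline.
# Helper names, paths and the baseline format are assumptions of this example.

# Classify a file the way the warning does: "script" if it starts with "#!".
file_kind() {
    if [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]; then
        echo script
    else
        echo binary
    fi
}

# Record the baseline (the role 'rkhunter --propupd' plays for the real tool):
# one line per file in $1, written to $2 as "name kind crc size".
propupd() {
    dir=$1; dat=$2
    : > "$dat"
    for f in "$dir"/*; do
        printf '%s %s %s\n' "$(basename "$f")" "$(file_kind "$f")" \
            "$(cksum < "$f" | cut -d' ' -f1,2)" >> "$dat"
    done
}

# Compare live files in $1 against the baseline $2. Prints one warning per
# change and returns 1 if anything differs, 0 if the system matches.
check() {
    dir=$1; dat=$2; warnings=0
    while read -r name kind sum; do
        f=$dir/$name
        if [ "$kind" = binary ] && [ "$(file_kind "$f")" = script ]; then
            echo "Warning: The command '$f' has been replaced by a script"
            warnings=$((warnings + 1))
        elif [ "$(cksum < "$f" | cut -d' ' -f1,2)" != "$sum" ]; then
            echo "Warning: The file properties have changed: $f"
            warnings=$((warnings + 1))
        fi
    done < "$dat"
    [ "$warnings" -eq 0 ]
}
```

Running `propupd` once on a known-clean system and again after each package update is the workflow the maintainer describes; a `check` run against a stale baseline reports the update itself, not an intrusion.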
