oh no - such stuff belongs to /var/lib

[root@localhost:~]$ cat /etc/.updated
This file was created by systemd-update-done. Its only purpose is to hold a timestamp of the time this directory was updated. See systemd-update-done.service(8).

hidden files below /etc result in rkhunter alerts

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Hidden file found: /etc/.updated: ASCII text
----------------------- End Rootkit Hunter Scan -----------------------
Well, there is also /var/.updated. As both files are part of the offline update scheme provided by systemd and now implemented by Gnome's Software app, I think it would be less work for everyone to just add an exception in rkhunter. At any rate, we will not change the behavior in RHEL, unless it is changed upstream. Any chance you will bring this discussion upstream?
I doubt that this is an unconditional systemd-upstream thing because I run Fedora 22/23/24 on several machines and the only system which ever came with these alerts was CentOS 7.2 CR
See bug 1291629
See comment 1 and 3.
then hand it over to the rkhunter maintainers - it's a joke that users need to configure such things
This was fixed in rkhunter over a year ago...

commit 0c33dc80a147606d268b6f3118ebe516691e43ef
Author: Mukundan Ragavan <nonamedotc>
Date:   Thu Dec 31 18:52:53 2015 -0500

    Allow /etc/.updated on EL7 - Fixes bug#1291629

Do you actually see this still? What exact version of rkhunter?
Yes, it is fixed - /etc/rkhunter.conf of rkhunter-1.4.2-7.el7.noarch has a line:

ALLOWHIDDENFILE=/etc/.updated
Maybe it was fixed in the meantime, I changed the local config on the day I reported the problem - so why do I get a WONTFIX a year later with an explanation of why those hidden folders got created while it's still not true that they needed to get introduced that way from the start
Feel free to take your concerns to upstream systemd about the files. As far as rkhunter is concerned it should be fine with them.
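
A way to check which "Hidden file found" warnings from a scan are not covered by ALLOWHIDDENFILE lines in rkhunter.conf, as an added example that is not part of the original thread or of rkhunter itself. The function names, the sample config and log, and the /etc/.example-constructed path are constructed for illustration, and only exact path matches are compared.

```shell
#!/bin/sh
# Added example: report rkhunter hidden-file warnings that the config
# does not whitelist. Exact path comparison only (an assumption of this sketch).

# Print every path named by ALLOWHIDDENFILE in the config file $1.
# The option may appear on several lines and may list several paths.
allowed_hidden_files() {
    sed -n 's/^[[:space:]]*ALLOWHIDDENFILE[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the PATH from each "Warning: Hidden file found: PATH: TYPE" line in $1.
# Paths containing a colon would be cut short by this pattern.
warned_hidden_files() {
    sed -n 's/^.*Warning: Hidden file found: \([^:]*\):.*$/\1/p' "$1"
}

# $1 = rkhunter.conf, $2 = scan log.
# Prints warned paths missing from the whitelist; returns 1 if any remain.
unexplained_hidden_files() {
    allow=$(allowed_hidden_files "$1")
    left=$(warned_hidden_files "$2" | sort -u | grep -Fxv -e "$allow" || true)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# Constructed sample input, not taken from a real system.
tmp=$(mktemp -d)
cat > "$tmp/rkhunter.conf" <<'EOF'
# constructed rkhunter.conf fragment
ALLOWHIDDENFILE=/etc/.updated
EOF
cat > "$tmp/scan.log" <<'EOF'
Warning: Hidden file found: /etc/.updated: ASCII text
Warning: Hidden file found: /etc/.example-constructed: ASCII text
EOF

# /etc/.updated is whitelisted, so only the second path is reported.
unexplained_hidden_files "$tmp/rkhunter.conf" "$tmp/scan.log" ||
    echo "hidden files above are not whitelisted: inspect before allowing"
```

Before adding a reported path to ALLOWHIDDENFILE, confirm what created it, as the first comment does with `cat /etc/.updated`.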