Bug 1288450 - /etc/.updated and rkhunter
Product: Fedora EPEL
Classification: Fedora
Component: rkhunter
Hardware: All, OS: Linux
Priority: unspecified, Severity: medium
Assigned To: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2015-12-04 04:27 EST by Harald Reindl
Modified: 2017-01-25 12:46 EST (History)

Last Closed: 2017-01-25 12:46:06 EST
Type: Bug

Description Harald Reindl 2015-12-04 04:27:22 EST
oh no - such stuff belongs to /var/lib

[root@localhost:~]$ cat /etc/.updated
This file was created by systemd-update-done. Its only
purpose is to hold a timestamp of the time this directory
was updated. See systemd-update-done.service(8).

hidden files below /etc result in rkhunter alerts

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Hidden file found: /etc/.updated: ASCII text

----------------------- End Rootkit Hunter Scan -----------------------
Comment 1 Michal Sekletar 2015-12-04 05:07:24 EST
Well, there is also /var/.updated. As both files are part of the offline update scheme provided by systemd and now implemented by GNOME's Software app, I think it would be less work for everyone to just add an exception in rkhunter.

At any rate, we will not change the behavior in RHEL, unless it is changed upstream. Any chance you will bring this discussion upstream?
Comment 2 Harald Reindl 2015-12-04 05:09:54 EST
I doubt that this is an unconditional systemd-upstream thing because I run Fedora 22/23/24 on several machines and the only system which ever came with these alerts was CentOS 7.2 CR
Comment 3 Nerijus Baliūnas 2015-12-15 05:33:30 EST
See bug 1291629
Comment 4 Jan Synacek 2017-01-25 08:49:35 EST
See comment 1 and 3.
Comment 5 Harald Reindl 2017-01-25 10:23:08 EST
then hand it over to the rkhunter maintainers - it's a joke that users need to configure such things
Comment 6 Kevin Fenzi 2017-01-25 12:22:51 EST
This was fixed in rkhunter over a year ago... 

commit 0c33dc80a147606d268b6f3118ebe516691e43ef
Author: Mukundan Ragavan <nonamedotc@fedoraproject.org>
Date:   Thu Dec 31 18:52:53 2015 -0500

    Allow /etc/.updated on EL7
    - Fixes bug#1291629

Do you actually see this still? What exact version of rkhunter?
Comment 7 Nerijus Baliūnas 2017-01-25 12:29:23 EST
Yes, it is fixed - /etc/rkhunter.conf of rkhunter-1.4.2-7.el7.noarch has a line:
Comment 8 Harald Reindl 2017-01-25 12:39:10 EST
Maybe it was fixed in the meantime; I changed the local config on the day I reported the problem - so why do I get a WONTFIX a year later with an explanation of why those hidden folders got created, while it's still not true that they needed to get introduced that way from the start
Comment 9 Kevin Fenzi 2017-01-25 12:46:06 EST
Feel free to take your concerns to upstream systemd about the files. 

As far as rkhunter is concerned it should be fine with them.
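
An added example, not part of the original bug thread and not rkhunter's own code: a shell helper that lists the hidden files a report flags but that no ALLOWHIDDENFILE entry (rkhunter's option for whitelisting hidden files) in the configuration covers. The report format follows the warning quoted in the description; the sample report, the sample configuration, the path /etc/.example-constructed and the function names are constructed for illustration, and only exact paths (no wildcards) are matched.

```shell
#!/bin/sh
# Added example: triage rkhunter "Hidden file found" warnings against the
# ALLOWHIDDENFILE entries of an rkhunter configuration file.

# Print the paths from "Warning: Hidden file found: <path>: <file type>" lines.
hidden_warnings() {
    sed -n 's/^Warning: Hidden file found: \(.*\): [^:]*$/\1/p' "$1"
}

# Print every path named by an ALLOWHIDDENFILE line, one per output line.
# Assumption: exact paths only; one value may hold several space-separated paths.
allowed_hidden() {
    sed -n 's/^[[:space:]]*ALLOWHIDDENFILE=//p' "$1" |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print flagged paths that no ALLOWHIDDENFILE entry covers.
unlisted_hidden() {   # $1 = rkhunter report, $2 = rkhunter configuration
    allow=$(allowed_hidden "$2")
    hidden_warnings "$1" | while IFS= read -r path; do
        printf '%s\n' "$allow" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Write the constructed sample report and configuration into directory $1.
make_sample() {
    cat > "$1/report.txt" <<'EOF'
Warning: Hidden file found: /etc/.updated: ASCII text
Warning: Hidden file found: /etc/.example-constructed: ASCII text
EOF
    cat > "$1/rkhunter.conf.local" <<'EOF'
# constructed sample configuration, not the packaged rkhunter.conf
ALLOWHIDDENFILE=/etc/.updated
EOF
}

# Demo on the constructed samples: only the path without an exception is listed.
tmp=$(mktemp -d)
make_sample "$tmp"
unlisted_hidden "$tmp/report.txt" "$tmp/rkhunter.conf.local"
rm -rf "$tmp"
```

Any path this prints still needs its owner and content checked before it is added to the configuration.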
