Bug 1293059 - When the lldpad package is upgraded, /dev/shm/lldpad.state is created but rkhunter isn't told
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 22
Hardware: i686 Linux
Priority: unspecified Severity: medium
Assigned To: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-19 13:10 EST by Martin Gregorie
Modified: 2016-05-07 08:01 EDT
Fixed In Version: rkhunter-1.4.2-11.fc23 rkhunter-1.4.2-11.fc22 rkhunter-1.4.2-11.fc24
Doc Type: Bug Fix
Last Closed: 2016-04-24 16:52:33 EDT
Type: Bug
Description Martin Gregorie 2015-12-19 13:10:41 EST
Description of problem:
=======================
When dnf upgrades the lldpad package it creates the /dev/shm/lldpad.state file but does not update the rkhunter configuration. As a result, the next rkhunter run reports /dev/shm/lldpad.state as a suspicious file.

Version-Release number of selected component (if applicable):
=============================================================
lldpad v1.0.1

How reproducible:
=================
Happens each time the lldpad package is upgraded by dnf

Steps to Reproduce:
===================
1. Update the lldpad package
2. Run "rkhunter --check --nocolors --report-warnings-only"

Actual results:
===============
rkhunter reports:

Warning: Suspicious file types found in /dev:
         /dev/shm/lldpad.state: FoxPro FPT, blocks size 256, next free block index 4127195136, field type 0

Expected results:
=================
rkhunter should not report /dev/shm/lldpad.state as suspicious because it was created by the package upgrade

Additional info:
================
The last time this happened was at 21:07 UTC on 18Dec2015, updating the
lldpad.i686 package to the 1.0.1-2.git986eb2e.fc22 rpm.

On this system it appears that /dev/shm/lldpad.state isn't needed because the previous (first) time this happened I deleted the file. This cleared the rkhunter suspicious file report, which wasn't seen again until last night's rkhunter cronjob run saw that the package upgrade had recreated it. In the interim there have been no error reports or crashes that can be traced to the absence of that file. 

Running "rkhunter --propupd" does not fix the problem.
Comment 1 Martin Gregorie 2015-12-19 13:14:23 EST
Correction: the system's /proc/version shows:

Linux version 4.2.7-200.fc22.i686+PAE (mockbuild@bkernel02.phx2.fedoraproject.org) (gcc version 5.1.1 20150618 (Red Hat 5.1.1-4) (GCC) ) #1 SMP Thu Dec 10 03:46:29 UTC 2015

but the closest to that I can specify is i686.
Comment 2 Chris Leech 2016-04-19 17:33:09 EDT
I have no idea what a package would need to do for rkhunter.  If this is something that should change in the lldpad package, please let me know what and assign it back.  Thanks.
Comment 3 Martin Gregorie 2016-04-19 18:28:22 EDT
rkhunter keeps a database of checksums for executables and a list of the more unusual files associated with some executables. The checksums can be updated by running "rkhunter --propupd" - usually "dnf update" seems to automatically do something equivalent and every so often it seems to forget (last time it forgot was after the last coreutils update).

It would be nice if, when a new version of the lldpad package is released, it could:
- make sure that the master rkhunter knows about files like
  /dev/shm/lldpad.state and that it has the latest checksum(s)
- when dnf is installing or upgrading the lldpad package it would be nice if it
  could check whether the rkhunter package is installed and, if so, cause dnf
  to update the local rkhunter database or trigger rkhunter to be run with the
  --propupd option

This rkhunter-related action is no different from the way that packages that want to run as specific users invariably try to create the user during an upgrade in case it's somehow got deleted.

I'm not specifically targeting lldpad: it's just that it's the latest thing to arrive unannounced on my system. I assume it's now required by some package I already had installed. That's not a problem, but having something new arrive unannounced so that my first warning is from rkhunter flagging up newly installed files as suspicious and/or saying the checksums don't match a new/upgraded executable - that is annoying since it means that I have to find out what the new program does and where it might have come from so I can decide whether to refresh the rkhunter database or set out on a malware hunt.

Anyway, that's the background for this bug report. I hope it is useful to you.
Comment 4 Kevin Fenzi 2016-04-20 11:47:10 EDT
So, I can (and will) definitely update rkhunter to allow /dev/shm/lldpad.state in its config.

rkhunter will not however ever run --propupd automatically. It's up to the user to run that when they know they have applied updates or otherwise made known changes to their system. This isn't something that can be automated. 

Look for an update soon...
Comment 5 Fedora Update System 2016-04-20 12:25:55 EDT
rkhunter-1.4.2-11.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-af2e2f9026
Comment 6 Fedora Update System 2016-04-20 12:26:02 EDT
rkhunter-1.4.2-11.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d9e95b90c3
Comment 7 Fedora Update System 2016-04-20 12:26:07 EDT
rkhunter-1.4.2-11.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ac44f3205f
Comment 8 Fedora Update System 2016-04-21 17:58:39 EDT
rkhunter-1.4.2-11.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d9e95b90c3
Comment 9 Fedora Update System 2016-04-21 23:24:56 EDT
rkhunter-1.4.2-11.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ac44f3205f
Comment 10 Fedora Update System 2016-04-22 16:58:06 EDT
rkhunter-1.4.2-11.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-af2e2f9026
Comment 11 Fedora Update System 2016-04-24 16:52:31 EDT
rkhunter-1.4.2-11.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-04-29 20:20:01 EDT
rkhunter-1.4.2-11.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Martin Gregorie 2016-04-30 06:52:58 EDT
Last night's "dnf update" modified the following:

ssh sshd less rkhunter rpm

but without updating the rkhunter database: the daily rkhunter cron job following the update reported these as

       Warning: The file properties have changed

and showed a changed inode value. I got rid of these warnings by running 'rkhunter --propupd' but, as always, I was left with the uneasy feeling "did anything get in and change these programs between the dnf update and running 'rkhunter --propupd'?".

Maybe changing the rkhunter manpage to give more detail about what the --propupd option does would help.
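The uneasy feeling in comment 13, and the checksum database described in comment 3, both come down to the same question: before refreshing rkhunter's properties with --propupd, is there an independent record that vouches for the changed binaries? The RPM database dnf just wrote is one such record. The script below is an added example, not code from this bug, rkhunter or Fedora's packaging; it assumes standard rpm -V status strings per rpm(8), and the fake_rpm_verify stand-in and its file list are constructed so the logic runs offline.

```shell
#!/bin/sh
# Added example; not part of this bug report, rkhunter or Fedora's packaging.
# Before answering a "file properties have changed" warning with
# 'rkhunter --propupd', ask the RPM database (which dnf just refreshed) whether
# it vouches for each flagged file. 'rpm -V' prints nothing for a file that
# matches its package payload, otherwise a status string per rpm(8), e.g.
# "S.5....T.  /usr/sbin/sshd" (size, digest and mtime differ) or "missing".

# Classify one rpm -V result line; always prints one of ok/metadata/content.
classify_verify_line() {
    line=$1
    [ -z "$line" ] && { echo ok; return 0; }
    flags=${line%% *}                 # first field: 9-char attribute status
    case "$flags" in
        missing|*S*|*5*) echo content ;;   # payload itself differs: investigate
        *)               echo metadata ;;  # mode/owner/mtime only: expected after an update
    esac
}

# Returns 0 when every file is ok/metadata, 1 if any file's content differs.
# The verifier command is a parameter so the logic can be exercised offline.
propupd_is_safe() {
    verifier=$1; shift
    rc=0
    for f in "$@"; do
        out=$($verifier "$f" || true)
        verdict=$(classify_verify_line "$out")
        echo "$f: $verdict"
        [ "$verdict" = content ] && rc=1
    done
    return $rc
}

# Real verifier: rpm -Vf checks the whole owning package, so keep only our file.
rpm_verify_file() {
    rpm -Vf "$1" 2>/dev/null | awk -v f="$1" '$NF == f'
}

# Constructed stand-in for rpm_verify_file so the example runs without rpm.
fake_rpm_verify() {
    case "$1" in
        /usr/sbin/sshd) echo "S.5....T.  $1" ;;   # constructed: payload changed
        /usr/bin/less)  echo ".......T.  $1" ;;   # constructed: only mtime changed
        *)              : ;;                      # constructed: matches its package
    esac
}

# Usage on a real host, for the binaries named in comment 13:
#   propupd_is_safe rpm_verify_file /usr/bin/ssh /usr/sbin/sshd /usr/bin/less /usr/bin/rpm \
#       && rkhunter --propupd
```

A "content" verdict does not by itself mean compromise (a locally rebuilt or prelinked binary also differs from its payload), but it is the case that deserves a look before the properties database is overwritten.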
Comment 14 Fedora Update System 2016-05-07 08:01:21 EDT
rkhunter-1.4.2-11.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
