Bug 1411130 - suspicious warnings on fresh installed system
Summary: suspicious warnings on fresh installed system
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 25
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-08 15:48 UTC by redhat
Modified: 2017-02-11 13:19 UTC (History)

Fixed In Version: rkhunter-1.4.2-12.fc25 rkhunter-1.4.2-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-05 20:20:55 UTC
Type: Bug
Embargoed:



Description redhat 2017-01-08 15:48:37 UTC
Description of problem:
When running rkhunter on a freshly installed system it produces suspicious warnings.

Version-Release number of selected component (if applicable):
rkhunter-1.4.2-11.fc25.noarch


How reproducible:
Always, after a fresh install of FC25 Server.

Steps to Reproduce:
1. rkhunter
2.
3.

Actual results:

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
....
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown:
+Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again
+shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell
+script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell
+script, ASCII text executable
...
Warning: Hidden file found: /usr/bin/.tv7: ASCII text, with no line terminators


Expected results:
No warnings

Additional info:

# rpm -qf /usr/bin/egrep
grep-2.27-1.fc25.x86_64
# rpm -Vv grep-2.27-1.fc25.x86_64
.........    /bin/egrep
.........    /bin/fgrep
.........    /bin/grep
.........  c /etc/GREP_COLORS
.........  c /etc/profile.d/colorgrep.csh
.........  c /etc/profile.d/colorgrep.sh
.........    /usr/libexec/grepconf.sh
.........    /usr/share/doc/grep
.........  d /usr/share/doc/grep/AUTHORS
.........  d /usr/share/doc/grep/NEWS
.........  d /usr/share/doc/grep/README
.........  d /usr/share/doc/grep/THANKS
.........  d /usr/share/doc/grep/TODO
.........  d /usr/share/info/grep.info.gz
.........    /usr/share/licenses/grep
.........  l /usr/share/licenses/grep/COPYING
.........    /usr/share/locale/af/LC_MESSAGES/grep.mo
.........    /usr/share/locale/be/LC_MESSAGES/grep.mo
.........    /usr/share/locale/bg/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ca/LC_MESSAGES/grep.mo
.........    /usr/share/locale/cs/LC_MESSAGES/grep.mo
.........    /usr/share/locale/da/LC_MESSAGES/grep.mo
.........    /usr/share/locale/de/LC_MESSAGES/grep.mo
.........    /usr/share/locale/el/LC_MESSAGES/grep.mo
.........    /usr/share/locale/eo/LC_MESSAGES/grep.mo
.........    /usr/share/locale/es/LC_MESSAGES/grep.mo
.........    /usr/share/locale/et/LC_MESSAGES/grep.mo
.........    /usr/share/locale/eu/LC_MESSAGES/grep.mo
.........    /usr/share/locale/fi/LC_MESSAGES/grep.mo
.........    /usr/share/locale/fr/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ga/LC_MESSAGES/grep.mo
.........    /usr/share/locale/gl/LC_MESSAGES/grep.mo
.........    /usr/share/locale/he/LC_MESSAGES/grep.mo
.........    /usr/share/locale/hr/LC_MESSAGES/grep.mo
.........    /usr/share/locale/hu/LC_MESSAGES/grep.mo
.........    /usr/share/locale/id/LC_MESSAGES/grep.mo
.........    /usr/share/locale/it/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ja/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ko/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ky/LC_MESSAGES/grep.mo
.........    /usr/share/locale/lt/LC_MESSAGES/grep.mo
.........    /usr/share/locale/nb/LC_MESSAGES/grep.mo
.........    /usr/share/locale/nl/LC_MESSAGES/grep.mo
.........    /usr/share/locale/pa/LC_MESSAGES/grep.mo
.........    /usr/share/locale/pl/LC_MESSAGES/grep.mo
.........    /usr/share/locale/pt/LC_MESSAGES/grep.mo
.........    /usr/share/locale/pt_BR/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ro/LC_MESSAGES/grep.mo
.........    /usr/share/locale/ru/LC_MESSAGES/grep.mo
.........    /usr/share/locale/sk/LC_MESSAGES/grep.mo
.........    /usr/share/locale/sl/LC_MESSAGES/grep.mo
.........    /usr/share/locale/sr/LC_MESSAGES/grep.mo
.........    /usr/share/locale/sv/LC_MESSAGES/grep.mo
.........    /usr/share/locale/th/LC_MESSAGES/grep.mo
.........    /usr/share/locale/tr/LC_MESSAGES/grep.mo
.........    /usr/share/locale/uk/LC_MESSAGES/grep.mo
.........    /usr/share/locale/vi/LC_MESSAGES/grep.mo
.........    /usr/share/locale/zh_CN/LC_MESSAGES/grep.mo
.........    /usr/share/locale/zh_TW/LC_MESSAGES/grep.mo
.........  d /usr/share/man/man1/egrep.1.gz
.........  d /usr/share/man/man1/fgrep.1.gz
.........  d /usr/share/man/man1/grep.1.gz

# rpm -qf /usr/bin/.tv7
Die Datei /usr/bin/.tv7 gehört zu keinem Paket

Where does this file come from?

Comment 1 Kevin Fenzi 2017-01-08 17:09:49 UTC
Did you run 'rkhunter --propupd'? You need to do that every time you make changes and are telling rkhunter that those changes are ok.

I have no idea what that /usr/bin/.tv7 file is from. No Fedora packages seem to provide it. Perhaps check the contents and timestamp?

Comment 2 redhat 2017-01-08 18:04:37 UTC
> Did you run 'rkhunter --propupd'? You need to do that every time you make
> changes and are telling rkhunter that those changes are ok.

The package rkhunter has been installed after the package grep. So I did not change the system, therefore did not run 'rkhunter --propupd'. And why doesn't it complain about all the other packages that have been installed before? Excuse me, but I do not understand why I should run 'rkhunter --propupd'. Doesn't it have the FC packages in its database?

> I have no idea what that /usr/bin/.tv7 file is from. No Fedora packages seem
> to provide it. Perhaps check the contents and timestamp?

A quick search with Google showed https://www.synology.com/en-global/knowledgebase/DSM/tutorial/General/Why_does_Security_Advisor_inform_me_of_modified_system_files which mentions this file. Looks like the TwonkyMediaServer created this file, which is really odd, because it is not executable. I've just removed it.

Comment 3 Kevin Fenzi 2017-01-09 21:20:22 UTC
(In reply to redhat from comment #2)
> > Did you run 'rkhunter --propupd'? You need to do that every time you make
> > changes and are telling rkhunter that those changes are ok.
> 
> The package rkhunter has been installed after the package grep. So I did not
> change the system, therefore did not run 'rkhunter --propupd'. And why
> doesn't it complain about all the other packages that have been installed
> before? Excuse me, but I do not understand why I should run 'rkhunter
> --propupd'. Doesn't it have the FC packages in its database?

You did change the system. You installed. This is simply the way the tool works. 

See: http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ

"3.7) I have just installed Rootkit Hunter, and I am already
     getting warning messages. Why is that?

A.   The first run of rkhunter after an installation will usually give
     some warning messages. One of the checks is whether the file of
     file properties (called 'rkhunter.dat') exists. This file won't
     exist until rkhunter is run with the '--propupd' option."

If you run 'rkhunter --propupd' and then 'rkhunter -c -sk' does it show any problems?
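The FAQ answer above describes two steps: '--propupd' records a baseline of file properties, and later scans compare the live files against it. The script below is an added illustration of that mechanism, not rkhunter's own code; it stands in 'baseline.dat' for rkhunter.dat and a shebang check for file(1), and assumes paths without spaces.

```shell
#!/bin/sh
# Minimal re-creation of the two steps behind 'rkhunter --propupd' (record a
# baseline of file properties) and the later scan that compares against it.
# Added illustration only, not rkhunter's own code; 'baseline.dat' and the
# shebang-based type check stand in for rkhunter.dat and file(1).

# Classify a file the way the "replaced by a script" check cares about:
# anything starting with "#!" is a script, everything else is "other".
file_kind() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]; then echo script; else echo other; fi
}

# baseline_write BASEFILE PATH...  (the --propupd step)
# Declares the current hash and kind of each PATH trusted, so only run it on a
# system you already believe to be clean; paths must not contain spaces.
baseline_write() {
    base=$1; shift
    : > "$base"
    for f in "$@"; do
        printf '%s %s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" "$(file_kind "$f")" >> "$base"
    done
}

# baseline_check BASEFILE  (the scan step)
# Prints one warning per changed or missing file; returns the warning count.
baseline_check() {
    base=$1; warnings=0
    while read -r f sum kind; do
        if [ ! -e "$f" ]; then
            echo "Warning: $f is missing"; warnings=$((warnings + 1)); continue
        fi
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        curkind=$(file_kind "$f")
        if [ "$cur" != "$sum" ]; then
            if [ "$kind" = other ] && [ "$curkind" = script ]; then
                echo "Warning: The command '$f' has been replaced by a script"
            else
                echo "Warning: The file properties have changed: $f"
            fi
            warnings=$((warnings + 1))
        fi
    done < "$base"
    return $warnings
}
```

Because the baseline is whatever the files looked like when it was written, a '--propupd' run on an already compromised host silently blesses the compromise; the verification against rpm in the report above is the kind of independent check worth doing first.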

Comment 4 redhat 2017-01-10 13:24:06 UTC
Well, I did as suggested and the warnings disappeared. Fine.

But a new one popped up:

[14:19:51] Info: Starting test name 'filesystem'
[14:19:51] Performing filesystem checks
[14:19:51] Info: SCAN_MODE_DEV set to 'THOROUGH'
[14:19:53] Info: Found file '/dev/shm/squid-cf__readers.shm': it is whitelisted.
[14:19:53] Info: Found file '/dev/shm/squid-cf__queues.shm': it is whitelisted.
[14:19:53] Info: Found file '/dev/shm/squid-cf__metadata.shm': it is whitelisted.
[14:19:57]   Checking /dev for suspicious file types         [ Warning ]
[14:19:57] Warning: Suspicious file types found in /dev:
[14:19:57]          /dev/shm/squid-ssl_session_cache.shm: data

'--propupd' did not whitelist '/dev/shm/squid-ssl_session_cache.shm'. Is this an error of rkhunter or the squid?

Comment 5 Mukundan Ragavan 2017-01-11 02:55:23 UTC
(In reply to redhat from comment #4)

> [14:19:57]   Checking /dev for suspicious file types         [ Warning ]
> [14:19:57] Warning: Suspicious file types found in /dev:
> [14:19:57]          /dev/shm/squid-ssl_session_cache.shm: data
> 
> '--propupd' did not whitelist '/dev/shm/squid-ssl_session_cache.shm'. Is
> this an error of rkhunter or the squid?

yeah ... that's because this file is not present in the rkhunter.conf file.

You will have to add this file to the configuration file and run --propupd again I think.

Of course, you would want to run --propupd on a "known safe" system.

Alternatively, we would have to add this to the rkhunter.conf file .. what package does this file belong to?

Thanks.

Comment 6 redhat 2017-01-11 18:23:03 UTC
The file is not directly part of a package, but is created when Squid is operated with the option SSL Bump. Therefore I find it important to add this file to the white list of rkhunter.

# rpm -qal|grep squid-ssl_session_cache.shm
<empty>
# rpm -q squid
squid-4.0.17-1.fc25.x86_64

Comment 7 Mukundan Ragavan 2017-01-12 00:04:21 UTC
(In reply to redhat from comment #6)
> The file is not directly part of a package, but is created when Squid is
> operated with the option SSL Bump. Therefore I find it important to add this
> file to the white list of rkhunter.
> 
> # rpm -qal|grep squid-ssl_session_cache.shm
> <empty>
> # rpm -q squid
> squid-4.0.17-1.fc25.x86_64

That explains why I was unable to find the file.

I am testing another update for rkhunter (in another bug). I will add this as well and do a scratch build and post here.
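Comments 5 to 7 turn on whether a /dev path is listed in rkhunter.conf. The script below is an added illustration, not rkhunter's or Fedora's code: it checks paths against ALLOWDEVFILE entries (the rkhunter.conf directive for whitelisting files under /dev, which accepts shell wildcards) in a constructed config fragment, so a packager can confirm a runtime-created file such as squid's session cache is covered before shipping the change.

```shell
#!/bin/sh
# Check whether paths under /dev are covered by ALLOWDEVFILE lines in an
# rkhunter.conf-style file. Added illustration, not rkhunter's own code; the
# config text below is constructed for this example.
CONF_EXAMPLE='# constructed rkhunter.conf fragment
ALLOWDEVFILE=/dev/shm/squid-cf__readers.shm
ALLOWDEVFILE=/dev/shm/squid-cf__queues.shm
ALLOWDEVFILE=/dev/shm/squid-cf__metadata.shm
ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
# wildcard form, as rkhunter.conf permits
ALLOWDEVFILE=/dev/shm/pulse-shm-*
'

# dev_whitelisted CONF PATH: returns 0 if some ALLOWDEVFILE entry matches PATH,
# 1 otherwise. Comments and blank lines are skipped; entries are shell globs.
dev_whitelisted() {
    conf=$1; target=$2
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            ALLOWDEVFILE=*) pat=${line#ALLOWDEVFILE=} ;;
            *) continue ;;
        esac
        # $pat is deliberately unquoted so it is used as a glob pattern
        case $target in
            $pat) return 0 ;;
        esac
    done < "$conf"
    return 1
}

# dev_unlisted CONF PATH...: prints every PATH that is not whitelisted and
# returns their count, so 0 means everything given is already covered.
dev_unlisted() {
    conf=$1; shift; n=0
    for p in "$@"; do
        dev_whitelisted "$conf" "$p" || { echo "not whitelisted: $p"; n=$((n + 1)); }
    done
    return $n
}
```

Whitelist entries should be as narrow as the real file name allows; a broad wildcard under /dev/shm would also hide files an intruder drops there.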

Comment 8 Fedora Update System 2017-01-26 02:37:54 UTC
rkhunter-1.4.2-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-a9679aec00

Comment 9 Fedora Update System 2017-01-26 02:42:31 UTC
rkhunter-1.4.2-12.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-600553ca54

Comment 10 Fedora Update System 2017-01-27 02:48:11 UTC
rkhunter-1.4.2-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-a9679aec00

Comment 11 Fedora Update System 2017-01-28 04:54:25 UTC
rkhunter-1.4.2-12.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-600553ca54

Comment 12 Fedora Update System 2017-02-05 20:20:55 UTC
rkhunter-1.4.2-12.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2017-02-11 13:19:14 UTC
rkhunter-1.4.2-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

