Bug 190248 - rkhunter shows false positives on FC3, FC4 and FC5.
Product: Fedora
Classification: Fedora
Component: rkhunter
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Greg Houlette
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-04-29 03:51 EDT by Gilboa Davara
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-05-07 10:49:46 EDT

Attachments
False positive patch; Works on FC3 and FC5. (didn't have FC4 to test it on) (565 bytes, patch), 2006-04-29 03:51 EDT, Gilboa Davara

Description Gilboa Davara 2006-04-29 03:51:33 EDT
Created attachment 128387
False positive patch; Works on FC3 and FC5. (didn't have FC4 to test it on)
Comment 1 Gilboa Davara 2006-04-29 03:51:33 EDT
Description of problem:
rkhunter shows false positive warnings while scanning for hidden files under
FC3, FC4 and FC5. (See below)

Version-Release number of selected component (if applicable):
FC5: rkhunter-1.2.8-3.fc5.noarch
FC3: rkhunter-1.2.8-2.fc3

How reproducible:

Steps to Reproduce:
1. rkhunter -c -sk
Actual results:
E.g. (FC3/i386)

   Scanning for hidden files...  [ Warning! ]
 /dev/.udev.tdb  /usr/share/man/man1/..1.gz  /etc/.pwd.lock 
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix,
max compression) 

Expected results:
No warnings.

Additional info:
See attached patch.
Comment 2 Greg Houlette 2006-05-07 10:49:46 EDT
Each installation of rkhunter should be 'adapted' for the individual computer
upon which it is to be run.  This is, in fact, part of the setup procedure.

Default 'Whitelisting' is a dangerous practice.  It gives the cracker an open
opportunity to hide his tools right under your nose.  It is a philosophical
decision NOT to engage in this 'convenience'.  YOUR philosophy may vary...

After you have executed your due diligence and actually inspected the file which
was reported (/usr/share/man/man1/..1.gz in this case) you will find an entry
corresponding to this file already in the /etc/rkhunter.conf configuration file.

Simply uncomment this entry (removing the leading #) and it will no longer be
reported.  While it is NOT possible to foresee every variation of this basic
theme of adaptation, there are a few other commented entries in rkhunter.conf
as well for things like JVM installation.

These commented entries are provided as EXAMPLES to illustrate how to add
'whitelisted' directories or files to YOUR system's configuration.

Sorry for the inconvenience.  It is the nature of this tool.  Use it wisely.
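
The whitelisting model that comment 2 describes, as an added example that is not code from the bug report, the attached patch or rkhunter itself: a minimal hidden-file scan that reports every dot-file and dot-directory under a root unless an uncommented entry in the configuration names that exact path. The `ALLOWHIDDENFILE=` and `ALLOWHIDDENDIR=` key names are assumed to match the commented entries in rkhunter.conf; the directory tree (mirroring the three paths from the report) and the configuration fragment are constructed here, and the scan logic is a stand-in for rkhunter's own check.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Demonstrates per-host whitelisting
# of hidden files: entries stay commented in the config until the
# administrator has inspected the file, and only an uncommented entry that
# names the exact path suppresses the report.

# Return 0 when $1 (a path relative to the scanned root) is whitelisted by an
# uncommented ALLOWHIDDENFILE= or ALLOWHIDDENDIR= line in the config file $2.
# -x -F: the whole line must equal the fixed string, so "#ALLOWHIDDENFILE=..."
# (still commented) never matches. Key names assumed from rkhunter.conf.
is_whitelisted() {
    grep -qxF -e "ALLOWHIDDENFILE=$1" -e "ALLOWHIDDENDIR=$1" "$2"
}

# Print the root-relative paths of every hidden file and directory under $1
# that is not whitelisted in $2, one per line, in a locale-independent order.
scan_hidden() {
    root=$1
    conf=$2
    find "$root" -name '.*' | LC_ALL=C sort | while IFS= read -r path; do
        rel=${path#"$root"}
        if ! is_whitelisted "$rel" "$conf"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Constructed throwaway tree that mimics the paths reported in the bug,
# plus one extra hidden file that no entry covers.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/dev" "$DEMO_ROOT/usr/share/man/man1" \
         "$DEMO_ROOT/etc" "$DEMO_ROOT/tmp/.cache"
: > "$DEMO_ROOT/dev/.udev.tdb"
: > "$DEMO_ROOT/usr/share/man/man1/..1.gz"
: > "$DEMO_ROOT/etc/.pwd.lock"
: > "$DEMO_ROOT/tmp/.cache/.planted"   # not whitelisted: must still be reported

# Constructed rkhunter.conf fragment: two entries uncommented after
# inspection, the third left commented, so /etc/.pwd.lock is still reported.
DEMO_CONF="$DEMO_ROOT/rkhunter.conf"
cat > "$DEMO_CONF" <<'EOF'
ALLOWHIDDENFILE=/dev/.udev.tdb
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/etc/.pwd.lock
EOF

# With the config above, the report lists /etc/.pwd.lock, /tmp/.cache and
# /tmp/.cache/.planted; the two inspected and whitelisted files are silent.
scan_hidden "$DEMO_ROOT" "$DEMO_CONF"
```

The match is deliberately on the exact path: whitelisting `/dev/.udev.tdb` says nothing about any other hidden file that later appears beside it, which is what makes an inspected, host-specific list safer than a default one shipped for every installation.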
