Created attachment 128387: False positive patch; Works on FC3 and FC5. (didn't have FC4 to test it on)
Description of problem:
rkhunter shows false positive warnings while scanning for hidden files under FC3, FC4 and FC5. (See below)

Version-Release number of selected component (if applicable):
FC5: rkhunter-1.2.8-3.fc5.noarch
FC3: rkhunter-1.2.8-2.fc3

How reproducible:
Always.

Steps to Reproduce:
1. rkhunter -c -sk

Actual results:
E.g. (FC3/i386)

Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb
/usr/share/man/man1/..1.gz
/etc/.pwd.lock
---------------
Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)

Expected results:
No warnings.

Additional info:
See attached patch.
Each installation of rkhunter should be 'adapted' for the individual computer upon which it is to be run. This is, in fact, part of the setup procedure. Default 'Whitelisting' is a dangerous practice. It gives the cracker an open opportunity to hide his tools right under your nose. It is a philosophical decision NOT to engage in this 'convenience'. YOUR philosophy may vary...

After you have executed your due diligence and actually inspected the file which was reported (/usr/share/man/man1/..1.gz in this case), you will find an entry corresponding to this file already in the /etc/rkhunter.conf configuration file. Simply uncomment this entry (removing the leading #) and it will no longer be reported.

While it is NOT possible to foresee every variation of this basic theme of adaptation, there are a few other commented entries in rkhunter.conf as well for things like JVM installation. These commented entries are provided as EXAMPLES to illustrate how to add 'whitelisted' directories or files to YOUR system's configuration.

Sorry for the inconvenience. It is the nature of this tool. Use it wisely.
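The "inspect first, then uncomment the entry the packager already supplied" workflow described above, as an added POSIX shell example (not code from the bug report or from rkhunter itself). It assumes the whitelist keys are named ALLOWHIDDENFILE= and ALLOWHIDDENDIR= and ship commented out with a leading '#'; the sample configuration it writes is constructed, not the real /etc/rkhunter.conf.

```shell
#!/bin/sh
# Added example (not from the bug report or rkhunter itself). Assumes the
# rkhunter.conf whitelist entries are named ALLOWHIDDENFILE= / ALLOWHIDDENDIR=
# and ship commented out with a leading '#', as the comment above describes.

# make_sample_conf FILE: write a constructed stand-in for /etc/rkhunter.conf.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Allow the specified hidden files to be whitelisted.
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/etc/.pwd.lock
# Allow the specified hidden directories to be whitelisted.
#ALLOWHIDDENDIR=/dev/.udev.tdb
EOF
}

# inspect_hidden_file PATH: the due-diligence step that comes first. Shows the
# file type and, on RPM systems, the owning package and whether the file still
# matches that package's manifest (rpm -V prints nothing when it does).
inspect_hidden_file() {
  ls -ld "$1" && file "$1"
  if command -v rpm >/dev/null 2>&1; then
    pkg=$(rpm -qf "$1") && rpm -V "$pkg"
  fi
}

# whitelist_status CONF PATH: prints active, commented, or absent.
whitelist_status() {
  for key in ALLOWHIDDENFILE ALLOWHIDDENDIR; do
    grep -qxF "$key=$2" "$1" && { echo active; return 0; }
    grep -qxF "#$key=$2" "$1" && { echo commented; return 0; }
  done
  echo absent
}

# enable_whitelist CONF PATH: uncomment the packager-supplied entry for PATH.
# Deliberately refuses to append new entries: only paths someone already
# anticipated (and you have inspected) get whitelisted this way.
enable_whitelist() {
  [ "$(whitelist_status "$1" "$2")" = commented ] || return 1
  esc=$(printf '%s' "$2" | sed 's|[][\\/.*^$]|\\&|g')   # escape sed metacharacters
  tmp=$(mktemp) || return 1
  sed -e "s/^#\(ALLOWHIDDENFILE=$esc\)\$/\1/" \
      -e "s/^#\(ALLOWHIDDENDIR=$esc\)\$/\1/" "$1" > "$tmp" && mv "$tmp" "$1"
}
```

Typical use on a real box would be `inspect_hidden_file /usr/share/man/man1/..1.gz` followed, only if the inspection is clean, by `enable_whitelist /etc/rkhunter.conf /usr/share/man/man1/..1.gz`.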