Red Hat Bugzilla – Bug 190248
rkhunter shows false positives on FC3, FC4 and FC5.
Last modified: 2007-11-30 17:11:31 EST
Created attachment 128387
False-positive patch; works on FC3 and FC5 (didn't have FC4 to test it on).
Description of problem:
rkhunter shows false positive warnings while scanning for hidden files under
FC3, FC4 and FC5. (See below)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. rkhunter -c -sk
Scanning for hidden files... [ Warning! ]
/dev/.udev.tdb /usr/share/man/man1/..1.gz /etc/.pwd.lock
Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from Unix,
See attached patch.
Each installation of rkhunter should be 'adapted' for the individual computer
upon which it is to be run. This is, in fact, part of the setup procedure.
Default 'Whitelisting' is a dangerous practice. It gives the cracker an open
opportunity to hide his tools right under your nose. It is a philosophical
decision NOT to engage in this 'convenience'. YOUR philosophy may vary...
After you have executed your due diligence and actually inspected the file which
was reported (/usr/share/man/man1/..1.gz in this case) you will find an entry
corresponding to this file already in the /etc/rkhunter.conf configuration file.
Simply uncomment this entry (removing the leading #) and it will no longer be
reported. While it is NOT possible to foresee every variation of this basic
theme of adaptation, there are a few other commented entries in rkhunter.conf
as well for things like JVM installation.
These commented entries are provided as EXAMPLES to illustrate how to add
'whitelisted' directories or files to YOUR system's configuration.
Sorry for the inconvenience. It is the nature of this tool. Use it wisely.
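The procedure described above (parse the paths from the hidden-files warning, then clear a warning only by uncommenting the entry rkhunter.conf already carries for that file), as an added shell example that is not part of this bug report or of rkhunter itself. It assumes the ALLOWHIDDENFILE/ALLOWHIDDENDIR directive names used by rkhunter.conf; the sample config it writes is constructed.

```bash
# Added example, not from the bug report or from rkhunter. A hidden-file
# warning is cleared only by uncommenting an ALLOWHIDDENFILE/ALLOWHIDDENDIR
# entry that rkhunter.conf already carries; nothing is appended blindly.
# Directive names are the ones rkhunter.conf uses; sample config is constructed.

# Print, one per line, the paths listed in an rkhunter hidden-files warning.
parse_hidden_paths() { printf '%s\n' "$1" | tr ' ' '\n' | grep '^/'; }

# Drop a leading '#' and any whitespace that follows it.
uncomment() { local s="${1#\#}"; printf '%s\n' "${s#"${s%%[![:space:]]*}"}"; }

# Exit 0 if CONF ($1) already has an active (uncommented) entry for PATH ($2).
is_whitelisted() { grep -qxF -e "ALLOWHIDDENFILE=$2" -e "ALLOWHIDDENDIR=$2" "$1"; }

# Print the commented-out entry for PATH in CONF; exit 1 if there is none.
find_whitelist_entry() {
    local conf="$1" path="$2" line
    while IFS= read -r line; do
        case $line in
        '#'*ALLOWHIDDENFILE=*|'#'*ALLOWHIDDENDIR=*)
            if [ "${line#*=}" = "$path" ]; then printf '%s\n' "$line"; return 0; fi ;;
        esac
    done < "$conf"
    return 1
}

# Uncomment the existing entry for PATH in CONF in place. Exits 1 and leaves
# CONF untouched when no such entry exists: whitelisting is a deliberate,
# per-file decision made after inspecting the file, so no new line is invented.
enable_whitelist_entry() {
    local conf="$1" path="$2" entry tmp line
    entry=$(find_whitelist_entry "$conf" "$path") || return 1
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        [ "$line" = "$entry" ] && line=$(uncomment "$line")
        printf '%s\n' "$line"
    done < "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed stand-in for the relevant lines of /etc/rkhunter.conf.
make_sample_conf() {
    local f; f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#ALLOWHIDDENDIR=/etc/.java
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/etc/.pwd.lock
ALLOWHIDDENDIR=/dev/.udev
EOF
    printf '%s\n' "$f"
}
```

Run `find_whitelist_entry /etc/rkhunter.conf /usr/share/man/man1/..1.gz` against the real config to see whether a commented entry exists before inspecting the file; only then call `enable_whitelist_entry`.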