Bug 190248 - rkhunter shows false positives on FC3, FC4 and FC5.
Summary: rkhunter shows false positives on FC3, FC4 and FC5.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Greg Houlette
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-04-29 07:51 UTC by Gilboa Davara
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-07 14:49:46 UTC
Type: ---
Embargoed:


Attachments
False positive patch; Works on FC3 and FC5. (didn't have FC4 to test it on) (565 bytes, patch)
2006-04-29 07:51 UTC, Gilboa Davara

Description Gilboa Davara 2006-04-29 07:51:33 UTC
Created attachment 128387 [details]
False positive patch; Works on FC3 and FC5. (didn't have FC4 to test it on)

Comment 1 Gilboa Davara 2006-04-29 07:51:33 UTC
Description of problem:
rkhunter shows false positive warnings while scanning for hidden files under
FC3, FC4 and FC5. (See below)

Version-Release number of selected component (if applicable):
FC5: rkhunter-1.2.8-3.fc5.noarch
FC3: rkhunter-1.2.8-2.fc3

How reproducible:
Always.

Steps to Reproduce:
1. rkhunter -c -sk
Actual results:
E.g. (FC3/i386)

   Scanning for hidden files...  [ Warning! ]
---------------
 /dev/.udev.tdb  /usr/share/man/man1/..1.gz  /etc/.pwd.lock 
---------------
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix,
max compression) 

Expected results:
No warnings.

Additional info:
See attached patch.

Comment 2 Greg Houlette 2006-05-07 14:49:46 UTC
Each installation of rkhunter should be 'adapted' for the individual computer
upon which it is to be run.  This is, in fact, part of the setup procedure.

Default 'Whitelisting' is a dangerous practice.  It gives the cracker an open
opportunity to hide his tools right under your nose.  It is a philosophical
decision NOT to engage in this 'convenience'.  YOUR philosophy may vary...

After you have executed your due diligence and actually inspected the file which
was reported (/usr/share/man/man1/..1.gz in this case) you will find an entry
corresponding to this file already in the /etc/rkhunter.conf configuration file.

Simply uncomment this entry (removing the leading #) and it will no longer be
reported.  While it is NOT possible to foresee every variation of this basic
theme of adaptation, there are a few other commented entries in rkhunter.conf
as well for things like JVM installation.

These commented entries are provided as EXAMPLES to illustrate how to add
'whitelisted' directories or files to YOUR system's configuration.

Sorry for the inconvenience.  It is the nature of this tool.  Use it wisely.
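An added triage helper for the "inspect before whitelisting" step that Comment 2 describes; it is not code from the bug report or from the rkhunter project. It splits the hidden-files warning line into paths, checks each one against the RPM database (ownership and `rpm -V` integrity), and emits an rkhunter.conf line only for files that verify. The ALLOWHIDDENFILE directive name and the sample warning line are assumptions based on the report's output and a stock rkhunter.conf.

```shell
#!/bin/sh
# Added example, not part of the bug report. Triage rkhunter "hidden files"
# warnings before whitelisting anything.

# Constructed from the warning quoted in the report above.
SAMPLE_WARNING=' /dev/.udev.tdb  /usr/share/man/man1/..1.gz  /etc/.pwd.lock '

# Turn rkhunter's space-separated hidden-files line into one path per line.
parse_hidden_files() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep '^/'
}

# Decide whether one reported path is explainable by an installed package.
# Returns 0 (safe to whitelist), 1 (needs manual inspection) or 2 (no rpm here).
inspect_hidden_file() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available; $(file -b "$path" 2>/dev/null || echo unknown)"
        return 2
    fi
    if ! owner=$(rpm -qf "$path" 2>/dev/null); then
        echo "$path: not owned by any package, inspect manually"
        return 1
    fi
    # rpm -V prints a line for every file whose size/mode/digest/etc. changed.
    if rpm -V "$owner" 2>/dev/null | grep -q " $path\$"; then
        echo "$path: owned by $owner but differs from package metadata, inspect manually"
        return 1
    fi
    echo "$path: owned by $owner and verifies"
    return 0
}

# Whitelist directive as it would be added to /etc/rkhunter.conf (assumed name).
whitelist_line() {
    printf 'ALLOWHIDDENFILE=%s\n' "$1"
}

# Walk a warning line and print a whitelist entry only for paths that verify.
triage_hidden_files() {
    parse_hidden_files "$1" | while read -r p; do
        if inspect_hidden_file "$p"; then
            whitelist_line "$p"
        fi
    done
}
```

Run it as `triage_hidden_files "$SAMPLE_WARNING"` on the affected host, then paste only the printed ALLOWHIDDENFILE lines into rkhunter.conf; anything flagged as unowned or modified stays reported.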

