Description of problem:
The version of rkhunter in EPEL 8 reports libkeyutils.so.1.9 as a spam tool component, even though it is now a legitimate library version (and that suspicious file has been removed as of commit 6c0675 - https://sourceforge.net/p/rkhunter/rkh_code/ci/6c0675385cafe64ba218b53202b031f616046fe6/). When running processes that use that library inside of a container, it is impossible to whitelist the file and the only way to avoid reporting the potential problem nightly is to disable the running_procs test.

Version-Release number of selected component (if applicable):
1.4.6-6.el8

How reproducible:
100% of the time when running the rkhunter cron.daily job

Steps to Reproduce:
1. Install docker-ce and minikube
2. Install AWX via the AWX operator (https://github.com/ansible/awx-operator)
3. Install rkhunter
4. Run /etc/cron.daily/rkhunter

Actual results:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The following processes are using suspicious files:
Command: awx-manage UID: 1000 PID: 104251 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 635471 PID: 104251 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 635659 PID: 104251 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 636022 PID: 104251 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 686921 PID: 104251 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104329 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104330 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104386 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104387 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104388 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104389 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 104497 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 635470 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 635475 PID: 635470 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 635658 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 635662 PID: 635658 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 636019 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 636025 PID: 636019 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: awx-manage UID: 1000 PID: 686917 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 686973 PID: 686917 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: daphne UID: 1000 PID: 104253 Pathname: Possible Rootkit: Spam tool component
Command: daphne UID: 105730 PID: 104253 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 100926 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101014 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101015 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101016 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101017 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101018 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101019 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 104340 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 104506 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 109957 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 686923 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 686930 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 706227 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 726887 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 726905 Pathname: Possible Rootkit: Spam tool component
Command: uwsgi UID: 1000 PID: 104258 Pathname: Possible Rootkit: Spam tool component
Command: uwsgi UID: 1000 PID: 104259 Pathname: Possible Rootkit: Spam tool component
Command: uwsgi UID: 1000 PID: 104260 Pathname: Possible Rootkit: Spam tool component
Command: uwsgi UID: 1000 PID: 104262 Pathname: Possible Rootkit: Spam tool component
Command: uwsgi UID: 1000 PID: 460693 Pathname: Possible Rootkit: Spam tool component
----------------------- End Rootkit Hunter Scan -----------------------

Expected results:
No detections.

Additional info:
This issue was tracked by rkhunter as bug #170 (https://sourceforge.net/p/rkhunter/bugs/170/) and is fixed in the development branch of rkhunter, but has not made it into a release yet. However I suspect that it will become a bigger deal the longer time goes on.
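A triage helper for warning blocks like the one in the report above, added here as an example (it is not part of the bug report or of rkhunter): it parses the "processes are using suspicious files" entries and groups them by command and label, so dozens of lines reduce to the handful of services that share one flagged library. The function names and the `SAMPLE` excerpt are this example's own.

```python
import re
from collections import defaultdict

# A few entries copied from the scan output in the report, for illustration.
SAMPLE = """\
Warning: The following processes are using suspicious files:
Command: awx-manage UID: 1000 PID: 104251 Pathname: Possible Rootkit: Spam tool component
Command: awx-manage UID: 635471 PID: 104251 Pathname: 3944947 Possible Rootkit: Spam tool component
Command: daphne UID: 1000 PID: 104253 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 100926 Pathname: Possible Rootkit: Spam tool component
Command: postgres UID: 999 PID: 101014 Pathname: Possible Rootkit: Spam tool component
"""

# \s also matches newlines, so the same pattern handles a multi-line layout
# and the single-line form the output is flattened to when pasted or mailed.
ENTRY = re.compile(
    r"Command:\s*(?P<command>.+?)\s+UID:\s*(?P<uid>\d+)\s+PID:\s*(?P<pid>\d+)\s+"
    r"Pathname:\s*(?P<pathname>.*?)\s*Possible Rootkit:\s*(?P<label>.*?)\s*"
    r"(?=Command:|-{3,}|$)",
    re.S,
)

def parse_warnings(text):
    """Return one dict per flagged process entry."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def summarize(text):
    """Group entries by (command, label): distinct PIDs, entry count, and
    how many entries carried no pathname to whitelist against."""
    groups = defaultdict(lambda: {"pids": set(), "entries": 0, "no_path": 0})
    for rec in parse_warnings(text):
        g = groups[(rec["command"], rec["label"])]
        g["pids"].add(int(rec["pid"]))
        g["entries"] += 1
        g["no_path"] += rec["pathname"] == ""
    return dict(groups)

if __name__ == "__main__":
    for (cmd, label), g in sorted(summarize(SAMPLE).items()):
        print(f"{cmd:12} {label!r}: {len(g['pids'])} PIDs, "
              f"{g['entries']} entries, {g['no_path']} without pathname")
```

A single label repeated across every command, with most entries lacking a pathname, is the pattern this report describes: one shared library flagged in every process that loads it.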
Yeah, we fixed this in 1914662 in fedora, just need to push that into epel8 too.
Any timeframe for this to get pushed to epel8?
Sorry, been busy. I'll try and get it soon... PRs welcome. :)
Sorry for the long delay here. Look for an update here in a few...
FEDORA-EPEL-2022-85206be988 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-85206be988
FEDORA-EPEL-2022-85206be988 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-85206be988 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-85206be988 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.