Red Hat Bugzilla – Bug 806972
F17 /lib/java possible rootkit
Last modified: 2012-05-26 02:49:24 EDT
Description of problem:
[16:46:00] Warning: Checking for possible rootkit files and directories [ Warning ]
[16:46:00] Found directory '/lib/java'. Possible rootkit: Rootkit component
/lib/java is an empty dir.
as appears to be normal going by:
Version-Release number of selected component (if applicable):
How reproducible: Number of rkhunter runs
Steps to Reproduce:
1. install jpackage-utils
2. run rkhunter --update --check -sk
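A triage sketch for the warning quoted above, added here as an example and not taken from the report or from rkhunter itself. It pulls each flagged directory out of rkhunter's warning lines, then reports whether it is empty and which RPM package owns it. The function names are hypothetical, the sample log is constructed from the two lines in the description, and treating "empty and package-owned" as the benign case is an assumption drawn from the reporter's remarks.

```shell
#!/bin/sh
# Constructed sample, modelled on the two warning lines quoted in the report.
SAMPLE_LOG="[16:46:00] Warning: Checking for possible rootkit files and directories [ Warning ]
[16:46:00] Found directory '/lib/java'. Possible rootkit: Rootkit component"

# Print each directory named in a "Found directory '...'" line read from stdin.
flagged_dirs() {
    sed -n "s/.*Found directory '\([^']*\)'.*/\1/p"
}

# Classify one directory as missing, empty, or non-empty.
dir_state() {
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then
        echo empty
    else
        echo non-empty
    fi
}

# Name the RPM package(s) owning the path; "unowned" if rpm knows none,
# "rpm-unavailable" on systems without rpm.
dir_owner() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo rpm-unavailable
    elif owner=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null); then
        echo "$owner" | sort -u | tr '\n' ' ' | sed 's/ $//'
    else
        echo unowned
    fi
}

# Read rkhunter log text on stdin; print "path<TAB>state<TAB>owner" per hit.
triage() {
    flagged_dirs | while IFS= read -r d; do
        printf '%s\t%s\t%s\n' "$d" "$(dir_state "$d")" "$(dir_owner "$d")"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage
```

A non-empty or unowned directory at a flagged path is the case that deserves a closer look before any whitelisting.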
This is going to take some changes to the core script as there's no way to whitelist a dir like this in config. Will bring it up upstream too.
Upstream is working on a good fix for this. In the meantime I have a workaround I will commit and push out.
Look for an update in a bit here.
rkhunter-1.3.8-15.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.3.8-15.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Hard one to call, fixes the problem in i386.
Causes "no such dir" in x86_64
Oops. Quite right. ;(
I'll ask upstream for a better way around this...
thank you for the testing.
(In reply to comment #6)
> Oops. Quite right. ;(
> I'll ask upstream for a better way around this...
> thank you for the testing.
At the moment, I just make "mkdir /usr/lib/java" on the x86_64.
But the empty dir /usr/lib64/java causes no false flag.
rkhunter-1.4.0-1.fc17 has been submitted as an update for Fedora 17.
rkhunter-1.4.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.