? Can you describe what false positives you think you are seeing?
uhm - i am pretty sure that i have filled out this however, once again /usr/share/man/man5/.k5identity.5.gz is part of krb5-libs on F17 but not F16 seems like this is caused by UsrMove it is intentionally /usr/bin/ad 4:netatalk-2.2.2-1.fc17.x86_64 : Daemon which provides POSIX-compliant *NIX/*BSD systems with the ability to : share files and printers with Apple Macintosh Repo : @fedora Übereinstimmung von: Dateiname : /bin/ad -------- Original-Nachricht -------- Betreff: rkhunter Daily Run on testserver Datum: Thu, 14 Jun 2012 03:49:14 +0200 Von: root An: rhsoft --------------------- Start Rootkit Hunter Update --------------------- [ Rootkit Hunter version 1.4.0 ] Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ] ---------------------- Start Rootkit Hunter Scan ---------------------- Warning: 'Spanish' Rootkit [ Warning ] File '/bin/ad' found Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression ----------------------- End Rootkit Hunter Scan -----------------------
For the first item, I can confirm it here. I will talk with the upstream developers. For the second item, the /etc/rkhunter.conf as shipped should have: ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz Can you check for that in /etc/rkhunter.conf or see if you have a /etc/rkhunter.conf.rpmnew ? Thanks for the report.
indeed there was a "/etc/rkhunter.conf.rpmnew" seems on my test-vm i did not revert the changes in a clean way and only created /etc/rkhunter.conf.local which leads to not update the config i did now the following steps which should fix this rm -f /etc/rkhunter.conf.rpmnew rm -f /etc/rkhunter.conf yum reinstall rkhunter for the netatalk false-positive i wait for a update....
is there any progress? the daily mails because netatalk are boring ---------------------- Start Rootkit Hunter Scan ---------------------- Warning: 'Spanish' Rootkit [ Warning ] File '/bin/ad' found ----------------------- End Rootkit Hunter Scan -----------------------
Can you try adding: RTKT_FILE_WHITELIST=/bin/ad and see if that helps?
thank you! this does the trick
ok. I pushed a fix to the config to rawhide. Will wait a while and see if we pick up a few more fixes before pushing to stable releases. Thanks.
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17
Package rkhunter-1.4.0-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18 then log in and leave karma (feedback).
rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.