Bug 831989 - F17: false positives
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rkhunter (Show other bugs)
17
x86_64 Linux
unspecified Severity medium
Assigned To: Kevin Fenzi
Fedora Extras Quality Assurance
Reported: 2012-06-14 04:55 EDT by Harald Reindl
Modified: 2012-12-20 10:27 EST (History)
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2012-12-20 10:27:41 EST
Type: Bug
Description Harald Reindl 2012-06-14 04:55:14 EDT

    
Comment 1 Kevin Fenzi 2012-06-14 10:35:34 EDT
? Can you describe what false positives you think you are seeing?
Comment 2 Harald Reindl 2012-06-14 10:44:15 EDT
uhm - I am pretty sure that I have filled this out
however, once again

/usr/share/man/man5/.k5identity.5.gz   is part of krb5-libs on F17 but not F16

seems like this is caused by UsrMove
it is intentionally /usr/bin/ad

4:netatalk-2.2.2-1.fc17.x86_64 : Daemon which provides POSIX-compliant *NIX/*BSD systems with the ability to
                               : share files and printers with Apple Macintosh
Repo        : @fedora
Übereinstimmung von:
Dateiname     : /bin/ad


-------- Original Message --------
Subject: rkhunter Daily Run on testserver
Date: Thu, 14 Jun 2012 03:49:14 +0200
From: root
To: rhsoft@test.rh

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: 'Spanish' Rootkit                        [ Warning ]
         File '/bin/ad' found
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression

----------------------- End Rootkit Hunter Scan -----------------------
Comment 3 Kevin Fenzi 2012-06-14 11:28:44 EDT
For the first item, I can confirm it here. I will talk with the upstream developers. 

For the second item, the /etc/rkhunter.conf as shipped should have: 

ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz

Can you check for that in /etc/rkhunter.conf or see if you have a /etc/rkhunter.conf.rpmnew ?

Thanks for the report.
Comment 4 Harald Reindl 2012-06-14 11:38:37 EDT
indeed there was a "/etc/rkhunter.conf.rpmnew"
seems on my test VM I did not revert the changes in a clean way
and only created /etc/rkhunter.conf.local, which led to the
config not being updated

I did the following steps now, which should fix this

rm -f /etc/rkhunter.conf.rpmnew
rm -f /etc/rkhunter.conf
yum reinstall rkhunter

for the netatalk false positive I'm waiting for an update....
Comment 5 Harald Reindl 2012-08-14 04:17:10 EDT
Is there any progress?

the daily mails because of netatalk are boring

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: 'Spanish' Rootkit                        [ Warning ]
         File '/bin/ad' found

----------------------- End Rootkit Hunter Scan -----------------------
Comment 6 Kevin Fenzi 2012-08-14 14:05:23 EDT
Can you try adding: 

RTKT_FILE_WHITELIST=/bin/ad

and see if that helps?
Comment 7 Harald Reindl 2012-08-14 16:52:55 EDT
thank you!
this does the trick
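The two fixes in this thread (comment 3's ALLOWHIDDENFILE entry that only lands when the .rpmnew is merged, and comment 6's RTKT_FILE_WHITELIST=/bin/ad) can be checked on a host before the next daily run. This is an added example, not code from the bug or the rkhunter package; the sample configs under a mktemp directory are constructed, and package_owned_unmodified assumes a standard rpm with -qf and -V.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an rkhunter.conf for the two
# whitelist entries discussed in this thread, flag an unmerged .rpmnew, and
# check (via rpm) that a path is package-owned before anyone whitelists it.

# 0 if CONF ($1) has an exact, uncommented KEY=VALUE ($2=$3) line.
has_entry() {
    grep -Fxq "$2=$3" "$1"
}

# Prints each missing item; returns the count of problems (0 = config is fine).
audit_rkhunter_conf() {
    conf=$1
    problems=0
    has_entry "$conf" ALLOWHIDDENFILE /usr/share/man/man5/.k5identity.5.gz ||
        { echo "missing: ALLOWHIDDENFILE for .k5identity.5.gz (krb5-libs)"; problems=$((problems + 1)); }
    has_entry "$conf" RTKT_FILE_WHITELIST /bin/ad ||
        { echo "missing: RTKT_FILE_WHITELIST=/bin/ad (netatalk)"; problems=$((problems + 1)); }
    if [ -e "$conf.rpmnew" ]; then
        echo "stale: $conf.rpmnew exists, so the packaged config was never applied"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Before whitelisting a flagged path, confirm a package owns it and rpm -V
# does not report it changed. 0 = owned and unmodified, 1 = not, 2 = no rpm.
package_owned_unmodified() {
    command -v rpm >/dev/null 2>&1 || return 2
    pkg=$(rpm -qf "$1" 2>/dev/null) || return 1
    rpm -V $pkg | grep -q " $1\$" && return 1   # unquoted: -qf may list several owners
    return 0
}

# Constructed sample configs: one complete, one like the reporter's test VM.
demo=$(mktemp -d)
cat > "$demo/rkhunter.conf" <<'EOF'
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
RTKT_FILE_WHITELIST=/bin/ad
EOF
printf '# unmerged config, nothing whitelisted\n' > "$demo/stale.conf"
: > "$demo/stale.conf.rpmnew"

audit_rkhunter_conf "$demo/rkhunter.conf" && echo "ok: $demo/rkhunter.conf"
audit_rkhunter_conf "$demo/stale.conf" || echo "$? problem(s) in $demo/stale.conf"
```

On a real host, run audit_rkhunter_conf against /etc/rkhunter.conf; a non-zero return is the reason the daily mail still carries the warnings.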
Comment 8 Kevin Fenzi 2012-08-15 15:59:07 EDT
ok. I pushed a fix to the config to rawhide. 

Will wait a while and see if we pick up a few more fixes before pushing to stable releases. 

Thanks.
Comment 9 Fedora Update System 2012-10-06 16:22:41 EDT
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18
Comment 10 Fedora Update System 2012-10-06 16:55:21 EDT
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17
Comment 11 Fedora Update System 2012-10-06 23:46:12 EDT
Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-12-20 10:27:44 EST
rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
