Bug 849251 - FreeIPA, rkhunter & "unknown rootkit"
FreeIPA, rkhunter & "unknown rootkit"
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rkhunter (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Kevin Fenzi
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-17 15:58 EDT by Anthony Messina
Modified: 2012-11-27 11:03 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-11-27 11:03:42 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2012-08-17 15:58:34 EDT
I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
well.  I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
server and each morning I receive the following report from rkhunter.

I imagine/hope that these are not actual rootkits and was wondering if
anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind"
these as they seem like they would be a normal part of the IPA/CA process.

By the way, UID 995 is the pkiuser on my IPA system.

The temporary solution was to add the following to rkhunter.conf:
# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST="/var/log/pki-ca/system"

E-mail thread here:
https://www.redhat.com/archives/freeipa-users/2012-July/msg00183.html
https://www.redhat.com/archives/freeipa-users/2012-August/msg00146.html

rkhunter warning output follows:

Warning: The following processes are using suspicious files:
         Command: java
           UID: 995    PID: 1513
           Pathname: /var/log/pki-ca/system
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1518    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1523    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1524    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1525    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1526    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1527    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1528    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1529    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1530    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1531    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1540    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1541    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1557    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1558    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1559    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1560    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1561    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1628    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1629    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1636    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1638    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1641    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1643    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1646    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1648    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1651    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1653    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1654    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1655    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1658    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1660    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1662    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1663    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1664    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1665    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1666    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1667    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1668    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1670    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1671    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1672    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1673    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1674    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1675    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1676    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1677    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1678    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1679    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1680    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2254    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2255    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2256    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2257    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2418    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2419    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2420    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 2421    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit
Comment 1 Kevin Fenzi 2012-08-18 16:20:31 EDT
/var/log/pki-ca/system seems like a kinda a poor name for logs, but ok. 

I can add the whitelist and ask upstream about merging it in. 

Thanks for the report.
Comment 2 Fedora Update System 2012-10-06 16:22:34 EDT
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18
Comment 3 Fedora Update System 2012-10-06 16:55:16 EDT
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17
Comment 4 Fedora Update System 2012-10-06 23:46:05 EDT
Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).
Comment 5 Anthony Messina 2012-11-27 11:03:42 EST
I confirm this is fixed and can be closed.

Note You need to log in before you can comment on or make changes to this bug.