Bug 994567 - FreeIPA v3, rkhunter & "unknown rootkit"
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rkhunter
Assigned To: Kevin Fenzi
Reported: 2013-08-07 09:58 EDT by Anthony Messina
Modified: 2014-04-08 20:55 EDT (History)
Fixed In Version: rkhunter-1.4.2-2.fc20
Doc Type: Bug Fix
Last Closed: 2014-04-08 20:55:29 EDT
Type: Bug
Description Anthony Messina 2013-08-07 09:58:23 EDT
This bug is identical to Bug 849251, but the file names have changed. In newer versions of FreeIPA (v3.x), the path has changed to "/var/log/pki/pki-tomcat/ca/system".

The following would be the whitelist fix for the default rkhunter file:

EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
Comment 1 Kevin Fenzi 2013-08-07 11:47:46 EDT
ok, and to be clear this affects fedora 19 and higher only?
Comment 2 Anthony Messina 2013-08-07 11:53:09 EDT
I can't be certain of the restriction to F19. I think it affects the 3.x versions of FreeIPA (so F18, too), but I don't have an example. I believe it might be a factor of the change to Dogtag 10.

I can also say that there needs to be something like the following as well:
# created by FreeIPA/389 DS
ALLOWDEVFILE=/dev/shm/sem.slapd-WHATEVER-COM.stats

As this file is created by 389-ds-base, this need for ALLOWDEVFILE occurs in F17-F19.
Comment 3 Kevin Fenzi 2013-09-01 14:56:46 EDT
Sorry for the long delay here. 

Is this "WHATEVER-COM" a variable, or is it really literally "WHATEVER-COM"?
Comment 4 Anthony Messina 2013-09-01 15:17:30 EDT
(In reply to Kevin Fenzi from comment #3)
> Sorry for the long delay here. 
> 
> Is this "WHATEVER-COM" a variable, or is it really literally "WHATEVER-COM"?

No problem...

It is not literally "WHATEVER-COM".  It is the Kerberos domain of the FreeIPA instance with dots translated to dashes.  So it could be

ALLOWDEVFILE=/dev/shm/sem.slapd-SUBSUBSUBDOMAIN-SUBSUBDOMAIN-SUBDOMAIN-SLD-TLD.stats
Comment 5 Kevin Fenzi 2013-09-01 15:20:08 EDT
ok, so: 

ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 

?
Comment 6 Anthony Messina 2013-09-01 15:26:40 EDT
(In reply to Kevin Fenzi from comment #5)
> ok, so: 
> 
> ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 
> 
> ?

I believe so. Also, this is the case for all 389 DS instances, not just FreeIPA, if that's of any importance to you.  Basically, the '*' portion is named after the instance name in /etc/dirsrv.
Comment 7 Anthony Messina 2014-03-18 10:44:27 EDT
The following works for F20, on systems with both FreeIPA (including 389 DS) as well as systems with standalone 389 DS:

# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# FreeIPA Certificate Authority
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
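As an added example (not from the bug report, the rkhunter package or 389 DS), the following POSIX shell helper turns comment 6's observation that the '*' portion is the instance name under /etc/dirsrv into exact per-instance ALLOWDEVFILE lines, which is a narrower whitelist than the sem.slapd-*.stats glob adopted in comment 7, and checks whether an rkhunter.conf already covers a given path. The directory argument, the conf path and the instance names used for testing are assumptions, not values from this bug.

```shell
#!/bin/sh
# Added example, not part of the bug report or of rkhunter itself.
# 389 DS creates one POSIX semaphore per instance:
#   /dev/shm/sem.<instance>.stats, where <instance> is the directory name
#   under /etc/dirsrv (e.g. slapd-EXAMPLE-COM for the realm EXAMPLE.COM;
#   EXAMPLE.COM is a constructed name).
# Enumerating instances yields exact ALLOWDEVFILE entries, a narrower
# whitelist than ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats.

# Print one ALLOWDEVFILE line per 389 DS instance found under $1
# (defaults to /etc/dirsrv). Returns 1 if the directory does not exist.
rkhunter_dirsrv_allowdev() {
    dirsrv_etc="${1:-/etc/dirsrv}"
    [ -d "$dirsrv_etc" ] || return 1
    for inst_dir in "$dirsrv_etc"/slapd-*; do
        [ -d "$inst_dir" ] || continue   # skips plain files and an unmatched glob
        inst=$(basename "$inst_dir")
        printf 'ALLOWDEVFILE=/dev/shm/sem.%s.stats\n' "$inst"
    done
}

# Return 0 if rkhunter.conf ($1) already has an ALLOWDEVFILE entry that
# covers path $2, either literally or through a shell-style wildcard
# such as the sem.slapd-*.stats glob; return 1 otherwise.
rkhunter_allowdev_covers() {
    conf="$1"
    path="$2"
    [ -r "$conf" ] || return 1
    grep -E '^ALLOWDEVFILE=' "$conf" | sed 's/^ALLOWDEVFILE=//' | {
        while IFS= read -r pattern; do
            # An unquoted $pattern in a case label is matched as a glob.
            case "$path" in
                $pattern) exit 0 ;;
            esac
        done
        exit 1
    }
}

# Typical use on a host (left commented so sourcing this file has no side effects):
#   rkhunter_dirsrv_allowdev | while IFS= read -r line; do
#       rkhunter_allowdev_covers /etc/rkhunter.conf "${line#ALLOWDEVFILE=}" \
#           || echo "$line" >> /etc/rkhunter.conf
#   done
```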
Comment 8 Fedora Update System 2014-04-06 14:03:09 EDT
rkhunter-1.4.2-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-2.fc20
Comment 9 Fedora Update System 2014-04-08 20:55:29 EDT
rkhunter-1.4.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
