Bug 994567 - FreeIPA v3, rkhunter & "unknown rootkit"
Summary: FreeIPA v3, rkhunter & "unknown rootkit"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-07 13:58 UTC by Anthony Messina
Modified: 2014-04-09 00:55 UTC (History)

Fixed In Version: rkhunter-1.4.2-2.fc20
Clone Of:
Environment:
Last Closed: 2014-04-09 00:55:29 UTC
Type: Bug
Embargoed:


Links:
Red Hat Bugzilla 849251 (priority unspecified, status CLOSED): FreeIPA, rkhunter & "unknown rootkit" (last updated 2021-02-22 00:41:40 UTC)

Description Anthony Messina 2013-08-07 13:58:23 UTC
This bug is identical to Bug 849251, but the file names have changed.  In newer versions of FreeIPA (v3.x), the path has changed to "/var/log/pki/pki-tomcat/ca/system".

The following would be the whitelist fix for the default rkhunter file:

EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system

Comment 1 Kevin Fenzi 2013-08-07 15:47:46 UTC
ok, and to be clear, this affects Fedora 19 and higher only?

Comment 2 Anthony Messina 2013-08-07 15:53:09 UTC
I can't be certain of the restriction to F19.  I think it affects versions of FreeIPA of 3.x (so F18, too), but I don't have an example.  I believe it might be a factor of the change to Dogtag 10.

I can also say that there needs to be something like the following as well:
# created by FreeIPA/389 DS
ALLOWDEVFILE=/dev/shm/sem.slapd-WHATEVER-COM.stats

As this file is created by 389-ds-base, this need for ALLOWDEVFILE occurs in F17-F19.

Comment 3 Kevin Fenzi 2013-09-01 18:56:46 UTC
Sorry for the long delay here. 

Is this "WHATEVER-COM" a variable, or is that really literally "WHATEVER-COM"?

Comment 4 Anthony Messina 2013-09-01 19:17:30 UTC
(In reply to Kevin Fenzi from comment #3)
> Sorry for the long delay here. 
> 
> Is this "WHATEVER-COM" a variable, or is that really literally "WHATEVER-COM"?

No problem...

It is not literally "WHATEVER-COM".  It is the Kerberos domain of the FreeIPA instance with dots translated to dashes.  So it could be

ALLOWDEVFILE=/dev/shm/sem.slapd-SUBSUBSUBDOMAIN-SUBSUBDOMAIN-SUBDOMAIN-SLD-TLD.stats

Comment 5 Kevin Fenzi 2013-09-01 19:20:08 UTC
ok, so: 

ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 

?

Comment 6 Anthony Messina 2013-09-01 19:26:40 UTC
(In reply to Kevin Fenzi from comment #5)
> ok, so: 
> 
> ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats 
> 
> ?

I believe so. Also, this is the case for all 389 DS instances, not just FreeIPA, if that's of any importance to you.  Basically, the '*' portion is named after the instance name in /etc/dirsrv.

Comment 7 Anthony Messina 2014-03-18 14:44:27 UTC
The following works for F20, on systems with both FreeIPA (including 389 DS) as well as systems with standalone 389 DS:

# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# FreeIPA Certificate Authority
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
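
As an added example (not code from this bug thread, from rkhunter or from FreeIPA), the following Python script derives the 389 DS stats semaphore name from a Kerberos realm the way comment 4 describes (dots translated to dashes) and checks candidate paths against the three whitelist directives from comment 7 using shell-style glob matching. The sample configuration text, the realm EXAMPLE.COM and the helper names are constructed for the example; whether rkhunter itself expands wildcards in a given directive should be confirmed against the rkhunter.conf documentation of the installed version before relying on a pattern.

```python
"""Check whether candidate paths are covered by rkhunter-style whitelist directives.

Constructed example for the FreeIPA / 389 DS whitelist entries discussed in this bug.
"""
import fnmatch

# Constructed sample: only the three directives from the bug, not a full rkhunter.conf.
SAMPLE_CONF = """\
# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# FreeIPA Certificate Authority
EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
"""

WHITELIST_KEYS = ("ALLOWDEVFILE", "EXISTWHITELIST", "RTKT_FILE_WHITELIST")


def parse_whitelists(text):
    """Return {directive: [pattern, ...]} for the whitelist directives found in text.

    Comment and blank lines are skipped; a directive may appear more than once,
    and each occurrence is assumed to carry a single path or glob pattern.
    """
    result = {key: [] for key in WHITELIST_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in result:
            result[key].append(value.strip().strip('"'))
    return result


def ds_semaphore_path(realm):
    """Expected 389 DS stats semaphore for a FreeIPA instance with Kerberos realm `realm`.

    Assumption (from comment 4): the instance name is the realm with dots replaced by
    dashes, so realm EXAMPLE.COM gives /dev/shm/sem.slapd-EXAMPLE-COM.stats.
    """
    instance = realm.replace(".", "-")
    return f"/dev/shm/sem.slapd-{instance}.stats"


def is_whitelisted(path, patterns):
    """True if `path` matches any of `patterns` under case-sensitive shell globbing."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def coverage_report(conf_text, candidates):
    """Map each (directive, path) pair to whether the configuration whitelists it.

    `candidates` is an iterable of (directive, path) pairs to check.
    """
    whitelists = parse_whitelists(conf_text)
    return {(directive, path): is_whitelisted(path, whitelists[directive])
            for directive, path in candidates}


if __name__ == "__main__":
    # Constructed realm; on a real host take it from /etc/ipa/default.conf or /etc/dirsrv.
    checks = [
        ("ALLOWDEVFILE", ds_semaphore_path("EXAMPLE.COM")),
        ("EXISTWHITELIST", "/var/log/pki/pki-tomcat/ca/system"),
        ("RTKT_FILE_WHITELIST", "/var/log/pki/pki-tomcat/ca/system"),
    ]
    for (directive, path), covered in coverage_report(SAMPLE_CONF, checks).items():
        print(f"{directive:20} {path}: {'whitelisted' if covered else 'NOT whitelisted'}")
```

Running the script against the real rkhunter.conf and the real instance name (the slapd-<INSTANCE> directory under /etc/dirsrv) tells you before the next scan whether the semaphore and the CA log path will still be reported as an "unknown rootkit"; a path that comes back as NOT whitelisted should be added only after confirming it belongs to 389 DS or the FreeIPA CA on that host.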

Comment 8 Fedora Update System 2014-04-06 18:03:09 UTC
rkhunter-1.4.2-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-2.fc20

Comment 9 Fedora Update System 2014-04-09 00:55:29 UTC
rkhunter-1.4.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.