Description of problem:
rkhunter incorrectly reports hidden processes when none exist.
Version-Release number of selected component (if applicable):
Whenever the c-version of unhide is used
Steps to Reproduce:
1. install rkhunter with default configuration
2. run rkhunter --propupd to initialize system
3. run rkhunter --cronjob --nocolors --report-warnings-only (as the cronjob does)
4. see warnings about hidden processes
Warnings about hidden processes
No warnings displayed when no hidden processes present.
The problem appears to be in a newer version of unhide.
F18 had unhide 20100201, which output a report header like:
F19 has unhide 20121229, and has the following header:
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
NOTE : This version of unhide is for systems using Linux >= 2.6
rkhunter's output filter for the unhide command doesn't filter the additional lines, and incorrectly thinks unhide is reporting hidden processes.
The correct behavior is probably to update the egrep -v pattern in /usr/bin/rkhunter, and also only report the warning of hidden processes if the unhide command returns 1 (as documented, at least for the newer version of unhide).
I'll look for a fix.
Thanks for the report.
Can you test this scratch build and confirm this is fixed:
This might have been fixed too. (only relevant output posted)
# grep hidden /var/log/rkhunter/rkhunter.log
[21:50:33] Info: Starting test name 'hidden_procs'
[21:53:07] Checking for hidden processes [ None found ]
# rkhunter -V
Rootkit Hunter 1.4.2
Installed 1.4.2, C version of unhide now works correctly.
[20:26:16] Info: Starting test name 'hidden_procs'
[20:26:16] Info: Found the 'unhide' command: /sbin/unhide
[20:26:16] Info: Found 'unhide' command version: 20130526
[20:26:30] Using command 'unhide sys' [ Warning ]
[20:26:30] Info: Found the 'unhide.rb' command: /sbin/unhide.rb
[20:26:30] Using command 'unhide.rb' [ None found ]
[20:26:30] Checking for hidden processes [ Warning ]
[20:26:30] Warning: Hidden processes found:
[20:26:30] Copyright © 2013 Yago Jesus & Patrick Gouin
[20:26:30] License GPLv3+ : GNU GPL version 3 or later
[20:26:30] NOTE : This version of unhide is for systems using Linux >=
[20:26:30] Used options:
[20:57:13] Info: Starting test name 'hidden_procs'
[20:57:13] Info: Found the 'unhide' command: /sbin/unhide
[20:57:13] Info: Found 'unhide' command version: 20130526
[20:57:29] Using command '/sbin/unhide sys' [ None found ]
[20:57:29] Checking for hidden processes [ None found ]
New version handles the new unhide output correctly :)
... did notice that unhide.rb is not searched for a used even though DISABLE_UNHIDE is set to the default '0' and from the config file text: "By default rkhunter will look for both programs, and execute each of them as they are found"
Might be a new bug though... this one looks fixed!
rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20.
rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19.
rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6.
rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19.
rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.