Description of problem: rkhunter incorrectly reports hidden processes when none exist. Version-Release number of selected component (if applicable): rkhunter-1.4.0-6.fc19 How reproducible: Whenever the c-version of unhide is used Steps to Reproduce: 1. install rkhunter with default configuration 2. run rkhunter --propupd to initialize system 3. run rkhunter --cronjob --nocolors --report-warnings-only (as the cronjob does) 4. see warnings about hidden processes Actual results: Warnings about hidden processes Expected results: No warnings displayed when no hidden processes present. Additional info: The problem appears to be in a newer version of unhide. F18 had unhide 20100201, which output a report header like: --- Unhide 20100201 http://www.security-projects.com/?Unhide --- F19 has unhide 20121229, and has the following header: --- Unhide 20121229 Copyright © 2012 Yago Jesus & Patrick Gouin License GPLv3+ : GNU GPL version 3 or later http://www.unhide-forensics.info NOTE : This version of unhide is for systems using Linux >= 2.6 --- rkhunter's output filter for the unhide command doesn't filter the additional lines, and incorrectly thinks unhide is reporting hidden processes. The correct behavior is probably to update the egrep -v pattern in /usr/bin/rkhunter, and also only report the warning of hidden processes if the unhide command returns 1 (as documented, at least for the newer version of unhide).
This is: http://sourceforge.net/p/rkhunter/bugs/97/ upsteam. I'll look for a fix. Thanks for the report.
Can you test this scratch build and confirm this is fixed: http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812
This might have been fixed too. (only relevant output posted) # grep hidden /var/log/rkhunter/rkhunter.log [21:50:33] Info: Starting test name 'hidden_procs' [21:53:07] Checking for hidden processes [ None found ] # rkhunter -V Rootkit Hunter 1.4.2
Installed 1.4.2, C version of unhide now works correctly. Before (1.4.0): [20:26:16] Info: Starting test name 'hidden_procs' [20:26:16] Info: Found the 'unhide' command: /sbin/unhide [20:26:16] Info: Found 'unhide' command version: 20130526 [20:26:30] Using command 'unhide sys' [ Warning ] [20:26:30] Info: Found the 'unhide.rb' command: /sbin/unhide.rb [20:26:30] Using command 'unhide.rb' [ None found ] [20:26:30] Checking for hidden processes [ Warning ] [20:26:30] Warning: Hidden processes found: [20:26:30] Copyright © 2013 Yago Jesus & Patrick Gouin [20:26:30] License GPLv3+ : GNU GPL version 3 or later [20:26:30] NOTE : This version of unhide is for systems using Linux >= 2.6 [20:26:30] Used options: After (1.4.2): [20:57:13] Info: Starting test name 'hidden_procs' [20:57:13] Info: Found the 'unhide' command: /sbin/unhide [20:57:13] Info: Found 'unhide' command version: 20130526 [20:57:29] Using command '/sbin/unhide sys' [ None found ] [20:57:29] Checking for hidden processes [ None found ] New version handles the new unhide output correctly :) ... did notice that unhide.rb is not searched for a used even though DISABLE_UNHIDE is set to the default '0' and from the config file text: "By default rkhunter will look for both programs, and execute each of them as they are found" Might be a new bug though... this one looks fixed!
rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc20
rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc19
rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.el6
rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19
rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.