994706 – rkhunter needs to correctly handle unhide output

Bug 994706 - rkhunter needs to correctly handle unhide output

Summary: rkhunter needs to correctly handle unhide output

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rkhunter
Sub Component:
Version:	19
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Kevin Fenzi
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-07 19:58 UTC by Scott Shambarger
Modified:	2014-11-07 02:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:	rkhunter-1.4.2-5.fc19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-03-15 15:01:40 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Scott Shambarger 2013-08-07 19:58:37 UTC

Description of problem:
rkhunter incorrectly reports hidden processes when none exist.

Version-Release number of selected component (if applicable):
rkhunter-1.4.0-6.fc19

How reproducible:
Whenever the c-version of unhide is used

Steps to Reproduce:
1. install rkhunter with default configuration
2. run rkhunter --propupd to initialize system
3. run rkhunter --cronjob --nocolors --report-warnings-only (as the cronjob does)
4. see warnings about hidden processes

Actual results:
Warnings about hidden processes

Expected results:
No warnings displayed when no hidden processes present.

Additional info:
The problem appears to be in a newer version of unhide.

F18 had unhide 20100201, which output a report header like:
---
Unhide 20100201
http://www.security-projects.com/?Unhide
---

F19 has unhide 20121229, and has the following header:
---
Unhide 20121229
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6 

---

rkhunter's output filter for the unhide command doesn't filter the additional lines, and incorrectly thinks unhide is reporting hidden processes.

The correct behavior is probably to update the egrep -v pattern in /usr/bin/rkhunter, and also only report the warning of hidden processes if the unhide command returns 1 (as documented, at least for the newer version of unhide).

Comment 1 Kevin Fenzi 2013-08-18 16:33:53 UTC

This is: 
http://sourceforge.net/p/rkhunter/bugs/97/
upsteam. 

I'll look for a fix. 

Thanks for the report.

Comment 2 Kevin Fenzi 2014-03-13 19:53:27 UTC

Can you test this scratch build and confirm this is fixed: 

http://koji.fedoraproject.org/koji/taskinfo?taskID=6630812

Comment 3 Mukundan Ragavan 2014-03-14 03:20:30 UTC

This might have been fixed too. (only relevant output posted)

# grep hidden /var/log/rkhunter/rkhunter.log

[21:50:33] Info: Starting test name 'hidden_procs'
[21:53:07]   Checking for hidden processes                   [ None found ]

# rkhunter -V
Rootkit Hunter 1.4.2

Comment 4 Scott Shambarger 2014-03-14 04:14:44 UTC

Installed 1.4.2, C version of unhide now works correctly.

Before (1.4.0):

[20:26:16] Info: Starting test name 'hidden_procs'
[20:26:16] Info: Found the 'unhide' command: /sbin/unhide
[20:26:16] Info: Found 'unhide' command version: 20130526
[20:26:30]     Using command 'unhide sys'                    [ Warning ]
[20:26:30] Info: Found the 'unhide.rb' command: /sbin/unhide.rb
[20:26:30]     Using command 'unhide.rb'                     [ None found ]
[20:26:30]   Checking for hidden processes                   [ Warning ]
[20:26:30] Warning: Hidden processes found:
[20:26:30]          Copyright © 2013 Yago Jesus & Patrick Gouin
[20:26:30]          License GPLv3+ : GNU GPL version 3 or later
[20:26:30]          NOTE : This version of unhide is for systems using Linux >= 
2.6 
[20:26:30]          Used options: 

After (1.4.2):

[20:57:13] Info: Starting test name 'hidden_procs'
[20:57:13] Info: Found the 'unhide' command: /sbin/unhide
[20:57:13] Info: Found 'unhide' command version: 20130526
[20:57:29]     Using command '/sbin/unhide  sys'             [ None found ]
[20:57:29]   Checking for hidden processes                   [ None found ]

New version handles the new unhide output correctly :)

... did notice that unhide.rb is not searched for a used even though DISABLE_UNHIDE is set to the default '0' and from the config file text: "By default rkhunter will look for both programs, and execute each of them as they are found"

Might be a new bug though... this one looks fixed!

Comment 5 Fedora Update System 2014-03-14 16:41:13 UTC

rkhunter-1.4.2-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc20

Comment 6 Fedora Update System 2014-03-14 16:43:34 UTC

rkhunter-1.4.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.fc19

Comment 7 Fedora Update System 2014-03-14 16:53:00 UTC

rkhunter-1.4.2-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-1.el6

Comment 8 Fedora Update System 2014-03-15 15:01:40 UTC

rkhunter-1.4.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-03-30 18:47:22 UTC

rkhunter-1.4.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-10-27 15:57:49 UTC

rkhunter-1.4.2-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rkhunter-1.4.2-5.fc19

Comment 11 Fedora Update System 2014-11-07 02:40:01 UTC

rkhunter-1.4.2-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.