Bug 14542

Summary: rkhunter is not reading all files in /etc/rkhunter.d
Product: Mageia
Reporter: Bit Twister <bittwister2>
Component: RPM Packages
Assignee: Remco Rijnders <remco>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: dvgevers
Version: Cauldron
Keywords: 6sta2, Triaged
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard: MGA5TOO
Source RPM: rkhunter-1.4.6-1.mga7.src.rpm
CVE:
Status comment:
Attachments: mageia configuration changes

Description Bit Twister 2014-11-14 02:19:37 CET
Description of problem:

rkhunter is not reading all files in /etc/rkhunter.d
It appears to read the first file and no others.
# dir -A /etc/rkhunter.d
total 24
drwxr-xr-x   2 root root  4096 Nov 13 19:08 .
drwxr-xr-x 144 root root 12288 Nov 13 19:09 ..
-rw-r-----   1 root root  1057 Nov 11 18:02 mageia.conf
-rw-r-----   1 root root   637 Nov 11 18:02 my__rkhunter.conf


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. urpmi rkhunter
2. echo ALLOWHIDDENFILE=/etc/.updated > /etc/rkhunter.d]test.conf
3. chmod 640 /etc/rkhunter.d]test.conf
4. rkhunter --propupd
5. rm -f /var/log/rkhunter.log
6. rkhunter --skip-keypress -c
7. grep /etc/.updated /var/log/rkhunter.log

Test fails if you see Warning: Hidden file found: /etc/.updated: ASCII text
Test passes if you see  Info: Found file '/etc/.updated': it is whitelisted.

Workaround: append file(s) or link file to /etc/rkhunter.conf.local

In my case # ll /etc/rkhunter.conf.local
lrwxrwxrwx 1 root root 33 Nov 13 19:09 /etc/rkhunter.conf.local -> /etc/rkhunter.d/my__rkhunter.conf

# cat /etc/rkhunter.conf.local
#*********** start of /etc/rkhunter.d/my__rkhunter.conf ******
#*
#* created by /local/bin/rkhunter_changes Tue 11 Nov 18:02 2014
#*
#* If you change this file be sure to run
#*    rkhunter --propupd ;rkhunter --skip-keypress -C
#* and retest system with  rkhunter --skip-keypress -c
#*
#*************************************************************

MAIL-ON-WARNING=\"root@$(/bin/hostname --fqdn)\"

ALLOWHIDDENFILE=/etc/.updated
ALLOW_SSH_Protocol=2
XINETD_ALLOWED_SVC=/etc/xinetd.d/saned
SHOW_SUMMARY_WARNINGS_NUMBER=1

#*********** end of /etc/rkhunter.d/my__rkhunter.conf ****************
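
Added example, not part of the original report: a POSIX shell check that extends the reporter's step 7 to every ALLOWHIDDENFILE entry under the drop-in directory, using the two log messages quoted above as the pass/fail signals. The function names and the sample files in rkh_demo are constructed for illustration, and it assumes unquoted ALLOWHIDDENFILE=<path> lines.

```shell
#!/bin/sh
# Added example (not from the bug report): report which ALLOWHIDDENFILE
# entries in the drop-in *.conf files were honoured by the last scan.

# rkh_verdict LOG PATH -> prints PASS, FAIL or UNKNOWN (status 0, 1 or 2)
rkh_verdict() {
    if grep -Fq "Warning: Hidden file found: $2:" "$1" 2>/dev/null; then
        echo FAIL; return 1
    elif grep -Fq "Info: Found file '$2': it is whitelisted." "$1" 2>/dev/null; then
        echo PASS; return 0
    fi
    echo UNKNOWN; return 2
}

# rkh_audit_dropins CONFDIR LOG -> one "VERDICT FILE PATH" line per entry;
# returns 1 if any entry was not confirmed as whitelisted in the log.
rkh_audit_dropins() {
    report=$(
        for f in "$1"/*.conf; do
            [ -f "$f" ] || continue
            # Uncommented ALLOWHIDDENFILE=<path> lines only (assumed unquoted)
            sed -n 's/^[[:space:]]*ALLOWHIDDENFILE=//p' "$f" |
            while IFS= read -r p; do
                v=$(rkh_verdict "$2" "$p") || :
                printf '%s %s %s\n' "$v" "$f" "$p"
            done
        done
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -qv '^PASS '; then return 1; fi
    return 0
}

# Constructed sample: two drop-ins and a log in which only the first was read.
rkh_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/rkhunter.d"
    echo 'ALLOWHIDDENFILE=/etc/.first' > "$d/rkhunter.d/a.conf"
    echo 'ALLOWHIDDENFILE=/etc/.updated' > "$d/rkhunter.d/test.conf"
    printf '%s\n' \
        "[12:00:01] Info: Found file '/etc/.first': it is whitelisted." \
        "[12:00:01] Warning: Hidden file found: /etc/.updated: ASCII text" \
        > "$d/rkhunter.log"
    rc=0; rkh_audit_dropins "$d/rkhunter.d" "$d/rkhunter.log" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real system, run `rkh_audit_dropins /etc/rkhunter.d /var/log/rkhunter.log` as root after step 6; a FAIL line names the drop-in file whose entry the scan ignored.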


Comment 1 Dick Gevers 2014-11-14 04:22:42 CET
Could you please verify that the character ' ] ' was not really used in steps 2 and 3 as you described?

Perhaps rkhunter is bad at reading the file with the underscores in the name: could you try changing the name my__rkhunter.conf to, for example, myrkhunter.conf ?

When you do, obviously any other file quoting its name would need adjusting and the command " rkhunter --propupd" should be run before trying again. Please advise results.

Keywords: (none) => NEEDINFO
CC: (none) => dvgevers

Dick Gevers 2014-11-14 04:23:34 CET

Whiteboard: (none) => 5beta1

Comment 2 Bit Twister 2014-11-14 07:15:48 CET
(In reply to Dick Gevers from comment #1)
> Could you please verify that the character ' ] ' was not really used in
> steps 2 and 3 as you described?

Oh, frap. That is a typo. Sorry.

> Perhaps rkhunter is bad at reading the file with the underscores in the
> name: could you try changing the name my__rkhunter.conf to, for example,
> myrkhunter.conf ?

Yes, I had the same thought and tried a short link to my__rkhunter.conf.
Then I thought maybe name was too long, so tried
# dir -A /etc/rkhunter.d
total 28
drwxr-xr-x   2 root root  4096 Nov 13 23:53 .
drwxr-xr-x 144 root root 12288 Nov 13 23:50 ..
-rw-r-----   1 root root  1057 Nov 11 18:02 mageia.conf
-rw-r-----   1 root root   637 Nov 13 23:53 my.conf


> When you do, obviously any other file quoting its name would need adjusting
> and the command " rkhunter --propupd" should be run before trying again.
> Please advise results.

Yup, ran steps 4 through 7 and still have the problem.

Oh, by the way, do you think I need to open a separate bug for this error:

    Checking if SSH protocol v1 is allowed                   [ Not set ]
Error: Invalid display - keyword cannot be found: Display line: display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL
    Checking for a running system logging daemon             [ Not found ]

Comment 3 Dick Gevers 2014-11-14 07:57:39 CET
In reply to your comment #2:

You should see my remarks as help on the path to solution, like triage, I can't solve it myself.

> do ... I need to open a separate bug for...

Yes, I suppose it's best, since obviously it is a different problem, but with the same package (but I have no idea what causes it).

Keywords: NEEDINFO => (none)

Manuel Hiebel 2014-11-14 22:36:39 CET

Keywords: (none) => Triaged
Assignee: bugsquad => remco

Comment 4 Bit Twister 2015-04-29 13:29:40 CEST
reading /etc/rkhunter.d directory problem is fixed in the rkhunter-1.4.2 release.
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG

I pulled the Mageia changes out of /etc/rkhunter.conf into
/etc/rkhunter.d/mageia.conf and had to exclude linked /sbin and /bin directories.

Comment 5 Bit Twister 2015-04-29 13:37:07 CEST
Created attachment 6396
mageia configuration changes

Bit Twister 2015-04-30 10:52:15 CEST

Whiteboard: 5beta1 => 5RC

Samuel Verschelde 2015-06-02 10:47:22 CEST

Whiteboard: 5RC => MGA5TOO

Bit Twister 2017-02-01 01:22:19 CET

Summary: 5b1: rkhunter is not reading all files in /etc/rkhunter.d => rkhunter is not reading all files in /etc/rkhunter.d

Bit Twister 2017-02-01 01:25:24 CET

Keywords: (none) => 6sta2
Source RPM: rkhunter-1.4.0-7.mga5.src.rpm => rkhunter-1.4.0-9.mga6.src.rpm

Comment 6 Bit Twister 2018-09-08 11:41:08 CEST
new release passes my test.

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Source RPM: rkhunter-1.4.0-9.mga6.src.rpm => rkhunter-1.4.6-1.mga7.src.rpm