Description of problem:
rkhunter is not reading all files in /etc/rkhunter.d
It appears to read the first file and no others.

# dir -A /etc/rkhunter.d
total 24
drwxr-xr-x 2 root root 4096 Nov 13 19:08 .
drwxr-xr-x 144 root root 12288 Nov 13 19:09 ..
-rw-r----- 1 root root 1057 Nov 11 18:02 mageia.conf
-rw-r----- 1 root root 637 Nov 11 18:02 my__rkhunter.conf

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. urpmi rkhunter
2. echo ALLOWHIDDENFILE=/etc/.updated > /etc/rkhunter.d]test.conf
3. chmod 640 /etc/rkhunter.d]test.conf
4. rkhunter --propupd
5. rm -f /var/log/rkhunter.log
6. rkhunter --skip-keypress -c
7. grep /etc/.updated /var/log/rkhunter.log

Test fails if you see
Warning: Hidden file found: /etc/.updated: ASCII text

Test passes if you see
Info: Found file '/etc/.updated': it is whitelisted.

Workaround: append file(s) or link file to /etc/rkhunter.conf.local

In my case
# ll /etc/rkhunter.conf.local
lrwxrwxrwx 1 root root 33 Nov 13 19:09 /etc/rkhunter.conf.local -> /etc/rkhunter.d/my__rkhunter.conf

# cat /etc/rkhunter.conf.local
#*********** start of /etc/rkhunter.d/my__rkhunter.conf ******
#*
#* created by /local/bin/rkhunter_changes Tue 11 Nov 18:02 2014
#*
#* If you change this file be sure to run
#* rkhunter --propupd ;rkhunter --skip-keypress -C
#* and retest system with rkhunter --skip-keypress -c
#*
#*************************************************************
MAIL-ON-WARNING=\"root@$(/bin/hostname --fqdn)\"
ALLOWHIDDENFILE=/etc/.updated
ALLOW_SSH_Protocol=2
XINETD_ALLOWED_SVC=/etc/xinetd.d/saned
SHOW_SUMMARY_WARNINGS_NUMBER=1
#*********** end of /etc/rkhunter.d/my__rkhunter.conf ****************
Could you please verify that the character ' ] ' was not really used in steps 2 and 3 as you described?

Perhaps rkhunter is bad at reading the file with the underscores in the name: could you try changing the name my__rkhunter.conf to, for example, myrkhunter.conf ?

When you do, obviously any other file quoting its name would need adjusting and the command " rkhunter --propupd" should be run before trying again.

Please advise results.
Keywords: (none) => NEEDINFO
CC: (none) => dvgevers
Whiteboard: (none) => 5beta1
(In reply to Dick Gevers from comment #1)
> Could you please verify that the character ' ] ' was not really used in
> steps 2 and 3 as you described?

Oh, frap. That is a typo. Sorry.

> Perhaps rkhunter is bad at reading the file with the underscores in the
> name: could you try changing the name my__rkhunter.conf to, for example,
> myrkhunter.conf ?

Yes, I had the same thought and tried a short link to my__rkhunter.conf.
Then I thought maybe name was too long, so tried

# dir -A /etc/rkhunter.d
total 28
drwxr-xr-x 2 root root 4096 Nov 13 23:53 .
drwxr-xr-x 144 root root 12288 Nov 13 23:50 ..
-rw-r----- 1 root root 1057 Nov 11 18:02 mageia.conf
-rw-r----- 1 root root 637 Nov 13 23:53 my.conf

> When you do, obviously any other file quoting its name would need adjusting
> and the command " rkhunter --propupd" should be run before trying again.
> Please advise results.

Yup, ran steps 4 through 7 and still have the problem.

Oh, by the way, do you think I need to open a separate bug for this error:

Checking if SSH protocol v1 is allowed [ Not set ]
Error: Invalid display - keyword cannot be found: Display line: display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG_SYSTEMD_JOURNAL
Checking for a running system logging daemon [ Not found ]
In reply to your comment #2: You should see my remarks as help on the path to solution, like triage, I can't solve it myself.

> do ... I need to open a separate bug for...

Yes, I suppose it's best, since obviously it is a different problem, but with the same package (but I have no idea what causes it).
Keywords: NEEDINFO => (none)
Keywords: (none) => Triaged
Assignee: bugsquad => remco
The reading /etc/rkhunter.d directory problem is fixed in the rkhunter-1.4.2 release.
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG

I pulled the Mageia changes out of /etc/rkhunter.conf into /etc/rkhunter.d/mageia.conf and had to exclude linked /sbin and /bin directories.
Created attachment 6396
mageia configuration changes
Whiteboard: 5beta1 => 5RC
Whiteboard: 5RC => MGA5TOO
Summary: 5b1: rkhunter is not reading all files in /etc/rkhunter.d => rkhunter is not reading all files in /etc/rkhunter.d
Keywords: (none) => 6sta2
Source RPM: rkhunter-1.4.0-7.mga5.src.rpm => rkhunter-1.4.0-9.mga6.src.rpm
New release passes my test.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Source RPM: rkhunter-1.4.0-9.mga6.src.rpm => rkhunter-1.4.6-1.mga7.src.rpm
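
The reporter's pass/fail check from the description, generalized from /etc/.updated to every ALLOWHIDDENFILE entry in every drop-in file, so the log shows which files under /etc/rkhunter.d were actually read. This is an added example, not part of the bug report or of rkhunter: the function names check_dropins and demo are hypothetical, it assumes one path per ALLOWHIDDENFILE line and the two log messages quoted in the description, and the demo's /etc/.first entry, timestamps and temporary paths are constructed.

```shell
#!/bin/sh
# Added example (not rkhunter code). For each ALLOWHIDDENFILE entry in each
# drop-in file, report whether the rkhunter log shows it was honoured.
# Usage:  check_dropins CONF_DIR LOG_FILE
# Output: "<conf file> <path> <READ|IGNORED|UNKNOWN>", one line per entry.
check_dropins() {
    conf_dir=$1
    log=$2
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Value of every uncommented ALLOWHIDDENFILE= line, whitespace trimmed.
        # Assumption: one path per line, as in the report.
        sed -n 's/^[[:space:]]*ALLOWHIDDENFILE=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
        while IFS= read -r path; do
            if grep -qF "Found file '$path': it is whitelisted" "$log"; then
                status=READ      # whitelist entry reached the hidden-file check
            elif grep -qF "Hidden file found: $path:" "$log"; then
                status=IGNORED   # file exists, but the drop-in was not applied
            else
                status=UNKNOWN   # path absent on disk, or check not run
            fi
            printf '%s %s %s\n' "${conf##*/}" "$path" "$status"
        done
    done
}

# Constructed fixture: two drop-ins and a log in which only the first file's
# entry was honoured, which is the symptom described in this report.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/rkhunter.d"
    echo 'ALLOWHIDDENFILE=/etc/.first'   > "$tmp/rkhunter.d/mageia.conf"
    echo 'ALLOWHIDDENFILE=/etc/.updated' > "$tmp/rkhunter.d/test.conf"
    printf '%s\n' \
        "[19:10:01] Info: Found file '/etc/.first': it is whitelisted" \
        "[19:10:01] Warning: Hidden file found: /etc/.updated: ASCII text" \
        > "$tmp/rkhunter.log"
    check_dropins "$tmp/rkhunter.d" "$tmp/rkhunter.log"
    rm -rf "$tmp"
}

demo
```

On a real system, run check_dropins /etc/rkhunter.d /var/log/rkhunter.log as root after steps 4 to 6; any IGNORED line names a drop-in file whose whitelist entry did not take effect.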