Bug 8172 - 3_a3: rkhunter Warnings (syslog, .k5identity.5.xz)
Summary: 3_a3: rkhunter Warnings (syslog, .k5identity.5.xz)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 3
Hardware: x86_64 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: Remco Rijnders
QA Contact:
URL:
Whiteboard:
Keywords: NEEDINFO
Depends on: 9313
Blocks:
Reported: 2012-11-21 14:42 CET by Bit Twister
Modified: 2013-06-26 21:46 CEST

See Also:
Source RPM: rkhunter-1.4.0-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description Bit Twister 2012-11-21 14:42:42 CET
Description of problem:

Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.xz: XZ compressed data

Since a Mageia maintainer has added .k5login.5 to /etc/rkhunter.conf, I suggest adding
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.xz

Temporary USER workaround is to add the line to /etc/rkhunter.conf.local
 
Warning: The syslog daemon is not running.

Now that rsyslog is no longer installed by default and journald is its replacement, I think the syslog daemon check needs to be masked/disabled, and we should ask upstream to look into detecting journald.


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. click up a terminal, su - root and run the following:
   urpmi rkhunter
   /bin/rm -f /dev/shm/pulse*
   rkhunter --propupd
   rkhunter --skip-keypress -C
   rkhunter --skip-keypress -c

2. grep -i warning /var/log/rkhunter.log
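The report above works from rkhunter's log and suggests ALLOWHIDDENFILE lines by hand. The following is an added example, not code from the bug report or from the rkhunter project: a small POSIX shell triage helper that extracts every "Hidden file found" path from an rkhunter log, compares it against the ALLOWHIDDENFILE entries already present in /etc/rkhunter.conf and /etc/rkhunter.conf.local, and prints only the lines still missing. The log and config contents embedded in demo() are constructed sample data (the .k5login path is an assumption about what the distribution config contains); the file locations and option syntax are the ones the report itself uses.

```shell
#!/bin/sh
# Added example (not from the bug report or the rkhunter project): list the
# "Hidden file found" paths in an rkhunter log that no ALLOWHIDDENFILE line
# already covers, and print the config lines that would silence them.

# Print each hidden-file path reported in the log, once, sorted.
# $1: path to the rkhunter log
hidden_paths() {
    sed -n 's/^.*Warning: Hidden file found: \([^:]*\):.*$/\1/p' "$1" | sort -u
}

# Print each path already allowed via ALLOWHIDDENFILE= in the given configs.
# $@: config files; a missing file (e.g. no rkhunter.conf.local) is ignored
allowed_paths() {
    cat "$@" 2>/dev/null | sed -n 's/^[[:space:]]*ALLOWHIDDENFILE=\(.*\)$/\1/p' | sort -u
}

# Print an ALLOWHIDDENFILE line for every reported path not yet allowed.
# $1: rkhunter log, $2...: config files to consult
missing_allow_lines() {
    log=$1
    shift
    hidden_paths "$log" | while IFS= read -r p; do
        if ! allowed_paths "$@" | grep -qxF -- "$p"; then
            printf 'ALLOWHIDDENFILE=%s\n' "$p"
        fi
    done
}

# Self-contained demonstration on constructed sample data: a log with two
# hidden-file warnings (plus an unrelated syslog warning) and a distribution
# config that already whitelists the .k5login man page (assumed content).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/rkhunter.log" <<'EOF'
[14:42:42] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.xz: XZ compressed data
[14:42:42] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.xz: XZ compressed data
[14:42:43] Warning: The syslog daemon is not running.
EOF
    cat > "$tmp/rkhunter.conf" <<'EOF'
# constructed: distribution default already allows the .k5login man page
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.xz
EOF
    # rkhunter.conf.local intentionally absent, as on a fresh install
    missing_allow_lines "$tmp/rkhunter.log" "$tmp/rkhunter.conf" "$tmp/rkhunter.conf.local"
    rm -rf "$tmp"
}

demo
```

Against real files the call is `missing_allow_lines /var/log/rkhunter.log /etc/rkhunter.conf /etc/rkhunter.conf.local`; review each printed path before appending it to /etc/rkhunter.conf.local (a hidden file you did not expect is exactly what the check exists to surface), then re-run `rkhunter --skip-keypress -C` so rkhunter validates the changed configuration before the next `-c` scan.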
Bit Twister 2012-11-21 14:43:12 CET

Summary: 2_a3: rkhunter Warnings (syslog, .k5identity.5.xz) => 3_a3: rkhunter Warnings (syslog, .k5identity.5.xz)

Comment 1 Bit Twister 2012-11-21 18:36:40 CET
Oops, the steps were out of order; for root it should have been:
   rkhunter --skip-keypress -C
   /bin/rm -f /dev/shm/pulse*
   rkhunter --propupd
   rkhunter --skip-keypress -c

I can also recommend adding
  RTKT_FILE_WHITELIST="/etc/crontab"
to /etc/rkhunter.conf. 

That has suppressed the warning messages I get from the /etc/cron.daily run
like this snippet:

Warning: The following processes are using suspicious files:
         Command: crond
           UID: 0    PID: 805
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
   <snipped 8 more of the above message>
run-parts: /etc/cron.daily/rkhunter exited with return code 1
Manuel Hiebel 2012-11-25 11:56:24 CET

Assignee: bugsquad => remco

Remco Rijnders 2012-11-25 13:46:53 CET

Status: NEW => ASSIGNED

Comment 2 Bit Twister 2012-12-10 12:21:10 CET
FYI: Last night's updates removed/relocated several files. One that has been removed is:
Invalid RTKT_FILE_WHITELIST configuration option: Non-existent pathname: /etc/rc.d/rc.sysinit
Remco Rijnders 2013-06-23 17:26:26 CEST

Blocks: (none) => 9398

Comment 3 Remco Rijnders 2013-06-23 17:28:14 CEST
Hi, thank you for your report. I believe the update in updates_testing rkhunter-1.4.0-3.1.mga3 fixes this problem. Please test it, I hope it solves this problem. Additionally, it should also cover the issues reported in #9398 and #9313

CC: (none) => remco
Assignee: remco => qa-bugs

Remco Rijnders 2013-06-23 18:34:09 CEST

Version: Cauldron => 3

David Walser 2013-06-23 21:05:17 CEST

Depends on: (none) => 9313

David Walser 2013-06-23 21:05:48 CEST

Blocks: 9398 => (none)
Assignee: qa-bugs => remco

Comment 4 Bit Twister 2013-06-23 21:30:37 CEST
(In reply to Remco Rijnders from comment #3)
> Hi, thank you for your report. I believe the update in updates_testing
> rkhunter-1.4.0-3.1.mga3 fixes this problem. 

Installed rkhunter-1.4.0 and executed
   rkhunter --skip-keypress -C
   rkhunter --skip-keypress -c
and saw no problems on
$ cat /etc/release
Mageia release 3 (Official) for x86_64
Comment 5 Rémi Verschelde 2013-06-25 08:58:04 CEST
I can't reproduce the bug with rkhunter-1.4.0-3.mga3 (Core/Release), maybe it was fixed between 1.mga3 and 3.mga3?

CC: (none) => remi

Comment 6 James Kerr 2013-06-25 10:38:32 CEST
/etc/cron.daily/rkhunter was reporting this warning prior to the update. From cron's email on 24/06/13:


/etc/cron.daily/rkhunter:
Warning: GasKit Rootkit                           [ Warning ]
         Directory '/dev/dev' found
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.xz: XZ compressed data
run-parts: /etc/cron.daily/rkhunter exited with return code 1
Comment 7 Manuel Hiebel 2013-06-26 20:04:13 CEST
What is the status of this bug with the latest rkhunter update, which is coming?

Keywords: (none) => NEEDINFO

Comment 8 James Kerr 2013-06-26 21:37:07 CEST
It is fixed - see Comment#4 and Bug#9313
Comment 9 Manuel Hiebel 2013-06-26 21:46:30 CEST
ok

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
