Description of problem:
It would be nice in version 1.3.8

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.
*** Bug 1206 has been marked as a duplicate of this bug. ***
CC: (none) => terraagua
Created attachment 521 [details] proposed spec-file
CC: (none) => marianne
Summary: Missing package: rkhunter => rkhunter, a scans for rootkits, backdoors and local exploits
Severity: normal => enhancement
Your proposed specfile says in rkhunter.conf:

# PKGMGR=RPM

May I suggest to uncomment it? i.e. make it:

PKGMGR=RPM
Blocks: (none) => 772
Imported in cauldron.
Status: NEW => RESOLVED
CC: (none) => cazzaniga.sandro
Resolution: (none) => FIXED
Thanks, will test in the next days (some probs with cauldron)
*** Bug 2363 has been marked as a duplicate of this bug. ***
CC: (none) => geiger.david68210
The %post install in the RPM fails, as well as the package reporting a few false positives in the default configuration. I'm working on resolving these issues and hope to have an updated RPM within a few days. After testing on Cauldron, hopefully it can be pushed as update to 1.
Status: RESOLVED => REOPENED
CC: (none) => remco, stormi
Resolution: FIXED => (none)
Assignee: bugsquad => remco
You may find the following useful https://qa.mandriva.com/show_bug.cgi?id=64158#c1
CC: (none) => davidwhodgins
Hi all, Given the comments above, a new rkhunter package has been pushed to cauldron that will hopefully fix some of the issues reported in previous comments. If you have the possibility, can you please test it? I'm especially interested in hearing about any false positives or other warnings you run into. As the rpm will not overwrite the existing config file, you may want to manually edit the rkhunter.conf file or remove it before installing the package. Should no issues surface in the next few days, we can hopefully push this package as an update to mga 1.
rkhunter is now available in updates_testing. Please test and (hopefully) validate it.

After installation, rkhunter should create its database without errors or warnings. Running rkhunter as root from the command line will check your system for signs of possible installed rootkits on your system or suspicious changes in system binaries, etc. The command to use for this is:

rkhunter --check

I'm very interested in hearing if the default configuration of the package results in any false positives being reported. There were a few, but I eliminated the false positives I got on my system by packaging a changed default configuration for this tool.

Please note that changes to the system between installing rkhunter and running the above check might result in warnings. This can happen when you have installed other updates in the meantime.

After running the checks, a log of findings will also be saved in /var/log/rkhunter.log
Assignee: remco => qa-bugs
Created attachment 882 [details]
file rkhunter.log (geiger david)

Tested rkhunter on Mageia release 1 (Official) for x86_64 and it works correctly. Installation Ok, Check rootkits Ok. Attached file rkhunter.log, I'll let you check the file if it contains false positives.
CC: cazzaniga.sandro => (none)
Thanks David for testing. I notice one warning for /etc/.java being a hidden directory / file. I'll probably have to whitelist that one in the default configuration.
Testing i586

It installed unhide from core/release but then gave warnings about unhide.

  /usr/sbin/unhide                                         [ Warning ]
  /usr/sbin/unhide-tcp                                     [ Warning ]
  /usr/sbin/unhide-linux26                                 [ Warning ]

The log shows..

[08:43:54] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[08:43:54]   /usr/sbin/unhide-tcp                          [ Warning ]
[08:43:54] Warning: The file '/usr/sbin/unhide-tcp' exists on the system, but it is not present in the rkhunter.dat file.
[08:43:54]   /usr/sbin/unhide-linux26                      [ Warning ]
[08:43:54] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.

Also..

[08:46:43]   Checking for software intrusions              [ Skipped ]
[08:46:43] Info: Check skipped - tripwire not installed

Should that be a dependency?

Performing filesystem checks
  Checking /dev for suspicious file types                  [ Warning ]
  Checking for hidden files and directories                [ Warning ]

The log shows

[08:46:54]   Checking /dev for suspicious file types       [ Warning ]
[08:46:54] Warning: Suspicious file types found in /dev:
[08:46:54]          /dev/shm/pulse-shm-2707496582: data
[08:46:55] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[08:46:55] Info: Found hidden file '/usr/share/man/man1/..1.xz': it is whitelisted.
[08:46:55] Info: Found hidden file '/usr/share/man/man5/.k5login.5.xz': it is whitelisted.
[08:46:55]   Checking for hidden files and directories     [ Warning ]
[08:46:55] Warning: Hidden directory found: /etc/.java

It does show some similar /dev/shm/pulse-shm files as being whitelisted.
In my opinion, installing rkhunter should not include running
/usr/sbin/rkhunter --propupd

While it has to be done before the generated reports will be of any use, that should be done by the person installing it, and should be explained in a urpmi.README. It should not be done automatically.
Also, if /etc/.java is being reported, that indicates Comment 8 has not been looked at.
(In reply to comment #14)
> In my opinion, installing rkhunter should not include running
> /usr/sbin/rkhunter --propupd

I'm not sure if I agree with this. Without it the package is of no use and I'd like it to work without needing any special actions from the end user. That said, I'll see if I can distinguish between new installs and present installations and perhaps work differently accordingly?

(In reply to comment #15)
> Also, if /etc/.java is being reported, that indicates Comment 8
> has not been looked at.

I did look at that comment and have incorporated some of the suggested changes in it. I didn't have /etc/.java on my local system and erred on the side of whitelisting too few rather than too many files and directories. I'll add this back in the whitelist.
(In reply to comment #13)
> Testing i586
> It installed unhide from core/release but then gave warnings about unhide.
> /usr/sbin/unhide [ Warning ]
> /usr/sbin/unhide-tcp [ Warning ]
> /usr/sbin/unhide-linux26 [ Warning ]
> The log shows..
> [08:43:54] Warning: The file '/usr/sbin/unhide' exists on the system, but it is
> not present in the rkhunter.dat file.
> [08:43:54] /usr/sbin/unhide-tcp [ Warning ]
> [08:43:54] Warning: The file '/usr/sbin/unhide-tcp' exists on the system, but
> it is not present in the rkhunter.dat file.
> [08:43:54] /usr/sbin/unhide-linux26 [ Warning ]
> [08:43:54] Warning: The file '/usr/sbin/unhide-linux26' exists on the system,
> but it is not present in the rkhunter.dat file.

Hi Claire,

I think this is caused by unhide being installed after rkhunter installed and initiated its initial file database. Running rkhunter --propupd again and then doing --check should make this warning disappear.

> Also..
> [08:46:43] Checking for software intrusions [ Skipped ]
> [08:46:43] Info: Check skipped - tripwire not installed
> Should that be a dependency?

Well, perhaps it should be a suggest. That said, I notice tripwire is not in the Mageia repos yet. I'll look into packaging it.

> Performing filesystem checks
> Checking /dev for suspicious file types [ Warning ]
> Checking for hidden files and directories [ Warning ]
> The log shows
> [08:46:54] Checking /dev for suspicious file types [ Warning ]
> [08:46:54] Warning: Suspicious file types found in /dev:
> [08:46:54] /dev/shm/pulse-shm-2707496582: data
> [08:46:55] Info: Found hidden directory '/dev/.udev': it is whitelisted.
> [08:46:55] Info: Found hidden file '/usr/share/man/man1/..1.xz': it is
> whitelisted.
> [08:46:55] Info: Found hidden file '/usr/share/man/man5/.k5login.5.xz': it is
> whitelisted.
> [08:46:55] Checking for hidden files and directories [ Warning ]
> [08:46:55] Warning: Hidden directory found: /etc/.java
> It does show some similar /dev/shm/pulse-shm files as being whitelisted.

I'll see about adding this one to the whitelist too. Thanks for the detailed report!
Unhide was installed as a dependency but appears to have been installed after rkhunter for some reason so you are probably correct. Is there a way to delay the first run by a minute to avoid that?

Oct  2 08:31:31 localhost rpmdrake[2693]: [RPM] rkhunter-1.3.8-1.1.mga1.noarch installed
Oct  2 08:32:00 localhost rpmdrake[2693]: [RPM] unhide-20110113-1.mga1.i586 installed
Running rkhunter --propupd did fix it.

  /usr/sbin/unhide                                         [ OK ]
  /usr/sbin/unhide-tcp                                     [ OK ]
  /usr/sbin/unhide-linux26                                 [ OK ]

Also lost one of the warnings..

Performing filesystem checks
  Checking /dev for suspicious file types                  [ None found ]
  Checking for hidden files and directories                [ Warning ]

It temporarily cured the /dev/shm/pulse-shm-*number*

From what I've read, the number itself is different on each boot and is unpredictable so you will probably have to whitelist any /dev/shm/pulse-shm-* or narrow it down to /dev/shm/pulse-shm-[0,9]{1,10} as they all appear to be 10 digits long in /dev/shm/
Source RPM: (none) => rkhunter
(In reply to comment #14)
> In my opinion, installing rkhunter should not include running
> /usr/sbin/rkhunter --propupd
>
> While it has to be done before the generated reports will be of
> any use, that should be done by the person installing it, and
> should be explained in a urpmi.README. It should not be done
> automatically.

I quite agree. Doesn't rkhunter give an explicit error message if /usr/sbin/rkhunter --propupd has not been run?

I ran rkhunter --check on a system, here are some interesting extracts:

[23:07:58] Warning: Package manager verification has failed:
[23:07:58]          File: /usr/sbin/lsof
[23:07:58]          The file group has changed
[23:08:31]   /usr/bin/passwd                               [ Warning ]
[23:08:31] Warning: Package manager verification has failed:
[23:08:31]          File: /usr/bin/passwd
[23:08:31]          The file group has changed

[23:10:38]   Running skdet command                         [ Skipped ]
[23:10:38] Info: Unable to find the 'skdet' command

Several tests are not run. Is it intentional?

[23:11:04] Info: Test 'deleted_files' disabled at users request.
[23:11:04]
[23:11:04] Info: Starting test name 'running_procs'
[23:11:07]   Checking running processes for suspicious files [ None found ]
[23:11:07]
[23:11:07] Info: Test 'hidden_procs' disabled at users request.
[23:11:07]
[23:11:07] Info: Test 'suspscan' disabled at users request
[23:11:15] Info: Test 'hidden_ports' disabled at users request.
[23:11:16] Info: Test 'packet_cap_apps' disabled at users request.

[23:11:19]   Checking if SSH root access is allowed        [ Warning ]
[23:11:19] Warning: The SSH and rkhunter configuration options should be the same:
[23:11:19]          SSH configuration option 'PermitRootLogin': no
[23:11:19]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': without-password
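The warnings quoted in this thread fall into classes that call for different responses: "not present in the rkhunter.dat file" means the properties database is older than the file (as with unhide installed after rkhunter) and is cleared by rerunning --propupd once the file has been checked against its package; "Package manager verification has failed" is not cured by --propupd and needs the file looked at with rpm -V. The small POSIX sh triage helper below is an added example, not part of the rkhunter package or this bug; its sample log lines are constructed from the warnings quoted above.

```shell
#!/bin/sh
# Sort /var/log/rkhunter.log warnings by class so a stale properties database
# can be told apart from findings that need a closer look (added example).

# count_warnings CLASS LOGFILE: number of warnings of the given class
count_warnings() {
  class=$1; log=$2
  case "$class" in
    stale)  pat="not present in the rkhunter.dat file" ;;
    hidden) pat="Warning: Hidden (file|directory) found" ;;
    devfs)  pat="Warning: Suspicious file types found in /dev" ;;
    pkgmgr) pat="Warning: Package manager verification has failed" ;;
    ssh)    pat="The SSH and rkhunter configuration options should be the same" ;;
    *)      echo 0; return 0 ;;
  esac
  grep -Ec "$pat" "$log" || true   # grep -c exits 1 on zero matches but still prints 0
}

# stale_files LOGFILE: paths rkhunter reports as missing from rkhunter.dat,
# i.e. files installed after the last --propupd (unhide in this thread);
# verify each with `rpm -Vf <path>` before rerunning `rkhunter --propupd`
stale_files() {
  sed -n "s/.*The file '\([^']*\)' exists on the system, but it is not present in the rkhunter.dat file\..*/\1/p" "$1"
}

# pkgmgr_files LOGFILE: paths whose package-manager check failed; --propupd
# does NOT clear these, so compare them with `rpm -Vf <path>` first
pkgmgr_files() {
  awk '/Warning: Package manager verification has failed/ { want = 1; next }
       want && /File: / { sub(/.*File: /, ""); print; want = 0 }' "$1"
}

# Constructed sample log, modelled on the warnings quoted in this bug report
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[08:43:54] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[08:43:54] Warning: The file '/usr/sbin/unhide-tcp' exists on the system, but it is not present in the rkhunter.dat file.
[08:46:54] Warning: Suspicious file types found in /dev:
[08:46:54]          /dev/shm/pulse-shm-2707496582: data
[08:46:55] Warning: Hidden directory found: /etc/.java
[23:07:58] Warning: Package manager verification has failed:
[23:07:58]          File: /usr/sbin/lsof
[23:07:58]          The file group has changed
[23:11:19] Warning: The SSH and rkhunter configuration options should be the same:
EOF

for c in stale hidden devfs pkgmgr ssh; do
  printf '%-7s %s\n' "$c" "$(count_warnings "$c" "$SAMPLE_LOG")"
done
echo "stale (rerun --propupd after checking):"; stale_files "$SAMPLE_LOG"
echo "pkgmgr (inspect with rpm -Vf):";          pkgmgr_files "$SAMPLE_LOG"
```

Point the functions at /var/log/rkhunter.log instead of the sample to triage a real run.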
Even if it is decided to automatically run rkhunter --propupd when rkhunter is first installed (which I disagree with), it must not be run automatically when rkhunter is being installed as an update.
I recently tested getmail, so I'd created ~/Maildir, which meant dovecot was no longer looking in /var/spool/mail/$USER for messages, so I wasn't getting the cron messages. Just fixed that, and found the messages from rkhunter, that failed to deliver, as they were addressed to root@wb.home.test That's from /etc/rkhunter.conf.local. If there's going to be an address there, I think it should default to root@localhost.
Assignee: qa-bugs => remco
CC: (none) => qa-bugs
(In reply to comment #18)
> Unhide was installed as a dependency but appears to have been installed after
> rkhunter for some reason so you are probably correct. Is there a way to delay
> the first run by a minute to avoid that?
>
> Oct 2 08:31:31 localhost rpmdrake[2693]: [RPM] rkhunter-1.3.8-1.1.mga1.noarch
> installed
> Oct 2 08:32:00 localhost rpmdrake[2693]: [RPM] unhide-20110113-1.mga1.i586
> installed

I gather unhide was added after rkhunter, as a suggests. If that were changed to a requires, wouldn't that get it installed before rkhunter?
> I gather unhide was added after rkhunter, as a suggests. If that were
> changed to a requires, wouldn't that get it installed before rkhunter?

It probably would. But, rkhunter operates fine without a requirement on unhide, so I'd like to not pull everything but the kitchen sink in.

That said, should we decide not to run --propupd after the install, this 'problem' goes away. Of course, it'll be back as soon as any other package on the system gets installed, so I guess this is something one has to live with... it works as rkhunter is supposed to work when it finds changed files since the last time its database got updated.
@Samuel, @Dave,

May I ask why you prefer --propupd not to run automatically upon first install? I don't really see any downside to it and think it helps to make rkhunter work out of the box for most users. Just trying to understand why you want to deviate from what was practice for this package in Mandriva.
The person who is getting the output from rkhunter will get the message that the database has not been initialized, and will learn that they have to run with the --propupd option, when changes are made.

Otherwise, there is a huge risk that the "newbie" will panic, and think their system has been hacked, when it hasn't.

Receiving the error message until they learn about the necessity of running with the --propupd is less likely to cause users to think Mageia has poor security than running it for them once, and then generating change reports every time updates are installed.
@ remmy Do you already have time to look at the package again? Do you mind setting it to the ASSIGNED status? I didn't change version number to "1", because I don't know whether you had a reason to leave it as it is.
CC: (none) => marja11
Whiteboard: (none) => Mdv, cauldron
Working on it once more...
Status: REOPENED => ASSIGNED
Version: Cauldron => 1
In rkhunter-1.3.8-1.2.mga1.noarch.rpm the /usr/share/doc/rkhunter/README.urpmi file is incorrect. It has
rkhunter --prop-upd
which should be
rkhunter --propupd
Hi,

rkhunter-1.3.8-1.3 is now available in testing. Can you please test it?

The package now runs propupd on initial installation, but not on upgrades. The supplied README.urpmi points out the need for the user to run this, including the error Dave spotted in the previous comment (thanks!)

The .java directory is also whitelisted.
Testing complete on i586 for the srpm rkhunter-1.3.8-1.3.mga1.src.rpm I checked the readme when I installed and then tested the update around 12 hours ago.
x86_64

# urpmi rkhunter
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release      Arch
(medium "Core Release")
  unhide                         20110113     1.mga1       x86_64
  (suggested)
(medium "Core Updates Testing")
  rkhunter                       1.3.8        1.3.mga1     noarch
864KB of additional disk space will be used.
194KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

Preparing...                     #########################################################
      1/2: unhide                #########################################################
      2/2: rkhunter              #########################################################
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 165 files, found 136

[ Rootkit Hunter version 1.3.8 ]

Checking the local host...

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ Warning ]
    Checking for group file changes                          [ Warning ]
    Checking root account shell history files                [ OK ]

[Press <ENTER> to continue]

System checks summary
=====================

File properties checks...
    All checks skipped

Rootkit checks...
    All checks skipped

Applications checks...
    All checks skipped

The system checks took: 0 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

----------------------------------------------------------------------
More information on package rkhunter-1.3.8-1.3.mga1.noarch

rkhunter is a tool to detect rootkits installed on your system and suspicious
file changes. In order for rkhunter to run these checks, it maintains a catalog
of files and their properties installed on your system so it can compare
current files and statusses against the ones recorded in its database.

Out of the box rkhunter is configured to give as few false positives as
possible on a Mageia system. Still, despite this, you might want to change
some of its configuration options yourself to best suit you. The file used
for this is /etc/rkhunter.conf

Upon an initial install, rkhunter will create the databases it needs itself.
On upgrades and during regular use, you may want to update its databases
yourself by executing:

rkhunter --propupd

before running any other rkhunter checks yourself.
----------------------------------------------------------------------

I don't think it waited for me to press enter but I didn't notice it until afterwards. That isn't really a problem though.

Run manually with rkhunter --check it ran through all its tests and gave a warning about ssh protocols, which is useful to know. During the manual tests it did pause until Enter was pressed.

Testing complete x86_64
Validating

Advisory
--------------
This update brings the rkhunter rootkit hunter which was present in Mandriva 2010.2 but missing from Mageia 1.
--------------
SRPM: rkhunter-1.3.8-1.3.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED