Package: rkhunter
Version: 1.3.4-6
Severity: normal
Tags: patch

Certain security frameworks (e.g. grsecurity) prevent programs from reading /proc/kallsyms.
The file exists but it returns an error when you try to read from it.

I end up receiving these emails every day:

From: Anacron <r...@localhost>
To: r...@localhost
Subject: Anacron job 'cron.daily' on localhost

/etc/cron.daily/rkhunter:
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error
grep: /proc/kallsyms: Input/output error

I have attached a patch which disables this check (as if /proc/kallsyms was missing) if the "file" is not readable.

Cheers,
Francois

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30.5-grsec (SMP w/2 CPU cores; PREEMPT)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils               2.19.51.20090805-1  The GNU assembler, linker and bina
ii  debconf [debconf-2.0]  1.5.27              Debian configuration management sy
ii  exim4                  4.69-11             metapackage to ease Exim MTA (v4)
ii  exim4-daemon-light [m  4.69-11             lightweight Exim MTA (v4) daemon
ii  file                   5.03-1              Determines file type using "magic"
ii  net-tools              1.60-23             The NET-3 networking toolkit
ii  perl                   5.10.0-24           Larry Wall's Practical Extraction

Versions of packages rkhunter recommends:
ii  curl                   7.19.5-1            Get a file from an HTTP, HTTPS or
ii  iproute                20090324-1          networking and traffic control too
ii  lsof                   4.81.dfsg.1-1       List open files
pn  unhide                 <none>              (no description available)
ii  wget                   1.11.4-4            retrieves files from the web

Versions of packages rkhunter suggests:
pn  bsd-mailx              <none>              (no description available)
pn  tripwire               <none>              (no description available)

-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true

--- /usr/bin/rkhunter 2009-07-29 05:01:56.000000000 +1200 +++ rkhunter 2009-08-18 14:31:47.000000000 +1200 @@ -12316,6 +12316,15 @@ elif [ -f "${RKHROOTDIR}/proc/kallsyms" ]; then KSYMS_FILE="${RKHROOTDIR}/proc/kallsyms" fi + + # + # Check to make sure that the symbols are readable + # as certain security frameworks hide this. + # + + if ! head -1 /proc/kallsyms > /dev/null 2>&1 ; then + KSYMS_FILE="" + fi fi
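
Review bot: The readability test in the added block reads the hard-coded path /proc/kallsyms instead of the file that was just selected into KSYMS_FILE, so it drops the ${RKHROOTDIR} prefix used two lines above and can clear KSYMS_FILE even when the preceding branch of the if/elif picked a different symbols file. Testing the selected file only when one was found would avoid both problems, for example `if [ -n "${KSYMS_FILE}" ] && ! head -1 "${KSYMS_FILE}" > /dev/null 2>&1 ; then`. The block also turns off a kernel symbols check without leaving any trace; a warning or log entry saying the file exists but is unreadable would let the admin see that this part of the scan was skipped rather than passed.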