I am running rkhunter 1.4.0 on Ubuntu 11.4 (the latest version of Ubuntu
that runs on my hardware).  I run rkhunter with the following call

sudo rkhunter --check --rwo

and get the following returned.

Warning: The command '/usr/sbin/adduser' has been replaced by a script:
/usr/sbin/adduser: a /usr/bin/perl script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script:
/usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script:
/usr/bin/lwp-request: a /usr/bin/perl -w script text executable
Warning: The command '/sbin/chkconfig' has been replaced by a script:
/sbin/chkconfig: a /usr/bin/perl script text executable
Warning: The command '/bin/which' has been replaced by a script:
/bin/which: POSIX shell script text executable

I have Googled these messages and it appears they are quite common, but it
is not clear whether they should be white listed or not.  They are all
ASCII files and all seem to be Perl text except for /bin/which, which appears
to be Linux shell code.  Most of the scripts say what they do.

/usr/sbin/adduser: a utility to add users to the system

/usr/bin/ldd: This file is part of the GNU C Library....This is the `ldd'
command, which lists what shared libraries are used by given
dynamically-linked executables.  It works by invoking the run-time dynamic
linker as a command and setting the environment variable
LD_TRACE_LOADED_OBJECTS to a non-empty value.

/usr/bin/lwp-request: This program can be used to send requests to WWW
servers and your local file system. The request content for POST and PUT
methods is read from stdin.  The content of the response is printed on
stdout.  Error messages are printed on stderr.  The program returns a
status value indicating the number of URLs that failed.

/sbin/chkconfig: Doesn't actually say what it does but is well commented
throughout and elicits user input, with error messages in the main function.

/bin/which: Looks like shell code with no comments

My question is, which of these should be white listed or declared to be
false positives?

Thanks,
Peter
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
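
An added example, not part of the original post and not rkhunter code: a shell helper that extracts the paths from warnings like those quoted above and, on a dpkg-based system such as Ubuntu, reports which package owns each file and whether its MD5 still matches the checksum recorded at install time. It assumes the package checksums are in /var/lib/dpkg/info/<package>.md5sums; the script name check_flagged.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not rkhunter code). Assumes a dpkg-based system.
# Usage (script name is hypothetical):
#   sudo rkhunter --check --rwo | sh check_flagged.sh --stdin

# Print the path named in each "replaced by a script" warning on stdin.
flagged_paths() {
    sed -n "s/^Warning: The command '\(.*\)' has been replaced by a script:.*/\1/p"
}

# Print "<path> <package> ok|MODIFIED|no-md5", or "<path> - UNOWNED"
# when no installed package claims the file.
check_path() {
    path=$1
    owner=$(dpkg-query -S "$path" 2>/dev/null | head -n 1)
    if [ -z "$owner" ]; then
        echo "$path - UNOWNED"
        return 0
    fi
    pkg=${owner%%: *}                       # "adduser: /usr/sbin/adduser" -> "adduser"
    sums=/var/lib/dpkg/info/$pkg.md5sums    # checksums recorded at install time
    if [ ! -f "$sums" ]; then
        echo "$path $pkg no-md5"
        return 0
    fi
    # md5sums entries are "<hash>  <path without leading slash>"
    want=$(awk -v f="${path#/}" '$2 == f { print $1; exit }' "$sums")
    have=$(md5sum "$path" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$want" ]; then
        echo "$path $pkg no-md5"
    elif [ "$want" = "$have" ]; then
        echo "$path $pkg ok"
    else
        echo "$path $pkg MODIFIED"
    fi
}

# Only read stdin when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--stdin" ]; then
    flagged_paths | while read -r p; do check_path "$p"; done
fi
```

The comparison trusts the local dpkg database, so on a host that may already be compromised the files should be compared against a freshly downloaded package instead. UNOWNED means only that dpkg has no record of that exact path, which calls for a closer look rather than proving tampering.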
