Bug#951366: rkhunter: libkeyutils1/1.6.1-2 triggers a false positive

2020-02-23 Thread Francois Marier
On 2020-02-15 at 16:12:16, Francesco Poli wrote:
> thanks to a suggestion from the keyutils Debian package maintainer,
> I managed to work around the issue by adding the following two
> lines to my rkhunter configuration file:
> 
>   $ grep keyutils /etc/rkhunter.conf 
>   RTKT_FILE_WHITELIST=/lib/x86_64-linux-gnu/libkeyutils.so.1.9
>   USER_FILEPROP_FILES_DIRS=/lib/x86_64-linux-gnu/libkeyutils.so.1.9

The work-around that got rid of these messages on my machine is putting the
following in /etc/rkhunter.conf.local:

  RTKT_FILE_WHITELIST=/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9

The other line wasn't necessary for me.

Francois

-- 
https://fmarier.org/




Bug#951366: rkhunter: libkeyutils1/1.6.1-2 triggers a false positive

2020-02-23 Thread Francois Mescam

Hello,

I tried this workaround by adding these two lines to the /etc/rkhunter.local
file.


When I execute rkhunter I obtain

  Warning: The file '/lib/x86_64-linux-gnu/libkeyutils.so.1.9' exists on the system, but it is not present in the 'rkhunter.dat' file.


and many lines like these:

  Warning: The following processes are using suspicious files:
   Command: chrome
   UID: 1000  PID: 182082
   Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
   Possible Rootkit: Spam tool component
   Command: chrome
   UID: 182085  PID: 182082
   Pathname: 22448
   Possible Rootkit: Spam tool component


Regards

François

On Sat, 15 Feb 2020 16:12:16 +0100 Francesco Poli wrote:

> Control: severity -1 normal
>
>
> On Sat, 15 Feb 2020 12:06:03 +0100 Francesco Poli (wintermute) wrote:
>
> [...]
> > As explained in [bug #951338], this looks like a false positive
> > triggered by just the filename.
> >
> > [bug #951338]: 
>
> Hello again,
> thanks to a suggestion from the keyutils Debian package maintainer,
> I managed to work around the issue by adding the following two
> lines to my rkhunter configuration file:
>
> $ grep keyutils /etc/rkhunter.conf
> RTKT_FILE_WHITELIST=/lib/x86_64-linux-gnu/libkeyutils.so.1.9
> USER_FILEPROP_FILES_DIRS=/lib/x86_64-linux-gnu/libkeyutils.so.1.9
>
> I hope this is the correct way to avoid the annoying daily alert.
>
> Please let me know, thanks for your time.
>
>
> --
> http://www.inventati.org/frx/
> There's not a second to spare! To the laboratory!
> . Francesco Poli .
> GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

--
Francois Mescam
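As an added example (not code from rkhunter or from anyone in this thread) tying the RTKT_FILE_WHITELIST workaround in the first message to the warning output quoted in this one, the Python below parses running_procs warnings whether or not their line breaks survived, and checks each flagged path against the whitelist. The log and config text are constructed from the messages above, and the folding of /lib into /usr/lib assumes a merged-/usr system.

```python
import re
# Constructed sample log: a well-formed block plus one with its line
# breaks lost (as in the quoted mail); parsing must not rely on newlines.
SAMPLE_LOG = """\
Warning: The following processes are using suspicious files:
 Command: sshd
 UID: 0  PID: 7331
 Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
 Possible Rootkit: Spam tool component
Warning: The following processes are using suspicious files:Command: chromeUID: 1000 PID: 182082Pathname: /usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9Possible Rootkit: Spam tool component
"""
# Constructed /etc/rkhunter.conf.local with the whitelist line from the reply.
SAMPLE_CONF = 'RTKT_FILE_WHITELIST=/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9\n'
# One record is a run of labelled fields; a lookahead on the next label
# lets the pattern match whether or not the newlines survived.
_RECORD = re.compile(
    r"Command:\s*(?P<cmd>.+?)\s*UID:\s*(?P<uid>\d+)\s*PID:\s*(?P<pid>\d+)"
    r"\s*Pathname:\s*(?P<path>\S+?)\s*Possible Rootkit:\s*"
    r"(?P<rootkit>.+?)(?=\s*Command:|\s*Warning:|\s*\Z)"
)

def parse_warnings(log_text):
    """Extract per-process records from running_procs warnings."""
    return [m.groupdict() for m in _RECORD.finditer(log_text)]

def parse_whitelist(conf_text):
    """Collect RTKT_FILE_WHITELIST paths; the option may be repeated."""
    paths = set()
    for raw in conf_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == "RTKT_FILE_WHITELIST":
            paths.update(value.strip().strip('"').split())
    return paths

def canonical(path):
    """Merged-/usr (assumed here): /lib is an alias of /usr/lib."""
    return "/usr" + path if path.startswith("/lib/") else path

def triage(log_text, conf_text):
    """Flag each warning as whitelisted exactly, or only under the
    /lib <-> /usr/lib alias, i.e. the spelling rkhunter printed is missing."""
    wl = parse_whitelist(conf_text)
    wl_canon = {canonical(p) for p in wl}
    out = []
    for rec in parse_warnings(log_text):
        rec["whitelisted"] = rec["path"] in wl
        rec["alias_only"] = (not rec["whitelisted"]
                             and canonical(rec["path"]) in wl_canon)
        out.append(rec)
    return out
```

A record marked alias_only means the whitelist carries the other spelling of the same library, which is exactly the /lib versus /usr/lib difference between the two workarounds in this thread.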



Bug#951366: rkhunter: libkeyutils1/1.6.1-2 triggers a false positive

2020-02-15 Thread Francesco Poli
Control: severity -1 normal


On Sat, 15 Feb 2020 12:06:03 +0100 Francesco Poli (wintermute) wrote:

[...]
> As explained in [bug #951338], this looks like a false positive
> triggered by just the filename.
> 
> [bug #951338]: 

Hello again,
thanks to a suggestion from the keyutils Debian package maintainer,
I managed to work around the issue by adding the following two
lines to my rkhunter configuration file:

  $ grep keyutils /etc/rkhunter.conf 
  RTKT_FILE_WHITELIST=/lib/x86_64-linux-gnu/libkeyutils.so.1.9
  USER_FILEPROP_FILES_DIRS=/lib/x86_64-linux-gnu/libkeyutils.so.1.9

I hope this is the correct way to avoid the annoying daily alert.

Please let me know, thanks for your time.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#951366: rkhunter: libkeyutils1/1.6.1-2 triggers a false positive

2020-02-15 Thread Francesco Poli (wintermute)
Package: rkhunter
Version: 1.4.6-7
Severity: important

Hello and thanks for maintaining rkhunter in Debian!

After upgrading

  [UPGRADE] libkeyutils1:amd64 1.6-6 -> 1.6.1-2

I get the following warning with

  # rkhunter --sk -c

in /var/log/rkhunter.log:

  Info: Starting test name 'running_procs'
  Checking running processes for suspicious files [ Warning ]
  Warning: The following processes are using suspicious files:
   Command: sshd
   UID: 0  PID: 7331
   Pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
   Possible Rootkit: Spam tool component

As explained in [bug #951338], this looks like a false positive
triggered by just the filename.

[bug #951338]: 

Please fix this false positive, since getting a daily alert
from rkhunter for this is annoying.

Thanks for your time!
Bye.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rkhunter depends on:
ii  binutils               2.34-2
ii  debconf [debconf-2.0]  1.5.73
ii  file                   1:5.38-4
ii  lsof                   4.93.2+dfsg-1
ii  net-tools              1.60+git20180626.aebd88e-1
ii  perl                   5.30.0-9
ii  ucf                    3.0038+nmu1

Versions of packages rkhunter recommends:
ii  curl                                       7.67.0-2
ii  e2fsprogs                                  1.45.5-2
ii  exim4-daemon-light [mail-transport-agent]  4.93-10
ii  iproute2                                   5.4.0-1
ii  mailutils [mailx]                          1:3.7-2
ii  unhide                                     20130526-4
ii  unhide.rb                                  22-4
ii  wget                                       1.20.3-1+b2

Versions of packages rkhunter suggests:
ii  liburi-perl     1.76-2
ii  libwww-perl     6.43-1
pn  powermgmt-base

-- Configuration Files:
/etc/rkhunter.conf changed [not included]

-- debconf information:
  rkhunter/apt_autogen: yes
  rkhunter/cron_db_update: yes
  rkhunter/cron_daily_run: yes