[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
I've applied the same patch to the rkhunter that ships with precise (1.38), in case you don't want to jump versions. Package is available in my PPA: https://launchpad.net/~elmuerte/+archive/12.04

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/883324

Title:
  False positive: Hidden file (symbolic link to directory) cannot be white-listed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/883324/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
@kholler -- 2013-01-01 Thanks to you and your 'ppa' with rkhunter-1.4.x. The new ver. 'fixed' this bug for me on two recently built 12.04 servers.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
I read on https://wiki.ubuntu.com/UbuntuBackports about the backporting process and created https://bugs.launchpad.net/precise-backports/+bug/1095056 via requestbackport rkhunter --destination precise after having tested that the rkhunter-1.4.0-2 package from raring builds and runs fine for both precise and quantal. Side effect of that backport testing is that I have those builds now in my https://launchpad.net/~kholler/+archive/ppa-backports PPA repository.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
I still have the same problem. It was reported several months ago, and the fix is known and is easy to implement; why don't you just fix the package?
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Quantal - still there.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
I have added a backport of the latest version from Debian sid (rkhunter 1.4.0-1) to my PPA: https://launchpad.net/~fmarier/+archive/ppa
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Just copying the executable wasn't enough on my systems. I recommend also copying the 1.4.0 file rkhunter.conf to /etc. After that, create a new file /etc/rkhunter.conf.local and populate it with ALL the different (uncommented) lines from your old 1.3.8 rkhunter.conf. In my opinion, whoever does the repackaging of 1.4.0 for ubuntu distribution will have to make some adjustments to the installation script to follow this new (and improved) scheme for managing local changes to the configuration file.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Ran into this also. Thanks to reinhold for pointing to the patch.

I am just using the stock Ubuntu 12.04 version with the patch manually applied. That is working fine for me in terms of avoiding the false positive.

    vi /usr/bin/rkhunter

At around line 846 and following

    ...
    elif [ -d "${FNAME}" ]; then
        #
        # For the ALLOWHIDDENFILE option we need to allow
        # a hidden symbolic link to a directory.
        #
        test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

        case "${OPT_NAME}" in
    ...

At around line 15102 and following (the change is just a comment)

    ...
    FTYPE=`${FILE_CMD} "${FNAME}" 2>/dev/null | cat -v | tr -s ' ' ' ' | cut -d' ' -f2-`

    #jh - should include block special too.
    #jh - also should cater for 'sticky directory' (like /tmp) when using file.
    test -z "${FTYPE}" -o -n "`echo \"${FTYPE}\" | egrep 'character special|empty'`" && continue
    ...

Update the signature database as the rkhunter file signature has changed with the edits above.

    rkhunter --propupd

And here are the other configuration settings I needed to add to avoid false positives on Ubuntu 12.04 Server.

    vi /etc/rkhunter.conf

Avoid hidden directory/hidden file false positives

    ...
    #
    # Allow the specified hidden directories to be whitelisted.
    #
    # This is a space-separated list of directory pathnames.
    # The option may be specified more than once. The option
    # may use wildcard characters.
    #
    #ALLOWHIDDENDIR=/etc/.java
    #ALLOWHIDDENDIR=/dev/.static
    #ALLOWHIDDENDIR=/dev/.initramfs
    #ALLOWHIDDENDIR=/dev/.SRC-unix
    #ALLOWHIDDENDIR=/dev/.mdadm
    ## add /dev/.udev directory to avoid a false positive
    ALLOWHIDDENDIR=/dev/.udev

    #
    # Allow the specified hidden files to be whitelisted.
    #
    # This is a space-separated list of filenames. The option may
    # be specified more than once. The option may use wildcard
    # characters.
    #
    #ALLOWHIDDENFILE=/etc/.java
    ...
    #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
    ## add /dev/.initramfs symbolic link to avoid a false positive
    ALLOWHIDDENFILE=/dev/.initramfs
    ...

Avoid replaced by a script false positives

    ...
    #
    # Allow the specified commands to be scripts.
    #
    # This is a space-separated list of filenames. The option may
    # be specified more than once. The option may use wildcard
    # characters.
    #
    SCRIPTWHITELIST=/bin/egrep
    SCRIPTWHITELIST=/bin/fgrep
    SCRIPTWHITELIST=/bin/which
    SCRIPTWHITELIST=/usr/bin/groups
    SCRIPTWHITELIST=/usr/bin/ldd
    SCRIPTWHITELIST=/usr/bin/lwp-request
    SCRIPTWHITELIST=/usr/sbin/adduser
    SCRIPTWHITELIST=/usr/sbin/prelink
    ## add /usr/bin/unhide.rb to avoid a false positive
    SCRIPTWHITELIST=/usr/bin/unhide.rb
    ...

Regards,
Tim Miller Dyck
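Why the stock check refuses `ALLOWHIDDENFILE=/dev/.initramfs` and the patched one accepts it, shown as an added example that is not part of the original message and is not rkhunter's own code. It is a simplified model of the quoted `-d` / `-h` tests; the function names, the accept/reject policy and the temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not rkhunter's code. classify_stock, classify_patched,
# verdict and make_fixture are hypothetical names; all paths are constructed.

# Stock check as quoted: -d follows symbolic links, so a symlink that
# points at a directory lands in the "directory" branch.
classify_stock() {    # $1 = option name, $2 = pathname
    if [ -d "$2" ]; then
        echo directory
    elif [ -e "$2" ] || [ -h "$2" ]; then
        echo file
    else
        echo missing
    fi
}

# Patched check: for ALLOWHIDDENFILE only, a symlink (-h) to a directory
# is let through as a file entry before the directory branch applies.
classify_patched() {  # $1 = option name, $2 = pathname
    if [ "$1" = ALLOWHIDDENFILE ] && [ -h "$2" ] && [ -d "$2" ]; then
        echo file
    else
        classify_stock "$1" "$2"
    fi
}

# Assumed policy for this model: ALLOWHIDDENDIR takes directories,
# every other option takes files.
verdict() {           # $1 = stock|patched, $2 = option name, $3 = pathname
    kind=$("classify_$1" "$2" "$3")
    case "$2:$kind" in
        ALLOWHIDDENDIR:directory) echo accepted ;;
        ALLOWHIDDENDIR:*)         echo rejected ;;
        *:file)                   echo accepted ;;
        *)                        echo rejected ;;
    esac
}

# Constructed stand-in for /dev/.initramfs -> /run/initramfs.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/run_initramfs" "$root/.udev"
    ln -s "$root/run_initramfs" "$root/.initramfs"
    : > "$root/.hidden_file"
    echo "$root"
}

demo_root=$(make_fixture)
for mode in stock patched; do
    for opt in ALLOWHIDDENFILE SCRIPTWHITELIST; do
        echo "$mode $opt .initramfs: $(verdict "$mode" "$opt" "$demo_root/.initramfs")"
    done
done
rm -rf "$demo_root"
```

Only the ALLOWHIDDENFILE case changes between the two modes; in this model a symlink to a directory given to any other file option is still refused, which matches the narrow scope of the quoted test.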
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Downloading the tarfile rkhunter-1.4.0.tar.gz from http://sourceforge.net/projects/rkhunter/files/ and just copying the files/rkhunter script from the tarfile over /usr/bin/rkhunter seems to be fine as a workaround - the false positive is gone.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
NEW DISTRIBUTION, AND OLD BUG! :-)

In the version of rkhunter 1.3.8-10 that is distributed with Ubuntu 12.04 LTS this bug is present again. The patch has been in RKhunter CVS since August 2011 and the related URL is in another comment of this bug (http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.405&r2=1.406&sortby=date)

It is a security package and the only workaround is to disable the filesystem test! (DISABLE_TESTS = File System in rkhunter.conf) This is not safe or appropriate for system security.

Please ... use the patch or release a new version of rkhunter or something! ... This bug was reported seven months ago and is still not assigned and does not have a priority! ... It is also repeated in bugs #883416, #896916 and #926156

Who is the maintainer of this package in Ubuntu ?¿?¿
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
> Who is the maintainer of this package in Ubuntu ?¿?¿

According to https://launchpad.net/ubuntu/+source/rkhunter, the Debian Forensics team (https://launchpad.net/~forensics-devel) which, apparently, does not use Launchpad... (IOW, there doesn't seem to be anyone in Ubuntu claiming responsibility.)

According to https://launchpad.net/rkhunter, the Registry Administrators team (https://launchpad.net/~registry). IOW, nobody in Ubuntu really cares about this.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Awesome!! I'll search for a package ported to Ubuntu from a higher version included in Precise (1.4.0 I hope) .. :(
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
** Tags added: precise
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
+1. Please backport!
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
version 1.3.8-10 from the precise pangolin beta repository has the same problem (symlink to /run/initramfs) as reported against the oneiric 1.3.8-7 package.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
This is still the case on precise which is still using rkhunter 1.3.8.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Getting the false positive every morning (as reinhold and Robby point out) is not only annoying but increases the risk of ignoring a real problem: the security software that cried wolf. Please backport the upstream fix to oneiric.
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
+1 for a backport to oneiric. Getting emails from all of my machines with this error is highly annoying...
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Can't the ubuntu maintainers simply backport that patch to the oneiric version? It's a simple fix, and the ubuntu packages seem to backport fixes regularly, so why not here, too?

http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.405&r2=1.406&sortby=date

Right now, I get daily mails from all my machines about this false positive, which highly increases the chance that I miss it when a real problem appears, because simply deleting those false positives has become a habit...

Cheers,
Reinhold
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
** Tags added: oneiric
[Bug 883324] Re: False positive: Hidden file (symbolic link to directory) cannot be white-listed
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: rkhunter (Ubuntu)
       Status: New => Confirmed