Ran into this also. Thanks to reinhold for pointing to the patch.
I am just using the stock Ubuntu 12.04 version with the patch manually
applied. That is working fine for me in terms of avoiding the false
positive.
vi /usr/bin/rkhunter
At around line 846 and following
...
elif [ -d "${FNAME}" ]; then
    #
    # For the ALLOWHIDDENFILE option we need to allow
    # a hidden symbolic link to a directory.
    #
    test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

    case "${OPT_NAME}" in
...
At around line 15102 and following (the change is just a comment)
...
FTYPE=`${FILE_CMD} ${FNAME} 2>/dev/null | cat -v | tr -s '\n' ' ' | cut -d' ' -f2-`

#jh - should include block special too.
#jh - also should cater for 'sticky directory' (like /tmp) when using file.
test -z "${FTYPE}" -o -n "`echo \"${FTYPE}\" | egrep 'character special|empty'`" && continue
...
Update the signature database as the rkhunter file signature has changed
with the edits above.
rkhunter --propupd
And here are the other configuration settings I needed to add to avoid false
positives on Ubuntu 12.04 Server.
vi /etc/rkhunter.conf
Avoid hidden directory/hidden file false positives
...
#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
## add /dev/.udev directory to avoid a false positive
ALLOWHIDDENDIR="/dev/.udev"
#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
...
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
## add /dev/.initramfs symbolic link to avoid a false positive
ALLOWHIDDENFILE="/dev/.initramfs"
...
Avoid "replaced by a script" false positives
...
#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
## add /usr/bin/unhide.rb to avoid a false positive
SCRIPTWHITELIST=/usr/bin/unhide.rb
...
Regards,
Tim Miller Dyck
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/883324
Title:
False positive: Hidden file (symbolic link to directory) cannot be
white-listed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/883324/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
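The whitelist behaviour this report is about, as an added example that is not part of the bug report or of rkhunter itself: a small POSIX sh model of how a hidden path is matched against ALLOWHIDDENDIR and ALLOWHIDDENFILE once the patch is applied, so that a hidden symbolic link to a directory can be accepted under ALLOWHIDDENFILE (the case bug 883324 says could not be whitelisted before). The ALLOWHIDDENDIR_LIST/ALLOWHIDDENFILE_LIST variables, the in_list/hidden_check/demo_setup functions, the throwaway directory tree and the use of test(1) instead of file(1) for the type check are all assumptions of this example; the real rkhunter reads the options from /etc/rkhunter.conf, walks the filesystem and runs file(1).

```shell
#!/bin/sh
# Added example, not code from rkhunter or from the bug report.
# Models the hidden-path whitelist decision after the patch: a symlink whose
# target is a directory is treated as a hidden *file* and may be whitelisted
# with ALLOWHIDDENFILE, while a real directory needs ALLOWHIDDENDIR.

# Space-separated whitelists mirroring the two rkhunter.conf options.
# Entries may contain shell wildcards. Filled in by demo_setup below.
ALLOWHIDDENDIR_LIST=""
ALLOWHIDDENFILE_LIST=""

# in_list NAME LIST -> 0 if NAME matches any pattern in LIST.
# Globbing is switched off while LIST is word-split so a pattern such as
# /dev/.* is matched against NAME, not expanded against the filesystem.
in_list() {
    _name=$1
    set -f
    for _pat in $2; do
        case "$_name" in
            $_pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# hidden_check PATH -> prints "skip" (whitelisted or ignored) or "warn"
# (rkhunter would report it) and returns 0 or 1 accordingly.
hidden_check() {
    _f=$1
    if [ -h "$_f" ] && [ -d "$_f" ]; then
        # Symbolic link to a directory: the patched code consults
        # ALLOWHIDDENFILE here. Note that -d follows the link, so this
        # branch must be tested before the plain-directory branch.
        in_list "$_f" "$ALLOWHIDDENFILE_LIST" && { echo skip; return 0; }
    elif [ -d "$_f" ]; then
        # Real directory: only ALLOWHIDDENDIR applies.
        in_list "$_f" "$ALLOWHIDDENDIR_LIST" && { echo skip; return 0; }
    else
        in_list "$_f" "$ALLOWHIDDENFILE_LIST" && { echo skip; return 0; }
        # rkhunter ignores character-special and empty files; the "#jh"
        # comment in its source says block-special should be ignored too,
        # so that is included here (test(1) stands in for file(1)).
        if [ -c "$_f" ] || [ -b "$_f" ] || [ ! -s "$_f" ]; then
            echo skip; return 0
        fi
    fi
    echo warn
    return 1
}

# demo_setup -> builds a constructed tree under DEMO_ROOT and sets the two
# whitelists to mirror the additions from the report (/dev/.udev as a hidden
# directory, /dev/.initramfs as a hidden symlink to a directory).
demo_setup() {
    DEMO_ROOT=$(mktemp -d)
    mkdir "$DEMO_ROOT/.udev"                        # hidden dir, whitelisted
    mkdir "$DEMO_ROOT/.realdir"
    ln -s "$DEMO_ROOT/.realdir" "$DEMO_ROOT/.initramfs"  # hidden link -> dir
    mkdir "$DEMO_ROOT/.notlisted"                   # hidden dir, not listed
    printf 'x' > "$DEMO_ROOT/.secret"               # non-empty hidden file
    : > "$DEMO_ROOT/.empty"                         # empty hidden file
    ALLOWHIDDENDIR_LIST="$DEMO_ROOT/.udev"
    ALLOWHIDDENFILE_LIST="$DEMO_ROOT/.initramfs"
}

demo_setup
for _p in "$DEMO_ROOT/.udev" "$DEMO_ROOT/.initramfs" "$DEMO_ROOT/.notlisted" \
          "$DEMO_ROOT/.secret" "$DEMO_ROOT/.empty"; do
    printf '%-5s %s\n' "$(hidden_check "$_p")" "$_p"
done
rm -rf "$DEMO_ROOT"
```

Run it with `sh` on any Linux box; the only paths it touches are under the temporary DEMO_ROOT. Clearing ALLOWHIDDENFILE_LIST and re-running hidden_check on the link shows the report's false positive coming back, and putting the link into ALLOWHIDDENDIR_LIST instead does not silence it, which is why the post adds /dev/.initramfs under ALLOWHIDDENFILE rather than ALLOWHIDDENDIR. As the post also notes, any edit to /usr/bin/rkhunter itself has to be followed by `rkhunter --propupd`, or the next run flags the scanner's own changed checksum.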