Ubuntu 12.04 + rkhunter 1.3.8 = false positives!

rkhunter (Rootkit Hunter) is a wonderful tool to assist in securing your system, but it becomes much less helpful if it constantly reports false positives.

After updating your rkhunter.conf file appropriately, you may still be left with the following error:

Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

This file can’t be whitelisted because it’s a symlink, and rkhunter 1.3.8 doesn’t check for this condition. The 1.4.0 release fixes this bug, but it’s not available from the Ubuntu repos. So you’ve got a few options.

  • Install rkhunter 1.4.0 manually.
  • Download the rkhunter 1.4.0 tarball and extract the executable and conf file yourself.
  • Patch the rkhunter executable.

I opted to patch the rkhunter executable, which really amounted to adding a few lines (one actual test case line + a few comments). Follow along!

Open up /usr/bin/rkhunter and move down to line 834. You should see the following:

Now, after line 846, you’ll want to add the following lines:

So it looks like this:

Save the file and then open up /etc/rkhunter.conf and add the following line:

ALLOWHIDDENFILE="/dev/.initramfs"

Save, and finally, update the rkhunter properties:

sudo rkhunter --propupd

There you go! There are a few other items that need to be whitelisted in the conf, but they should all work with the rkhunter 1.3.8, so it’s just a matter of updating the file accordingly.
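The patch lines themselves did not survive on this page, so here is an added example (my own, not rkhunter's code and not unSpawn's patch) of the decision the whitelist has to make: a hidden entry under /dev is acceptable only if it is listed in ALLOWHIDDENFILE, and that has to hold whether the entry is a regular file or a symlink. The `check_files_only` function shows how a check that only consults the whitelist for regular files lets a symlink slip through to the warning, which is the gap the post describes; `check_with_symlinks` tests `-L` before `-e` so that both live and dangling symlinks can be whitelisted. The temp directory, the `/dev/.initramfs` and `/dev/.dangling` symlinks, and the space-separated whitelist are all constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: models the hidden-file whitelist
# decision for regular files versus symlinks. Paths and the whitelist are
# constructed inside a temporary directory, so nothing on the real system is
# touched.

# is_whitelisted PATH LIST -> exit 0 if PATH appears in the space-separated LIST
# (rkhunter.conf uses one path per ALLOWHIDDENFILE line; the single-string
# list here is a simplification for the example).
is_whitelisted() {
    for allowed in $2; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# check_files_only PATH LIST
# Consults the whitelist only for regular files (-f). A symlink to a directory
# follows the link and fails -f, and a dangling symlink fails it too, so neither
# ever reaches the whitelist and both are always reported. This illustrates the
# gap the post describes; it is not a copy of rkhunter 1.3.8's check.
check_files_only() {
    if [ -f "$1" ] && is_whitelisted "$1" "$2"; then
        echo ok
    else
        echo warn
    fi
}

# check_with_symlinks PATH LIST
# -L is tested before -e on purpose: a dangling symlink fails -e but is still a
# hidden entry that an operator may legitimately need to whitelist.
check_with_symlinks() {
    if [ ! -L "$1" ] && [ ! -e "$1" ]; then
        echo absent
    elif is_whitelisted "$1" "$2"; then
        echo ok
    else
        echo warn
    fi
}

# make_fixture -> prints a temp dir holding a constructed dev/.initramfs ->
# run/initramfs symlink (the case from the post) plus a dangling hidden symlink.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/run/initramfs"
    ln -s "$d/run/initramfs" "$d/dev/.initramfs"
    ln -s "$d/nowhere" "$d/dev/.dangling"
    echo "$d"
}

# Stand-alone run: compare both checks on the fixture, then clean up.
fixture=$(make_fixture)
list="$fixture/dev/.initramfs $fixture/dev/.dangling"
for entry in "$fixture/dev/.initramfs" "$fixture/dev/.dangling" "$fixture/dev/.unknown"; do
    printf '%s  files-only=%s  with-symlinks=%s\n' "$entry" \
        "$(check_files_only "$entry" "$list")" \
        "$(check_with_symlinks "$entry" "$list")"
done
rm -rf "$fixture"
```

Run it with `sh` to see `/dev/.initramfs` reported as `warn` by the files-only check and `ok` by the symlink-aware one; the unknown entry comes back `absent` rather than `warn`, which is the distinction you want when a whitelist entry refers to something that no longer exists.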

Thanks to reinhold and Tim Miller Dyck for the patch implementation information and unSpawn for the actual patch. Here’s hoping to see an actual backport fix into the Ubuntu repos.

More information:



3 Comments

  1. Posted July 31, 2012 at 1:08 am | Permalink

    Brilliant! It works. Just plain works.

  2. Posted September 23, 2012 at 10:43 pm | Permalink

    Thanks, works like a charm.

  3. Matthieu
    Posted March 22, 2013 at 11:55 pm | Permalink

    Brilliant, thanks a lot !
