Categories
System Administration

Ubuntu 12.04 + rkhunter 1.3.8 = false positives!

rkhunter (Rootkit Hunter) is a wonderful tool to assist in securing your system, but it becomes much less helpful if it constantly reports false positives.

After updating your rkhunter.conf file appropriately, you may still be left with the following error:

Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs’

This file can’t be whitelisted because it’s a symlink, and rkhunter 1.3.8 doesn’t check for this condition. The 1.4.0 release fixes this bug, but it’s not available from the Ubuntu repos. So you’ve got a few options.

  • Install rkhunter 1.4.0 manually.
  • Download the rkhunter 1.4.0 tarball and extract the executable and conf file yourself
  • Patch the rkhunter executable

I opted to patch the rkhunter executable, which really amounted to adding a few lines (one actual test case line + a few comments). Follow along!

Open up /usr/bin/rkhunter and move down to line 834. You should see the following:

Now, after line 846, you’ll want to add the following lines:

So it looks like this:

Save the file and then open up /etc/rkhunter.conf and add the following line:

ALLOWHIDDENFILE="/dev/.initramfs"

Save, and finally, update the rkhunter properties:

sudo rkhunter –-propupd

There you go! There are a few other items that need to be whitelisted in the conf, but they should all work with the rkhunter 1.3.8, so it’s just a matter of updating the file accordingly.

Thanks to reinhold and Tim Miller Dyck for the patch implementation information and unSpawn for the actual patch. Here’s hoping to see an actual backport fix into the Ubuntu repos.

More information: