{"id":296,"date":"2012-05-24T08:56:28","date_gmt":"2012-05-24T16:56:28","guid":{"rendered":"https:\/\/digitalcardboard.com\/blog\/?p=296"},"modified":"2012-05-25T07:13:25","modified_gmt":"2012-05-25T15:13:25","slug":"ubuntu-12-04-rkhunter-1-3-8-false-positives","status":"publish","type":"post","link":"https:\/\/digitalcardboard.com\/blog\/2012\/05\/24\/ubuntu-12-04-rkhunter-1-3-8-false-positives\/","title":{"rendered":"Ubuntu 12.04 + rkhunter 1.3.8 = false positives!"},"content":{"rendered":"<p><a href=\"http:\/\/rkhunter.sourceforge.net\/\" target=\"_blank\">rkhunter (Rootkit Hunter)<\/a> is a wonderful tool to assist in securing your system, but it becomes much less helpful if it constantly reports false positives.<\/p>\n<p>After updating your rkhunter.conf file appropriately, you may still be left with the following error:<\/p>\n<blockquote><p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\"><strong>Warning: Hidden file found: \/dev\/.initramfs: symbolic link to `\/run\/initramfs&#8217;<\/strong><\/span><\/p><\/blockquote>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">This file can\u2019t be whitelisted because it\u2019s a symlink, and rkhunter 1.3.8 doesn\u2019t check for this condition. The 1.4.0 release fixes this bug, but it\u2019s not available from the Ubuntu repos. 
So you\u2019ve got a few options.<\/span><\/p>\n<ul>\n<li><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Install rkhunter 1.4.0 manually.<\/span><\/li>\n<li><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Download the rkhunter 1.4.0 tarball and extract the executable and conf file yourself<\/span><\/li>\n<li><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Patch the rkhunter executable<\/span><\/li>\n<\/ul>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">I opted to patch the rkhunter executable, which really amounted to adding a few lines (one actual test case line + a few comments). Follow along!<\/span><\/p>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Open up <strong>\/usr\/bin\/rkhunter<\/strong> and move down to line 834. 
You should see the following:<\/span><\/p>\n<script src=\"https:\/\/gist.github.com\/2782605.js?file=rkhunter-before.sh\"><\/script><noscript><pre><code class=\"language-shell shell\">            #\n            # Now test for the different file types.\n            #\n\n            if [ -f &quot;${FNAME}&quot; ]; then\n                case &quot;${OPT_NAME}&quot; in\n                ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|ROOTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP)\n                    ERRCODE=1\n                    test $CONFIG_CHECK -eq 1 &amp;&amp; RET_CODE=1\n                    echo &quot;Invalid ${OPT_NAME} configuration option: Not a directory: ${FNAME}&quot;\n                    ;;\n                esac\n            elif [ -d &quot;${FNAME}&quot; ]; then\n                case &quot;${OPT_NAME}&quot; in\n                WRITEWHITELIST|IMMUTWHITELIST|SCRIPTWHITELIST|ALLOWHIDDENFILE|LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|RTKT_FILE_WHITELIST|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|WEBCMD|*_CMD)\n                    ERRCODE=1\n                    test $CONFIG_CHECK -eq 1 &amp;&amp; RET_CODE=1\n                    echo &quot;Invalid ${OPT_NAME} configuration option: Not a file: ${FNAME}&quot;\n                    ;;\n                esac<\/code><\/pre><\/noscript>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Now, after line 846, you\u2019ll want to add the following lines:<\/span><\/p>\n<script src=\"https:\/\/gist.github.com\/2782605.js?file=rkhunter-changes.sh\"><\/script><noscript><pre><code
class=\"language-shell shell\">                #\n                # For the ALLOWHIDDENFILE option we need to allow\n                # a hidden symbolic link to a directory.\n                #\n                test &quot;${OPT_NAME}&quot; = &quot;ALLOWHIDDENFILE&quot; -a -h &quot;${FNAME}&quot; &amp;&amp; continue\n<\/code><\/pre><\/noscript>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">So it looks like this:<\/span><\/p>\n<script src=\"https:\/\/gist.github.com\/2782605.js?file=rkhunter-after.sh\"><\/script><noscript><pre><code class=\"language-shell shell\">            #\n            # Now test for the different file types.\n            #\n\n            if [ -f &quot;${FNAME}&quot; ]; then\n                case &quot;${OPT_NAME}&quot; in\n                ALLOWHIDDENDIR|TMPDIR|DBDIR|BINDIR|SCRIPTDIR|ROOTDIR|SSH_CONFIG_DIR|SUSPSCAN_DIRS|SUSPSCAN_TEMP)\n                    ERRCODE=1\n                    test $CONFIG_CHECK -eq 1 &amp;&amp; RET_CODE=1\n                    echo &quot;Invalid ${OPT_NAME} configuration option: Not a directory: ${FNAME}&quot;\n                    ;;\n                esac\n            elif [ -d &quot;${FNAME}&quot; ]; then\n                #\n                # For the ALLOWHIDDENFILE option we need to allow\n                # a hidden symbolic link to a directory.\n                #\n                test &quot;${OPT_NAME}&quot; = &quot;ALLOWHIDDENFILE&quot; -a -h &quot;${FNAME}&quot; &amp;&amp; continue\n\n\n                case &quot;${OPT_NAME}&quot; in\n                WRITEWHITELIST|IMMUTWHITELIST|SCRIPTWHITELIST|ALLOWHIDDENFILE|LOGFILE|SYSLOG_CONFIG_FILE|INETD_CONF_PATH|XINETD_CONF_PATH|PASSWORD_FILE|RTKT_FILE_WHITELIST|OS_VERSION_FILE|IGNORE_PRELINK_DEP_ERR|WEBCMD|*_CMD)\n                    ERRCODE=1\n                    test $CONFIG_CHECK -eq 1 &amp;&amp; RET_CODE=1\n                    echo &quot;Invalid ${OPT_NAME} configuration option: Not a file: ${FNAME}&quot;\n                    ;;\n                esac<\/code><\/pre><\/noscript>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Save the file and then\u00a0open up <strong>\/etc\/rkhunter.conf<\/strong> and add the following line:<\/span><\/p>\n<p><code>ALLOWHIDDENFILE=\"\/dev\/.initramfs\"<\/code><\/p>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Save, and finally, update the rkhunter properties:<\/span><\/p>\n<p><code>sudo rkhunter --propupd<\/code><\/p>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">There you go!
There are a few other items that need to be whitelisted in the conf, but they should all work with the rkhunter 1.3.8, so it&#8217;s just a matter of updating the file accordingly.<\/span><\/p>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">Thanks to <a href=\"https:\/\/launchpad.net\/~reinhold\" target=\"_blank\">reinhold<\/a> and <a href=\"https:\/\/launchpad.net\/~timmillerdyck\" target=\"_blank\">Tim Miller Dyck<\/a> for the patch implementation information and <a href=\"http:\/\/sourceforge.net\/users\/unspawn\" target=\"_blank\">unSpawn<\/a> for the actual patch. Here\u2019s hoping to see an actual backport fix into the Ubuntu repos.<\/span><\/p>\n<h3>More information:<\/h3>\n<ul>\n<li><a href=\"https:\/\/bugs.launchpad.net\/ubuntu\/+source\/rkhunter\/+bug\/883324\" target=\"_blank\">False positive: Hidden file (symbolic link to directory) cannot be white-listed<\/a><\/li>\n<li><a href=\"http:\/\/rkhunter.cvs.sourceforge.net\/viewvc\/rkhunter\/rkhunter\/files\/rkhunter?r1=1.405&amp;r2=1.406&amp;sortby=date&amp;diff_format=h\" target=\"_blank\">SCM Repositories &#8211; rkhunter &#8211; revision 1.406 diff<\/a><\/li>\n<\/ul>\n<p><span style=\"widows: 2; text-transform: none; text-indent: 0px; letter-spacing: normal; display: inline !important; font: 13px arial, sans-serif; white-space: normal; orphans: 2; float: none; color: #222222; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>rkhunter (Rootkit Hunter) is a wonderful tool to assist in securing your system, but it becomes much less helpful if it constantly reports false positives. 
After updating your rkhunter.conf file appropriately, you may still be left with the following error: Warning: Hidden file found: \/dev\/.initramfs: symbolic link to `\/run\/initramfs&#8217; This file can\u2019t be whitelisted because [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29],"tags":[83,23,82,81,84,79],"class_list":["post-296","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-fixes","tag-linux","tag-patches","tag-rkhunter","tag-security","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/comments?post=296"}],"version-history":[{"count":5,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":302,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/posts\/296\/revisions\/302"}],"wp:attachment":[{"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/media?parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/categories?post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digitalcardboard.com\/blog\/wp-json\/wp\/v2\/tags?post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/
{rel}","templated":true}]}}