Bug#695099: rkhunter: Presence of unhide.rb results in spurious warning
Frederik Himpe
fhimpe at vub.ac.be
Tue Dec 4 08:59:23 UTC 2012
Package: rkhunter
Version: 1.4.0-1
Severity: normal
When unhide.rb (recommended by rkhunter) is installed, this results in a spurious
warning because unhide.rb is a ruby script and not a binary file:
[09:47:05] /usr/bin/unhide.rb [ Warning ]
[09:47:05] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
I had to add:
SCRIPTWHITELIST=/usr/bin/unhide.rb
to rkhunter.conf to stop this warning. This should probably be done by default.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (300, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rkhunter depends on:
ii binutils 2.22-7.1
ii debconf [debconf-2.0] 1.5.46
ii file 5.11-2
ii net-tools 1.60-24.2
ii perl 5.14.2-15
ii ucf 3.0025+nmu3
Versions of packages rkhunter recommends:
ii curl 7.28.0-3
ii elinks 0.12~pre5-9
ii exim4-daemon-light [mail-transport-agent] 4.80-5.1
ii iproute 20120521-3
ii lsof 4.86+dfsg-1
ii unhide.rb 13-1
ii wget 1.14-1
Versions of packages rkhunter suggests:
ii bsd-mailx [mailx] 8.1.2-0.20111106cvs-1
pn libdigest-whirlpool-perl <none>
pn liburi-perl <none>
pn libwww-perl <none>
pn powermgmt-base <none>
pn tripwire <none>
-- Configuration Files:
/etc/rkhunter.conf changed:
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING="root"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
UPDATE_LANG=""
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
COLOR_SET2=0
AUTO_X_DETECT=1
WHITELISTED_IS_WHITE=0
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
SCRIPTWHITELIST=/usr/bin/unhide.rb
IMMUTABLE_SET=0
PHALANX2_DIRTEST=0
ALLOW_SYSLOG_REMOTE_LOGGING=0
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200
USE_LOCKING=0
LOCK_TIMEOUT=300
SHOW_LOCK_MSGS=1
DISABLE_UNHIDE=1
INSTALLDIR="/usr"
-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true
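The warning above comes from the rkhunter test that checks whether a command on its list has been "replaced by a script" and then consults SCRIPTWHITELIST before reporting it. The POSIX shell script below is an added example of that logic written for this page; it is not rkhunter's own code. rkhunter decides the file type with file(1); here a shebang check stands in for it so the example runs offline, and the command files and rkhunter.conf it inspects are constructed fixtures in a temporary directory, not the real /usr/bin/unhide.rb or /etc/rkhunter.conf.

```shell
#!/bin/sh
# Added example: re-implements the idea behind rkhunter's "replaced by a
# script" test and its SCRIPTWHITELIST lookup. Not rkhunter's own code.

# is_script FILE: succeeds if FILE begins with "#!", the interpreter line of a
# script. (Assumption: rkhunter itself uses file(1); a shebang check stands in
# for it here so the example needs no external file database.)
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# is_whitelisted CONF FILE: succeeds if CONF contains the exact line
# SCRIPTWHITELIST=FILE (fixed-string, whole-line match, as in rkhunter.conf).
is_whitelisted() {
    grep -qxF -- "SCRIPTWHITELIST=$2" "$1"
}

# check_cmd CONF FILE: prints the verdict rkhunter would reach for FILE.
#   OK          - not a script, nothing to report
#   Whitelisted - a script, but listed under SCRIPTWHITELIST in CONF
#   Warning     - a script and not whitelisted (the case in the bug report)
check_cmd() {
    conf=$1
    f=$2
    if ! is_script "$f"; then
        echo "OK"
    elif is_whitelisted "$conf" "$f"; then
        echo "Whitelisted"
    else
        echo "Warning"
    fi
}

# make_fixture: builds a constructed test directory and prints its path.
# Contains a fake ELF-like binary "ls", a Ruby script "unhide.rb" (standing in
# for /usr/bin/unhide.rb) and an rkhunter.conf that whitelists the script.
make_fixture() {
    dir=$(mktemp -d)
    printf '\177ELF\002\001\001not-really-a-binary\n' > "$dir/ls"
    printf '#!/usr/bin/ruby\nputs "constructed stand-in for unhide.rb"\n' \
        > "$dir/unhide.rb"
    printf 'SCRIPTWHITELIST=%s/unhide.rb\n' "$dir" > "$dir/rkhunter.conf"
    echo "$dir"
}

# Demonstration run when executed directly.
fixture=$(make_fixture)
for cmd in ls unhide.rb; do
    printf '%-24s %s\n' "$fixture/$cmd" \
        "$(check_cmd "$fixture/rkhunter.conf" "$fixture/$cmd")"
done
# Remove the whitelist line and the script is reported, as in the bug report.
: > "$fixture/rkhunter.conf"
printf '%-24s %s (no SCRIPTWHITELIST)\n' "$fixture/unhide.rb" \
    "$(check_cmd "$fixture/rkhunter.conf" "$fixture/unhide.rb")"
rm -rf "$fixture"
```

On a real system the equivalent check is `file -b /usr/bin/unhide.rb`, which is where the "Ruby script, ASCII text" in the warning comes from; the whitelist line has to match the path rkhunter resolved, exactly as written, for the warning to go away.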