Bug#695099: rkhunter: Presence of unhide.rb results in spurious warning
Yago Jesus
yjesus at security-projects.com
Tue Dec 4 15:00:16 UTC 2012
I have a doubt (sorry, not exactly related to this mail ...)
Does rkhunter only suggest unhide.rb? Or is it a Debian decision?
Thank you
2012/12/4 Frederik Himpe <fhimpe at vub.ac.be>
> Package: rkhunter
> Version: 1.4.0-1
> Severity: normal
>
> When unhide.rb (recommended by rkhunter) is installed, this results in a
> spurious warning because unhide.rb is a ruby script and not a binary file:
> [09:47:05] /usr/bin/unhide.rb [ Warning ]
> [09:47:05] Warning: The command '/usr/bin/unhide.rb' has been replaced by
> a script: /usr/bin/unhide.rb: Ruby script, ASCII text
>
> I had to add:
> SCRIPTWHITELIST=/usr/bin/unhide.rb
>
> to rkhunter.conf to stop this warning. This should probably be done by
> default.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (300, 'testing'), (200, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages rkhunter depends on:
> ii binutils 2.22-7.1
> ii debconf [debconf-2.0] 1.5.46
> ii file 5.11-2
> ii net-tools 1.60-24.2
> ii perl 5.14.2-15
> ii ucf 3.0025+nmu3
>
> Versions of packages rkhunter recommends:
> ii curl 7.28.0-3
> ii elinks 0.12~pre5-9
> ii exim4-daemon-light [mail-transport-agent] 4.80-5.1
> ii iproute 20120521-3
> ii lsof 4.86+dfsg-1
> ii unhide.rb 13-1
> ii wget 1.14-1
>
> Versions of packages rkhunter suggests:
> ii bsd-mailx [mailx] 8.1.2-0.20111106cvs-1
> pn libdigest-whirlpool-perl <none>
> pn liburi-perl <none>
> pn libwww-perl <none>
> pn powermgmt-base <none>
> pn tripwire <none>
>
> -- Configuration Files:
> /etc/rkhunter.conf changed:
> ROTATE_MIRRORS=1
> UPDATE_MIRRORS=1
> MIRRORS_MODE=0
> MAIL-ON-WARNING="root"
> MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
> TMPDIR=/var/lib/rkhunter/tmp
> DBDIR=/var/lib/rkhunter/db
> SCRIPTDIR=/usr/share/rkhunter/scripts
> UPDATE_LANG=""
> LOGFILE=/var/log/rkhunter.log
> APPEND_LOG=0
> COPY_LOG_ON_ERROR=0
> COLOR_SET2=0
> AUTO_X_DETECT=1
> WHITELISTED_IS_WHITE=0
> ALLOW_SSH_ROOT_USER=no
> ALLOW_SSH_PROT_V1=0
> ENABLE_TESTS="all"
> DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"
> SCRIPTWHITELIST=/bin/egrep
> SCRIPTWHITELIST=/bin/fgrep
> SCRIPTWHITELIST=/bin/which
> SCRIPTWHITELIST=/usr/bin/groups
> SCRIPTWHITELIST=/usr/bin/ldd
> SCRIPTWHITELIST=/usr/bin/lwp-request
> SCRIPTWHITELIST=/usr/sbin/adduser
> SCRIPTWHITELIST=/usr/sbin/prelink
> SCRIPTWHITELIST=/usr/bin/unhide.rb
> IMMUTABLE_SET=0
> PHALANX2_DIRTEST=0
> ALLOW_SYSLOG_REMOTE_LOGGING=0
> SUSPSCAN_TEMP=/dev/shm
> SUSPSCAN_MAXSIZE=10240000
> SUSPSCAN_THRESH=200
> USE_LOCKING=0
> LOCK_TIMEOUT=300
> SHOW_LOCK_MSGS=1
> DISABLE_UNHIDE=1
> INSTALLDIR="/usr"
>
>
> -- debconf information:
> * rkhunter/apt_autogen: true
> * rkhunter/cron_daily_run: true
> * rkhunter/cron_db_update: true
>
> _______________________________________________
> forensics-devel mailing list
> forensics-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
>
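The check the quoted report trips on, modelled as an added example (this is not rkhunter's own code): a command that the scanner expects to be a compiled binary is reported when it turns out to be a script, unless its full path appears in a SCRIPTWHITELIST line of rkhunter.conf. rkhunter classifies the command from the output of file(1), which is where the "Ruby script, ASCII text" text in the warning comes from; to run without file(1) this example looks for a "#!" shebang in the first two bytes instead, which is a simplification and an assumption, not rkhunter's method. The sandbox paths, the stand-in unhide.rb and lsof files, and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Models the "command ... has been
# replaced by a script" check and the SCRIPTWHITELIST suppression from
# rkhunter.conf. Assumption: a file is "a script" when it starts with "#!";
# the real tool uses file(1) output for that decision.

# is_script PATH -> succeeds when the file starts with a "#!" interpreter line
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# is_whitelisted PATH CONF -> succeeds when CONF holds the exact line
# "SCRIPTWHITELIST=PATH" (fixed-string, whole-line match: one full path per line)
is_whitelisted() {
    grep -qxF "SCRIPTWHITELIST=$1" "$2"
}

# check_cmd PATH CONF -> prints a log-style verdict; exit status 1 on a warning
check_cmd() {
    if is_script "$1" && ! is_whitelisted "$1" "$2"; then
        printf '%s [ Warning ] replaced by a script\n' "$1"
        return 1
    fi
    printf '%s [ OK ]\n' "$1"
    return 0
}

# count_warnings CONF PATH... -> echoes how many of the PATHs raise a warning
count_warnings() {
    conf=$1; shift
    n=0
    for cmd in "$@"; do
        check_cmd "$cmd" "$conf" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# run_demo -> builds a constructed sandbox with stand-ins for /usr/bin/unhide.rb
# (a Ruby script) and a compiled command, then echoes the warning count before
# and after the SCRIPTWHITELIST line from the report is added ("before=N after=M").
run_demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/usr/bin"
    # constructed stand-in for the Debian unhide.rb package: a Ruby script
    printf '#!/usr/bin/env ruby\nputs "unhide"\n' > "$sandbox/usr/bin/unhide.rb"
    # constructed stand-in for a compiled command: begins with the ELF magic bytes
    printf '\177ELF' > "$sandbox/usr/bin/lsof"
    conf="$sandbox/rkhunter.conf"
    printf 'DISABLE_UNHIDE=1\n' > "$conf"

    before=$(count_warnings "$conf" "$sandbox/usr/bin/unhide.rb" "$sandbox/usr/bin/lsof")
    # the fix from the report: whitelist the script by its full path
    printf 'SCRIPTWHITELIST=%s\n' "$sandbox/usr/bin/unhide.rb" >> "$conf"
    after=$(count_warnings "$conf" "$sandbox/usr/bin/unhide.rb" "$sandbox/usr/bin/lsof")

    rm -rf "$sandbox"
    echo "before=$before after=$after"
}

run_demo
```

The whole-line, fixed-string match in is_whitelisted is deliberate: SCRIPTWHITELIST takes one full path per line, so a whitelist entry for /usr/bin/unhide.rb must not also silence a script that merely shares a prefix with it.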