Bug#794315: rkhunter: Path names not working in PORT_WHITELIST

Matthieu Dalstein deb at dalmat.net
Sat Aug 1 08:27:10 UTC 2015


Package: rkhunter
Version: 1.4.2-0.4
Severity: normal

Dear Maintainer,

The PORT_WHITELIST option related to the hidden_ports test seems to fail when an executable path name is specified.
The documentation mentions the ability to filter by executable. I used the proposed sample option from the configuration file, which fails with the following error:
Invalid entry specified in PORT_WHITELIST configuration option: /home/user1/abc
Invalid entry specified in PORT_WHITELIST configuration option: /opt/xyz

Please note that the issue occurs as well with a valid executable:
# rkhunter --enable-tests hidden_ports
Invalid entry specified in PORT_WHITELIST configuration option: /bin/ls


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.14.10-Dalmat (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages rkhunter depends on:
ii  binutils               2.25-5
ii  debconf [debconf-2.0]  1.5.56
ii  file                   1:5.22+15-2
ii  net-tools              1.60-26+b1
ii  perl                   5.20.2-3+deb8u1
ii  ucf                    3.0030

Versions of packages rkhunter recommends:
ii  curl                            7.38.0-4+deb8u2
ii  iproute                         1:3.16.0-2
ii  lsof                            4.86+dfsg-1
ii  lynx                            2.8.9dev1-2
ii  postfix [mail-transport-agent]  2.11.3-1
ii  unhide                          20121229-1+b1
ii  wget                            1.16-1

Versions of packages rkhunter suggests:
ii  bsd-mailx [mailx]         8.1.2-0.20141216cvs-2
pn  libdigest-whirlpool-perl  <none>
ii  liburi-perl               1.64-1
ii  libwww-perl               6.08-1
pn  powermgmt-base            <none>
pn  tripwire                  <none>

-- Configuration Files:
/etc/apt/apt.conf.d/90rkhunter changed:
// Makes sure that rkhunter file properties database is updated after each remove or install only if hashes test is enabled
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && ( ! grep -q -E '^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)' /etc/rkhunter.conf || grep -q -E '^ENABLE_TESTS=.*(hashes|attributes|properties)' /etc/rkhunter.conf); then /usr/bin/rkhunter --propupd --nolog; fi" }

/etc/default/rkhunter a7083f49a7dad11ce1ae4e5e20d00cf2 [Errno 2] Aucun fichier ou dossier de ce type: u'/etc/default/rkhunter a7083f49a7dad11ce1ae4e5e20d00cf2'
/etc/rkhunter.conf changed:
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING=""
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
UPDATE_LANG=""
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
COLOR_SET2=0
AUTO_X_DETECT=1
WHITELISTED_IS_WHITE=0
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files"
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/etc/.hg
ALLOWHIDDENFILE=/dev/shm/.run-transition
ALLOWPROCDELFILE=/usr/lib/dovecot/imap-login
ALLOWPROCDELFILE=/usr/lib/dovecot/imap:/srv/Mails/**/dovecot.index
ALLOWPROCDELFILE=/usr/lib/apache2/mpm-prefork/apache2:/run/apache2/ssl_mutex
ALLOWPROCDELFILE=/usr/sbin/dovecot:/run/dovecot/login-master-n*
ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
ALLOWPROCDELFILE=/bin/dash:/tmp/tmp*
ALLOWPROCDELFILE=/bin/dash:/var/log/tt-rss*
ALLOWPROCDELFILE=/usr/sbin/smbd:/var/log/samba/log*
ALLOWPROCDELFILE=/usr/sbin/cron:/tmp/tmp*
ALLOWPROCDELFILE=/bin/run-parts:/tmp/tmp*
ALLOWPROCDELFILE=/usr/bin/php5:/var/lib/tt-rss/update_daemon.lock
ALLOWPROCDELFILE=/usr/bin/php5:/var/log/tt-rss*
ALLOWDEVFILE=/dev/shm/network/ifstate
ALLOWDEVFILE=/dev/.udev/*
ALLOWDEVFILE=/dev/.udev/*/*
ALLOW_SYSLOG_REMOTE_LOGGING=0
SUSPSCAN_DIRS="/tmp /var/tmp"
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200
PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
USE_LOCKING=0
LOCK_TIMEOUT=300
SHOW_LOCK_MSGS=1
INSTALLDIR="/usr"


-- debconf information excluded
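The report above shows three entry forms that the PORT_WHITELIST documentation describes: an absolute executable path, TCP:<port> and UDP:<port>. The following POSIX sh validator is an added example, not rkhunter's own parsing code; it assumes those three forms are the only valid ones and that a port must be an integer from 1 to 65535, and uses a constructed sample value (the reporter's entries plus two deliberately bad ones) so the check can be run before rkhunter itself is pointed at a config file.

```shell
#!/bin/sh
# Added example: validate rkhunter-style PORT_WHITELIST entries.
# Assumption (not confirmed against rkhunter's source): an entry is valid if
# it is an absolute path, or TCP:<port> / UDP:<port> with 1 <= port <= 65535.

# Return 0 if a single entry is well-formed, 1 otherwise.
port_whitelist_entry_ok() {
    entry=$1
    case "$entry" in
        /*)
            # Executable path form: accepted when absolute; existence and
            # the executable bit are the admin's responsibility on the target host.
            return 0 ;;
        TCP:*|UDP:*)
            port=${entry#*:}
            # Reject empty or non-numeric port strings.
            case "$port" in
                ''|*[!0-9]*) return 1 ;;
            esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && return 0
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Validate a whole space-separated PORT_WHITELIST value: print each offender
# to stderr and return the number of invalid entries (0 means all are well-formed,
# capped at 255 so the value survives as a shell exit status).
check_port_whitelist() {
    bad=0
    for e in $1; do
        if ! port_whitelist_entry_ok "$e"; then
            echo "Invalid entry specified in PORT_WHITELIST: $e" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Constructed sample: the value from the bug report plus an out-of-range
# port and a bare word that matches none of the documented forms.
SAMPLE="/home/user1/abc /opt/xyz TCP:2001 UDP:32011 TCP:99999 foo"

if check_port_whitelist "$SAMPLE"; then
    echo "PORT_WHITELIST looks well-formed"
else
    echo "$? invalid PORT_WHITELIST entries" >&2
fi
```

The validator only checks the syntax that the documentation describes; it does not reproduce the "Invalid entry specified" failure from the report, which rkhunter 1.4.2 raises for path entries that are syntactically fine, so a clean result here does not mean the installed rkhunter will accept the value.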
