Bug#816089: rkhunter: "Found preloaded shared library" test not understanding comments
reportbug at rather.puzzling.org
reportbug at rather.puzzling.org
Sat Feb 27 11:18:41 UTC 2016
Package: rkhunter
Version: 1.4.2-5
Severity: normal
Dear Maintainer,
A commented out entry in /etc/ld.so.preload is interpreted as a filename in rkhunter:
pi> cat /etc/ld.so.preload
#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so
This alerts:
Warning: Found preloaded shared library: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so
If I add this commented out entry to SHARED_LIB_WHITELIST to try to
fool rkhunter, naturally it doesn't like that this doesn't look like
an absolute filename:
SHARED_LIB_WHITELIST="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"
Invalid SHARED_LIB_WHITELIST configuration option: Relative pathname: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so
It'd be better if rkhunter understood the comment meant the library
wasn't loaded and hence could not possibly be a threat that had to be
tested.
-- System Information:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 8.0 (jessie)
Release: 8.0
Codename: jessie
Architecture: armv6l
Kernel: Linux 3.18.7+ (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rkhunter depends on:
ii binutils 2.25-5
ii debconf [debconf-2.0] 1.5.56
ii file 1:5.22+15-2+deb8u1
ii lsof 4.86+dfsg-1
ii net-tools 1.60-26
ii perl 5.20.2-3+deb8u3
ii ucf 3.0030
Versions of packages rkhunter recommends:
ii bsd-mailx [mailx] 8.1.2-0.20141216cvs-2
ii curl 7.38.0-4+deb8u3
ii iproute2 4.3.0-1
ii sendmail-bin [mail-transport-agent] 8.14.4-8
ii unhide 20130526-1
ii unhide.rb 22-2
ii wget 1.16-1
Versions of packages rkhunter suggests:
ii liburi-perl 1.64-1
ii libwww-perl 6.08-1
ii powermgmt-base 1.31+nmu1
-- Configuration Files:
/etc/rkhunter.conf changed:
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING="tconnors"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
UPDATE_LANG=""
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
COLOR_SET2=0
AUTO_X_DETECT=1
WHITELISTED_IS_WHITE=0
ALLOW_SSH_ROOT_USER=yes
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps immutable"
USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
USER_FILEPROP_FILES_DIRS="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"
USER_FILEPROP_FILES_DIRS="/usr/sbin/ifstatus"
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/unhide.rb
SCRIPTWHITELIST=/usr/sbin/ifstatus
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.serial.conf.old
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/dev/.tmp-block-*:*
ALLOWPROCLISTEN=/sbin/dhclient3
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/network/ifstate
ALLOWDEVFILE=/dev/shm/resolvconf/resolv.conf
ALLOWDEVFILE=/dev/shm/resolvconf/interface/eth0
ALLOWDEVFILE=/dev/shm/resolvconf/interface/wlan0
ALLOWDEVFILE=/dev/shm/resolvconf/interface/lo.pdnsd
INETD_ALLOWED_SVC=nntp
UID0_ACCOUNTS="sashroot"
ALLOW_SYSLOG_REMOTE_LOGGING=0
APP_WHITELIST="0.9.8o gpg:1.4.10 sshd:5.5p1 exim:4.71"
SUSPSCAN_DIRS="/tmp /var/tmp"
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200
RTKT_FILE_WHITELIST="/etc/init.d/hdparm:hdparm"
RTKT_FILE_WHITELIST="/etc/init.d/.depend.boot:hdparm"
SHARED_LIB_WHITELIST="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"
USE_LOCKING=0
LOCK_TIMEOUT=300
SHOW_LOCK_MSGS=1
DISABLE_UNHIDE=1
INSTALLDIR="/usr"
-- debconf information:
rkhunter/cron_daily_run: true
rkhunter/apt_autogen: true
rkhunter/cron_db_update: true
More information about the forensics-devel
mailing list