Bug#816089: rkhunter: "Found preloaded shared library" test not understanding comments

reportbug at rather.puzzling.org
Sat Feb 27 11:18:41 UTC 2016


Package: rkhunter
Version: 1.4.2-5
Severity: normal

Dear Maintainer,

A commented-out entry in /etc/ld.so.preload is interpreted as a filename in rkhunter:

pi> cat /etc/ld.so.preload
#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

This alerts:
Warning: Found preloaded shared library: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

If I add this commented-out entry to SHARED_LIB_WHITELIST to try to
fool rkhunter, naturally it doesn't like that this doesn't look like
an absolute filename:

SHARED_LIB_WHITELIST="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"

Invalid SHARED_LIB_WHITELIST configuration option: Relative pathname: #/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

It'd be better if rkhunter understood the comment meant the library
wasn't loaded and hence could not possibly be a threat that had to be
tested.



-- System Information:
Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 8.0 (jessie)
Release:	8.0
Codename:	jessie
Architecture: armv6l

Kernel: Linux 3.18.7+ (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rkhunter depends on:
ii  binutils               2.25-5
ii  debconf [debconf-2.0]  1.5.56
ii  file                   1:5.22+15-2+deb8u1
ii  lsof                   4.86+dfsg-1
ii  net-tools              1.60-26
ii  perl                   5.20.2-3+deb8u3
ii  ucf                    3.0030

Versions of packages rkhunter recommends:
ii  bsd-mailx [mailx]                    8.1.2-0.20141216cvs-2
ii  curl                                 7.38.0-4+deb8u3
ii  iproute2                             4.3.0-1
ii  sendmail-bin [mail-transport-agent]  8.14.4-8
ii  unhide                               20130526-1
ii  unhide.rb                            22-2
ii  wget                                 1.16-1

Versions of packages rkhunter suggests:
ii  liburi-perl     1.64-1
ii  libwww-perl     6.08-1
ii  powermgmt-base  1.31+nmu1

-- Configuration Files:
/etc/rkhunter.conf changed:
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING="tconnors"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
UPDATE_LANG=""
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
COLOR_SET2=0
AUTO_X_DETECT=1
WHITELISTED_IS_WHITE=0
ALLOW_SSH_ROOT_USER=yes
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps immutable"
USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
USER_FILEPROP_FILES_DIRS="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"
USER_FILEPROP_FILES_DIRS="/usr/sbin/ifstatus"
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/unhide.rb
SCRIPTWHITELIST=/usr/sbin/ifstatus
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENFILE=/etc/.serial.conf.old
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/dev/.tmp-block-*:*
ALLOWPROCLISTEN=/sbin/dhclient3
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/network/ifstate
ALLOWDEVFILE=/dev/shm/resolvconf/resolv.conf
ALLOWDEVFILE=/dev/shm/resolvconf/interface/eth0
ALLOWDEVFILE=/dev/shm/resolvconf/interface/wlan0
ALLOWDEVFILE=/dev/shm/resolvconf/interface/lo.pdnsd
INETD_ALLOWED_SVC=nntp
UID0_ACCOUNTS="sashroot"
ALLOW_SYSLOG_REMOTE_LOGGING=0
APP_WHITELIST="0.9.8o gpg:1.4.10 sshd:5.5p1 exim:4.71"
SUSPSCAN_DIRS="/tmp /var/tmp"
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200
RTKT_FILE_WHITELIST="/etc/init.d/hdparm:hdparm"
RTKT_FILE_WHITELIST="/etc/init.d/.depend.boot:hdparm"
SHARED_LIB_WHITELIST="/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so"
USE_LOCKING=0
LOCK_TIMEOUT=300
SHOW_LOCK_MSGS=1
DISABLE_UNHIDE=1
INSTALLDIR="/usr"


-- debconf information:
  rkhunter/cron_daily_run: true
  rkhunter/apt_autogen: true
  rkhunter/cron_db_update: true


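As an added example that is not part of the bug report or of rkhunter's own code: a small POSIX shell check that reads an ld.so.preload-style file the way the reporter expects, drops everything after a `#` as a comment (an assumption made here, not something rkhunter 1.4.2 does according to the report), and warns only for the entries that remain and are not on the whitelist. The sample file contents and library names are constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's code: parse a preload file, ignoring
# comments and blank lines, and warn on entries missing from a whitelist.
# Assumption: '#' starts a comment that runs to the end of the line.

# preload_entries FILE
#   Print one library path per line with comments stripped; entries may be
#   separated by spaces, tabs or colons on the same line.
preload_entries() {
    sed 's/#.*$//' "$1" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# check_preload FILE WHITELIST
#   WHITELIST is a space-separated list of absolute paths. Prints a warning
#   for each remaining entry not in WHITELIST; returns 1 if any was printed.
check_preload() {
    file=$1
    whitelist=$2
    rc=0
    for lib in $(preload_entries "$file"); do
        case " $whitelist " in
            *" $lib "*) ;;   # whitelisted: loaded, but expected
            *)
                echo "Warning: Found preloaded shared library: $lib"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Constructed sample: the reporter's commented-out line, the same library
# actually enabled with a trailing comment, and one unexpected library.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# entire line is a comment
#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so
/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so   # enabled, whitelisted
/usr/lib/libexample-unexpected.so
EOF

check_preload "$SAMPLE" "/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so" \
    || echo "preload check: warnings found"
rm -f "$SAMPLE"
```

Run as-is, the check warns only about `/usr/lib/libexample-unexpected.so`: the commented-out line produces no entry, so it neither triggers a warning nor needs a whitelist entry, which is the behaviour the report asks for.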
