Bug#859622: rkhunter: False positive /tmp/config and /tmp/servers created by package websvn

Sebastien Koechlin seb.debianpkg at koocotte.org
Wed Apr 5 10:07:21 UTC 2017 

Package: rkhunter
Version: 1.4.2-0.4
Severity: minor

Dear Maintainer,

I'm not sure if it's rkhunter or websvn responsability.

When using the websvn package; it create two configuration files in the /tmp directory
called config and servers owned by www-data.

Thoses two files create anoying and false positive warnings:

Warning: File '/tmp/config' (score: 292) contains some suspicious content and should be checked.
Warning: File '/tmp/servers' (score: 241) contains some suspicious content and should be checked.
Warning: Checking for files with suspicious contents [ Warning ]

It would be good if thoses warning can be removed from an out-of-the-box
installation.

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages rkhunter depends on:
ii  binutils               2.25-5
ii  debconf [debconf-2.0]  1.5.56
ii  file                   1:5.22+15-2+deb8u3
ii  net-tools              1.60-26+b1
ii  perl                   5.20.2-3+deb8u6
ii  ucf                    3.0030

Versions of packages rkhunter recommends:
ii  curl                            7.38.0-4+deb8u5
pn  iproute                         <none>
ii  lsof                            4.86+dfsg-1
ii  postfix [mail-transport-agent]  2.11.3-1
ii  unhide                          20121229-1+b1
ii  wget                            1.16-1+deb8u1

Versions of packages rkhunter suggests:
ii  bsd-mailx [mailx]         8.1.2-0.20141216cvs-2
pn  libdigest-whirlpool-perl  <none>
ii  liburi-perl               1.64-1
ii  libwww-perl               6.08-1
pn  powermgmt-base            <none>
pn  tripwire                  <none>

-- Configuration Files:
/etc/rkhunter.conf changed [not included]

-- debconf information:
* rkhunter/apt_autogen: true
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: true
-------------- next part --------------
A non-text attachment was scrubbed...
Name: files.tgz
Type: application/gzip
Size: 5572 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20170405/5442d048/attachment.bin>

More information about the forensics-devel mailing list