Hi Axel, thank you for your effort in locating the cause of this!
On 14.02.20 20:21, Axel Beckert wrote:
> c459dfa4 (Francois Marier 2014-10-14 23:24:53 +1300 9958) [pdflush]:IRC bot
> eca1837f (Francois Marier 2017-07-01 20:33:17 -0700 9959) libkeyutils.so.1.9:Spam tool component
> eca1837f (Francois Marier 2017-07-01 20:33:17 -0700 9960) .IptabLex:malware component
>
> So it's solely the filename and it's in there since at least 2017.
> And the change which triggered this warning is this commit:
>
> commit 0f70f77491bb6976a2bf761224fec1a9cc6cfb87
> Author: David Howells <dhowe...@redhat.com>
> Date: Wed May 29 23:37:15 2019 +0100
>
> Add support for KEYCTL_MOVE
>
> Signed-off-by: David Howells <dhowe...@redhat.com>
>
> diff --git a/version.lds b/version.lds
> index 9317222..9e78ea2 100644
> --- a/version.lds
> +++ b/version.lds
> @@ -91,3 +91,9 @@ KEYUTILS_1.8 {
> keyctl_pkey_verify;
>
> } KEYUTILS_1.7;
> +
> +KEYUTILS_1.9 {
> + /* Management functions */
> + keyctl_move;
> +
> +} KEYUTILS_1.8;
>
> Doesn't look like a rootkit addition to me, just bumping the SONAME.
> (And the adding of KEYCTL_MOVE neither.) Lowering the severity to
> default ("normal")...
>
> IMHO this is a bug in rkhunter, but it could also be solved in
> keyutils by bumping the SONAME again, i.e. skipping this SONAME
> version explicitly. But feel free to reassign.

The SONAME wasn't changed. keyutils used versioned symbols, so that file above actually generates a symbol keyctl_move@KEYUTILS_1.9 (you can see it in libkeyutils1.symbols). The only way I can see this changing properly is when a new symbol gets added.

I could maybe hack around this now, but I am not sure that doing so would be the right solution, if the problem is rkhunter only matching on a filename (not size, content, etc.). Because what would rkhunter do when someone starts calling a malware file "grep" or something... I'll have to think about this...
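Review bot: the commit message ("Add support for KEYCTL_MOVE") does not mention that the version.lds hunk opens a new symbol-version node, KEYUTILS_1.9, chained to KEYUTILS_1.8; since that node name becomes part of the exported symbol name (keyctl_move@KEYUTILS_1.9, as noted in the reply above, and visible in libkeyutils1.symbols) it is worth a line in the message so that packagers can see the version script changed while the SONAME did not. The quoted hunk covers only version.lds, so the declaration and implementation of keyctl_move are not visible here and cannot be checked against the version node.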
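As an added illustration of the point made in the reply, and not code from the bug thread, rkhunter or keyutils: a small Python sketch contrasting a filename-only rule with a check of the same file against the package's recorded md5sums (the data dpkg's own verification uses). The three signature entries are the ones quoted above; the library path, file bytes and manifest are constructed stand-ins.

```python
"""Filename-only signature match vs. package-manifest verification.

Constructed example: a rule keyed on the basename "libkeyutils.so.1.9"
fires on the legitimate library, while comparing the file's md5 with the
hash recorded in the owning package's md5sums file separates a packaged
library from an unowned or modified file of the same name.
"""
import hashlib
import os

# rkhunter-style "filename:description" entries, as quoted in the thread.
RKHUNTER_FILE_SIGS = {
    "[pdflush]": "IRC bot",
    "libkeyutils.so.1.9": "Spam tool component",
    ".IptabLex": "malware component",
}

# Constructed stand-in for the library bytes and for the package's
# md5sums manifest (paths relative to /, as dpkg records them).
FAKE_LIB_BYTES = b"\x7fELF constructed stand-in for libkeyutils.so.1.9"
PACKAGE_MD5SUMS = {
    "lib/x86_64-linux-gnu/libkeyutils.so.1.9": hashlib.md5(FAKE_LIB_BYTES).hexdigest(),
}


def filename_only_match(path):
    """What a filename-only rule sees: the basename and nothing else."""
    return RKHUNTER_FILE_SIGS.get(os.path.basename(path))


def classify(path, content):
    """Filename rule first, then confirm against the package manifest."""
    desc = filename_only_match(path)
    if desc is None:
        return "clean"
    recorded = PACKAGE_MD5SUMS.get(path.lstrip("/"))
    if recorded is None:
        return f"suspicious: {desc} (not owned by any package)"
    if hashlib.md5(content).hexdigest() != recorded:
        return f"suspicious: {desc} (content differs from package manifest)"
    return f"false positive: {desc} (matches package manifest)"


if __name__ == "__main__":
    print(classify("/lib/x86_64-linux-gnu/libkeyutils.so.1.9", FAKE_LIB_BYTES))
    print(classify("/tmp/libkeyutils.so.1.9", FAKE_LIB_BYTES))
```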