Hey, I have just spent a little bit of time digging into this, as I want rkhunter to work (almost) turnkey, without needing users to have to customise any configuration files.
In answer to John, sadly EXISTWHITELIST doesn't handle this situation; it says that the listed files/directories don't need to exist. However, we need to tell rkhunter that egrep and fgrep are allowed to be scripts.

My approach has been twofold so far, and this feels really really ugly, but, oh well.

If we modify /etc/default/rkhunter then it can modify /etc/rkhunter.conf before we run rkhunter via either cron or apt. So even if there is a transient change, it'll get picked up and corrected eventually.

I added this to /etc/default/rkhunter.conf (I also made it handle lwp-request being present, since I hit that as well):

-- BEGIN --
# Okay, this is ugly, modify rkhunter.conf to be able to know where fgrep and
# egrep are. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932594
if [ -f /bin/fgrep ]
then
  # Binaries live in /bin: rewrite any /usr/bin whitelist entries.
  if grep -q "SCRIPTWHITELIST=/usr/bin/egrep" /etc/rkhunter.conf
  then
    sed -i 's,^SCRIPTWHITELIST=/usr/bin/fgrep,SCRIPTWHITELIST=/bin/fgrep,' \
      /etc/rkhunter.conf
    sed -i 's,^SCRIPTWHITELIST=/usr/bin/egrep,SCRIPTWHITELIST=/bin/egrep,' \
      /etc/rkhunter.conf
  fi
elif [ -f /usr/bin/fgrep ]
then
  # Binaries live in /usr/bin: rewrite any /bin whitelist entries.
  if grep -q "SCRIPTWHITELIST=/bin/egrep" /etc/rkhunter.conf
  then
    sed -i 's,^SCRIPTWHITELIST=/bin/fgrep,SCRIPTWHITELIST=/usr/bin/fgrep,' \
      /etc/rkhunter.conf
    sed -i 's,^SCRIPTWHITELIST=/bin/egrep,SCRIPTWHITELIST=/usr/bin/egrep,' \
      /etc/rkhunter.conf
  fi
fi

# If lwp-request is present, then we need SCRIPTWHITELIST for it.
if [ -f /usr/bin/lwp-request ]
then
  # Uncomment the existing entry rather than appending a new one.
  if grep -q "^#SCRIPTWHITELIST=/usr/bin/lwp-request" /etc/rkhunter.conf
  then
    sed -i 's,^#\(SCRIPTWHITELIST=/usr/bin/lwp-request\),\1,' \
      /etc/rkhunter.conf
  fi
fi
-- END --

Then in /usr/share/rkhunter/scripts/rkhupd.sh we add near the top:

-- BEGIN --
. /etc/default/rkhunter
-- END --

I'm sorry.

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz           |
Catalyst Cloud:             | This space intentionally left blank
  https://catalystcloud.nz  |
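A way to confirm the rewrite described in the message above left no stale entries, as an added example that is not part of the original message or of rkhunter: it lists the active SCRIPTWHITELIST lines in a config file and flags any whose path does not exist. The function name check_scriptwhitelist and its optional ROOT prefix argument are hypothetical, and it assumes entries have the plain `SCRIPTWHITELIST=/path` form shown above.

```shell
#!/bin/sh
# Added example (not rkhunter code): audit SCRIPTWHITELIST entries.
# Usage: check_scriptwhitelist CONF [ROOT]
#   CONF  rkhunter.conf-style file to read
#   ROOT  optional prefix for path lookups (hypothetical, used for testing)
# Prints "ok <path>" or "MISSING <path>" per active entry and returns
# non-zero if any whitelisted path is absent.
check_scriptwhitelist() {
    conf=$1
    root=${2:-}
    missing=0
    # Only uncommented entries count; "#SCRIPTWHITELIST=..." is skipped.
    entries=$(sed -n 's,^SCRIPTWHITELIST=\(/[^[:space:]]*\).*,\1,p' "$conf")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$root$path" ]; then
            echo "ok      $path"
        else
            echo "MISSING $path"
            missing=$((missing + 1))
        fi
    done <<EOF
$entries
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample: a throwaway root in which only /bin/egrep exists.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
: > "$demo_root/bin/egrep"
printf '%s\n' 'SCRIPTWHITELIST=/bin/egrep' \
    'SCRIPTWHITELIST=/usr/bin/fgrep' \
    '#SCRIPTWHITELIST=/usr/bin/lwp-request' > "$demo_root/rkhunter.conf"
check_scriptwhitelist "$demo_root/rkhunter.conf" "$demo_root" \
    || echo "stale SCRIPTWHITELIST entries found"
rm -rf "$demo_root"
```

On a real system, `check_scriptwhitelist /etc/rkhunter.conf` after the fix-up has run should report every entry as ok.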