[Bug 219840] Re: rkhunter reports hidden directories under /dev
The attachment "rkhunter-warnings.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/219840 Title: rkhunter reports hidden directories under /dev To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/219840/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 219840] Re: rkhunter reports hidden directories under /dev
This issue is still unresolved. It makes absolutely no sense for a default installation of rkhunter on a fresh installation of Ubuntu 14.04.
** Patch added: "rkhunter-warnings.patch" https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/219840/+attachment/4228217/+files/rkhunter-warnings.patch
[Bug 219840] Re: rkhunter reports hidden directories under /dev
This bug makes RKhunter mostly unusable without altering the crontab entry to not report this. Here's why: getting a report from rkhunter needs to be a serious event, one where people take notice and fix a root kit, a possible intrusion into the system. If rkhunter is giving false positives, then it's really difficult to know when it's serious (the machine has been rooted) or when it's not (some hidden normal dir in /dev/). How has this been unresolved since 2008?
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I have these in my /etc/rkhunter.conf.local:

    SCRIPTWHITELIST=/usr/bin/unhide.rb
    ALLOWHIDDENDIR=/etc/.java
    ALLOWHIDDENDIR=/dev/.udev
    ALLOWHIDDENDIR=/dev/.static
    ALLOWHIDDENFILE=/dev/.blkid.tab
    ALLOWHIDDENFILE=/dev/.blkid.tab.old
    ALLOWDEVFILE=/dev/.initramfs

However for the .initramfs, there's an upstream bug (http://sourceforge.net/mailarchive/message.php?msg_id=28252358) preventing this option from working with symlinks. See bug 883324 for the details and fix.
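The whitelist approach in the message above, as an added example that is not part of the thread or of rkhunter itself: a small Python triage that reads whitelist options in the style of /etc/rkhunter.conf.local and returns only the warnings that no entry covers. The sample config and log are constructed, and the "Hidden directory found" wording and the /dev/.unexpected path are assumptions.

```python
import re

# Warning wording -> option that whitelists it. The hidden-file and script
# wordings are quoted in this thread; the hidden-directory one is assumed.
PATTERNS = [
    ("ALLOWHIDDENDIR", re.compile(r"^Warning: Hidden directory found: (\S+)")),
    ("ALLOWHIDDENFILE", re.compile(r"^Warning: Hidden file found: (\S+?):")),
    ("SCRIPTWHITELIST",
     re.compile(r"^Warning: The command '([^']+)' has been replaced by a script")),
]

# Constructed sample config; one entry is left commented out on purpose.
SAMPLE_CONF = """\
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENFILE=/dev/.blkid.tab
#ALLOWHIDDENFILE=/dev/.blkid.tab.old
SCRIPTWHITELIST=/usr/bin/unhide.rb
"""

# Constructed sample log; /dev/.unexpected is a made-up path.
SAMPLE_LOG = """\
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable
Warning: Hidden directory found: /dev/.unexpected
"""

def parse_whitelist(conf_text):
    """Collect active (uncommented) whitelist paths per option."""
    allowed = {option: set() for option, _ in PATTERNS}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in allowed:  # commented lines have a '#...' key
            allowed[key].update(value.replace('"', "").split())
    return allowed

def unresolved_warnings(log_text, allowed):
    """Return (option, path) for each warning not matched exactly by an entry."""
    remaining = []
    for line in log_text.splitlines():
        for option, pattern in PATTERNS:
            match = pattern.match(line.strip())
            if match and match.group(1) not in allowed[option]:
                remaining.append((option, match.group(1)))
    return remaining

if __name__ == "__main__":
    for option, path in unresolved_warnings(SAMPLE_LOG, parse_whitelist(SAMPLE_CONF)):
        print(f"still reported: {path} (would need {option}={path})")
```

Matching is on the exact path, so an entry for /dev/.blkid.tab does not silence /dev/.blkid.tab.old, and anything left in the output is what still needs a human decision.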
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I think the package should be installed with reasonable defaults; using a configuration file that will scream false positives to anyone doesn't make much sense. I'm also getting this false positive:

    Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: a /usr/bin/ruby -w script text executable

Which is very funny because it is from a package that's only installed as a dependency for rkhunter itself. That script should be whitelisted too.
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I'm also getting this:

    Warning: Hidden file found: /dev/.blkid.tab: ASCII text
    Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text

That's a regression of bug #86153. And yes, rkhunter requires extensive manual installation. Which is a Good Thing IMHO. Without that, an admin won't be able to distinguish false positives from genuine problems. However, the commented-out entries in the conf file should also explain under which circumstances leaving them deactivated will give false positives. E.g. I have no idea which process is generating /dev/.blkid.tab - it contains UUIDs of the block devices, and I see little harm in having these files, but I'd like to be able to check what these files are supposed to contain. (Googling for /dev/.blkid.tab gives either too many or too few hits, depending on what else you enter.)
[Bug 219840] Re: rkhunter reports hidden directories under /dev
** Changed in: rkhunter (Ubuntu) Importance: Undecided => Medium
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I would agree that if Ubuntu ships in this configuration by default, then the rkhunter settings should be adapted accordingly. The other option is for udev and initramfs to check if rkhunter is installed and appropriately configured for them, but I see this as an rkhunter config issue for standard ubuntu configurations.
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I second gray's suggestion.
[Bug 219840] Re: rkhunter reports hidden directories under /dev
The current set-up is consistent with the upstream project's feelings on the subject. Let it detect them but hint it may be ok by putting common whitelists commented out in the conf file. I wonder if it's possible to pop up some kind of warning message at install time - 'rkhunter is installed but a manual review of the settings will be required on most systems'.
[Bug 219840] Re: rkhunter reports hidden directories under /dev
Hi, just a comment - initramfs and udev are surely standard - with java possibly less so (but likely to be installed as the user gets more experienced), so surely rkhunter should be instructed by default to not be concerned about the first 2, and to merely comment on the third? Possibly a slightly more verbose explanation in those instances might be appropriate?
[Bug 219840] Re: rkhunter reports hidden directories under /dev
I second Alex. How many Hardy installs are there without: java, initramfs, or udev?
[Bug 219840] Re: rkhunter reports hidden directories under /dev
Happens in every ubuntu installation where I'm using rkhunter. ** Changed in: rkhunter (Ubuntu) Status: New => Confirmed
[Bug 219840] Re: rkhunter reports hidden directories under /dev
Those 3 directories can be whitelisted in /etc/rkhunter.conf by just uncommenting the corresponding lines. However, the question is whether they should be uncommented by a default Ubuntu installation or not.