Ran into this also. Thanks to reinhold for pointing to the patch. I am just using the stock Ubuntu 12.04 version with the patch manually applied. That is working fine for me in terms of avoiding the false positive.
vi /usr/bin/rkhunter

At around line 846 and following

...
elif [ -d "${FNAME}" ]; then
#
# For the ALLOWHIDDENFILE option we need to allow
# a hidden symbolic link to a directory.
#
test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue
case "${OPT_NAME}" in
...

At around line 15102 and following (the change is just a comment)

...
FTYPE=`${FILE_CMD} ${FNAME} 2>/dev/null | cat -v | tr -s ' ' ' ' | cut -d' ' -f2-`
#jh - should include block special too.
#jh - also should cater for 'sticky directory' (like /tmp) when using file.
test -z "${FTYPE}" -o -n "`echo \"${FTYPE}\" | egrep 'character special|empty'`" && continue
...

Update the signature database as the rkhunter file signature has changed with the edits above.

rkhunter --propupd

And here are the other configuration settings I needed to add to avoid false positives on Ubuntu 12.04 Server.

vi /etc/rkhunter.conf

Avoid hidden directory/hidden file false positives

...
#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
## add /dev/.udev directory to avoid a false positive
ALLOWHIDDENDIR="/dev/.udev"

#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
...
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
## add /dev/.initramfs symbolic link to avoid a false positive
ALLOWHIDDENFILE="/dev/.initramfs"
...

Avoid "replaced by a script" false positives

...
#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
## add /usr/bin/unhide.rb to avoid a false positive
SCRIPTWHITELIST=/usr/bin/unhide.rb
...

Regards,
Tim Miller Dyck

--
https://bugs.launchpad.net/bugs/883324

Title:
  False positive: Hidden file (symbolic link to directory) cannot be white-listed
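
Added example (not part of the original message and not rkhunter's code): a small sandbox showing why a hidden symbolic link to a directory needs the extra -h test quoted above. [ -d ] follows symlinks, so the link lands in the directory branch. The function names, the sandbox paths and the assumption that the directory branch otherwise refuses the entry are all hypothetical.

```shell
#!/bin/sh
# Added illustration, not rkhunter code; all names here are hypothetical.
# Models a validator for a "file" whitelist option. Assumption: a pathname
# that lands in the directory branch is refused unless explicitly allowed.

# Before the patch: [ -d ] follows symlinks, so a link to a directory
# is treated exactly like a real directory and refused.
validate_file_entry_stock() {
    if [ -f "$1" ]; then
        echo accepted
    elif [ -d "$1" ]; then
        echo rejected-directory
    else
        echo rejected-missing
    fi
}

# After the patch: inside the directory branch, [ -h ] recognises the
# symlink itself and lets it through; real directories are still refused.
validate_file_entry_patched() {
    if [ -f "$1" ]; then
        echo accepted
    elif [ -d "$1" ]; then
        if [ -h "$1" ]; then echo accepted-symlink; else echo rejected-directory; fi
    else
        echo rejected-missing
    fi
}

# Constructed sandbox: a hidden symlink to a directory, a hidden real
# directory and a hidden regular file, all under a temporary root.
demo_setup() {
    DEMO_ROOT=$(mktemp -d) || return 1
    mkdir "$DEMO_ROOT/target_dir" "$DEMO_ROOT/.realdir"
    ln -s "$DEMO_ROOT/target_dir" "$DEMO_ROOT/.initramfs"
    : > "$DEMO_ROOT/.hiddenfile"
}
demo_cleanup() { rm -rf "$DEMO_ROOT"; }

run_demo() {
    demo_setup || return 1
    for p in .initramfs .realdir .hiddenfile; do
        printf '%-12s stock=%s patched=%s\n' "$p" \
            "$(validate_file_entry_stock "$DEMO_ROOT/$p")" \
            "$(validate_file_entry_patched "$DEMO_ROOT/$p")"
    done
    demo_cleanup
}
run_demo
```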