#137 rkhunter reports its own tmp files as suspicious (suspscan test)

main
closed-invalid
None
5
2015-04-26
2015-04-25
No

The following was reported at https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/1342866:

"When run from the default Ubuntu cron file (/etc/cron.daily/rkhunter), if the option 'suspscan' is included, rkhunter reports the tmp file created by its own cron job as suspicious:

Warning: File '/tmp/tmp.Vnv2CeoUes' (score: 230) contains some suspicious content and should be checked.
Warning: Checking for files with suspicious contents [ Warning ]

This is caused by using 'mktemp' in the cron bash script, which by default puts temp files in '/tmp'. The solution is to change the line

OUTFILE=`mktemp` || exit 1

to

OUTFILE=`mktemp -p /var/lib/rkhunter/tmp` || exit 1

so that the temp file is put in rkhunter's whitelisted tmp directory."
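
An added example, not part of the original ticket, rkhunter, or the Ubuntu cron script: instead of hard-coding the path, a wrapper can read the temp directory from the rkhunter configuration and refuse world-writable locations such as '/tmp'. The function names and the sample config are constructed; it assumes the `TMPDIR` option of rkhunter.conf and a `mktemp` that supports `-p`.

```shell
#!/bin/sh
# Added example: helper names and the sample config below are constructed.

# Print the TMPDIR value from an rkhunter-style config file (last match wins).
# Commented-out lines ("#TMPDIR=...") are ignored.
rkh_tmpdir() {
    sed -n 's/^[[:space:]]*TMPDIR[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Create the report file inside directory $1 and print its path.
# Fails if the directory is missing or writable by other users (as /tmp is).
make_outfile() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    # find prints the directory itself only when the "other write" bit is set.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable directory refused: $dir" >&2
        return 1
    fi
    mktemp -p "$dir"
}

# Demonstration on constructed data in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -m 700 "$scratch/private"                     # stands in for rkhunter's tmp dir
    mkdir "$scratch/shared" && chmod 1777 "$scratch/shared"   # stands in for /tmp
    printf '# constructed sample config\nTMPDIR=%s\n' "$scratch/private" \
        > "$scratch/rkhunter.conf"

    out=$(make_outfile "$(rkh_tmpdir "$scratch/rkhunter.conf")") \
        && echo "created: $out"
    make_outfile "$scratch/shared" 2>/dev/null || echo "refused: $scratch/shared"
    rm -rf "$scratch"
}

demo
```

In a cron script the equivalent of the line quoted above would be `OUTFILE=$(make_outfile "$(rkh_tmpdir /etc/rkhunter.conf)") || exit 1`, where the config path is an assumption about the local installation.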

Discussion

    John Horne - 2015-04-26

    The RKH installer does not allow the use of '/tmp' for temporary files. This is obviously something set by Ubuntu after installation. We also do not provide any cron job to run RKH except in the RPM spec file, and that does not specify any temporary file.

    The above is an Ubuntu problem, not an rkhunter one.

     
    John Horne - 2015-04-26
    • status: open --> closed-invalid
    • assigned_to: John Horne
     