#78 Broken symlink across nfs mount warning problem

closed-fixed
John Horne
Detection (54)
5
2011-11-16
2011-06-06
tom
No

Dear All,

I am running the CVS version of RKH and get the following warning, which I cannot prevent:

[16:02:37] Info: Starting file properties data update...
[16:02:37] Info: Created temporary file '/var/lib/rkhunter/tmp/rkhunter.dat.gOuAT27128'
[16:02:38] Collecting O/S info...
[16:02:38] Info: Found system architecture: x86_64
[16:02:38] Info: Found release file: /etc/redhat-release
[16:02:38] Info: Found O/S name: Scientific Linux CERN SLC release 5.6 (Boron)
[16:02:38] Getting file properties...
[16:02:38] Warning: No hash value found for file '/usr/local/bin/lynx'
[16:02:38] The file is a broken link: /usr/local/bin/lynx -> /usr/bin/lynx

Some points:
(1) /usr/local/bin/lynx is a symlink but /usr/bin/lynx does not exist on the target machine.
(2) /usr/local is remote mounted from a central server but /usr/bin is local to the target machine.
(3) I have other symlinks in /usr/local/bin which are also broken but the difference is they point to other locations within /usr/local and RKH does not issue warnings.
(4) I would prefer not to have to delete /usr/local/bin/lynx as other machines on which I would like to run RKH also remote mount /usr/local from the same server but do have /usr/bin/lynx present.
(5) I have tried the following options in rkhunter.conf but without success:
USER_FILEPROP_FILES_DIRS="!/usr/local/bin/lynx"
EXISTWHITELIST="/usr/local/bin/lynx /usr/bin/lynx"

Is this a bug? Any ideas for a workaround?

Many thanks
Tom Crane.

P.S. I have attached the complete rkhunter.conf should any other settings be relevant.

Discussion

  • tom
    2011-06-06

    Attachments: rkhunter.conf
  • John Horne
    2011-11-10

    • assigned_to: nobody --> jhorne
    • status: open --> pending
     
  • John Horne
    2011-11-10

    Apologies for the delay in replying. I'll run some tests to try and reproduce the problem (I'm assuming just a broken link should cause it).

     
  • John Horne
    2011-11-12

    I have reproduced the problem. However, adding a USER_FILEPROP_FILES_DIRS to the config file prevented a warning from appearing. The log file confirms this (in my case):

    Info: Excluding from file properties check:
    /usr/local/bin/jhf

    Can you try adding the entry:

    USER_FILEPROP_FILES_DIRS="!/usr/local/bin/lynx"

    to your configuration again please, then run 'rkhunter --propupd --rwo'. If a warning is still shown, then please run 'rkhunter --propupd --debug' and email me the debug file created in the /tmp directory. (Email to: jhorne @ plymouth.ac.uk).

    I think the EXISTWHITELIST option should probably also have worked in this case. It is used in the file properties check, so should probably work when '--propupd' is used too. I will look into that.

     
  • John Horne
    2011-11-16

    • status: pending --> closed-fixed
     
  • John Horne
    2011-11-16

    Fixed in CVS.

    In your case putting 'EXISTWHITELIST=/usr/bin/lynx' should stop warnings from appearing.
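
An audit helper for the situation in this ticket, as an added example that is not part of the ticket or of rkhunter: it lists symlinks in a shared directory whose targets are missing on the local host and prints an EXISTWHITELIST line for those targets, in the space-separated form quoted above. The function names are hypothetical; it assumes a `readlink` command is available and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not rkhunter code. Function names are hypothetical.

# Print "link<TAB>target" for every symlink directly inside $1 whose
# target does not exist on this host.
dangling_links() {
    for link in "$1"/*; do
        # -L: the entry is a symlink; ! -e: following it reaches nothing.
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            target=$(readlink "$link")
            # A relative target is relative to the directory holding the link.
            case $target in
                /*) ;;
                *)  target="$(dirname "$link")/$target" ;;
            esac
            printf '%s\t%s\n' "$link" "$target"
        fi
    done
    return 0
}

# Build one EXISTWHITELIST line from the missing targets (column 2).
# Assumption: no target path contains whitespace, since the option value
# is a space-separated list.
whitelist_line() {
    targets=$(dangling_links "$1" | cut -f2 | sort -u | tr '\n' ' ')
    targets=${targets% }            # drop the trailing separator
    if [ -n "$targets" ]; then
        printf 'EXISTWHITELIST="%s"\n' "$targets"
    fi
    return 0
}

# When called with a directory argument, show the links and the line.
if [ "$#" -gt 0 ]; then
    dangling_links "$1"
    whitelist_line "$1"
fi
```

Run it on each host that mounts the shared directory, because the set of missing targets differs from host to host.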