I tried running "rkhunter --enable filesystem" using the latest snapshot on Ubuntu 22.04, and I am not seeing the grep warning anymore (it did still give me the suspicious files in /dev warning, as expected for a default config). Looking at the log file, I do see this line, so it looks like it switched shells properly.

[14:19:35] Info: Environment shell is /bin/bash; rkhunter is using bash
[14:19:35] Info: Unknown shell changed from /usr/bin/dash to bash

Somewhat interesting is the log entry for...
Does /etc/rkhunter.conf contain this line? Mine does.

SCRIPTWHITELIST=/usr/bin/which.debianutils

I see that Ubuntu 20.04 does not have it, but 22.04 does. Maybe your conf file wasn't merged with upstream changes? I see this changelog entry:

rkhunter (1.4.6-10) unstable; urgency=medium

  * Add /usr/bin/which.debianutils to SCRIPTWHITELIST.
  * Bump Standards-Version up to 4.6.0.

 -- Francois Marier <francois@debian.org>  Sun, 22 Aug 2021 11:14:44 -0700
The command you provided works fine without warnings (it even works fine without the tr). Keep in mind that it's the 'echo' command in dash that is causing the escape sequences to be converted to their actual ASCII characters. If you chain together the 'file' and 'grep' commands, I wouldn't expect any warnings about binary files to display, since 'file' produces "clean" output. However, rkhunter captures the results in FTYPE, then echoes it out to grep because of the special case for MACOSX. If I...
Okay, I did a little more testing and narrowed down when it's happening, and it's a bash vs dash echo thing (Ubuntu uses dash for /bin/sh). The 'file' command is actually returning regular backslash-escaped text. I was able to create a test file that triggers the false detection that you can use (it should be 22 bytes).

$ echo -ne '\x0\x0\x0\x0\xd0\xd0\xd0\xd0\x6\x0\x0\x0\x0\x0\x0\x0\x10\x0\x0\x0\xca\x18' >testfile
$ file testfile
testfile: Matlab v4 mat-file (little endian) \312\030, numeric, rows...
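The dash-vs-bash echo behaviour described in the post above, as an added example that is not part of the thread or of rkhunter's own code: it rebuilds the 22-byte test file with portable octal escapes, shows that an escape-interpreting echo turns the literal text \312\030 from 'file' into raw bytes while printf '%s' leaves it alone, and runs the grep check on the safe form. Function names are made up, and printf '%b' stands in for dash's echo so the script runs under any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter: what dash's builtin
# echo does to the text that 'file' returns, and the portable fix.
# Function names here are made up for the demonstration.
LC_ALL=C; export LC_ALL

# Recreate the thread's 22-byte test file with POSIX octal escapes
# (the thread's 'echo -ne \x..' form only works in bash). Prints the size.
make_testfile() {
    printf '\000\000\000\000\320\320\320\320\006\000\000\000\000\000\000\000\020\000\000\000\312\030' > "$1"
    wc -c < "$1" | tr -d ' '
}

# The description 'file' prints for that file, as quoted in the thread: the
# bytes 0xCA 0x18 come back as the literal eight characters \312\030.
FTYPE='testfile: Matlab v4 mat-file (little endian) \312\030, numeric'

# dash's echo interprets backslash escapes unconditionally; printf '%b'
# does the same in every POSIX shell, so it stands in for dash here.
echo_like_dash() { printf '%b\n' "$1"; }

# printf '%s' never interprets its argument: the text stays plain ASCII.
echo_safe() { printf '%s\n' "$1"; }

# Count bytes outside printable ASCII (newline excluded) on stdin.
nonprintable_bytes() { tr -d '[:print:]\n' | wc -c | tr -d ' '; }

# The check as the thread describes it: capture FTYPE, then feed it to
# grep. With the safe echo, grep matches on text and never sees binary.
classify_safe() { echo_safe "$1" | grep -c 'Matlab'; }
```

Under a UTF-8 locale the two raw bytes from the dash-style echo are what make grep treat its input as binary; the printf '%s' form yields zero such bytes and still matches.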
rkhunter generates "bogus" grep warnings