#71 Using --rootdir option generates false positive in 1.3.8

closed
Status: closed
Group: Detection (54)
Priority: 5
Updated: 2011-11-10
Created: 2010-12-08
Creator: Téquila
Private: No

Hi,
I'm in a case where I'm checking remote shared disks, so I'm using the --rootdir option. Everything was fine with 1.3.6, but now during the file properties checks I get warnings due to files from rkhunter.dat not existing in the properties file db, as in:
...
Warning: The file '/usr/sbin/tcpd' does not exist on the system, but it is present in the rkhunter.dat file.
Warning: The file '/usr/sbin/useradd' does not exist on the system, but it is present in the rkhunter.dat file.
Warning: The file '/usr/sbin/userdel' does not exist on the system, but it is present in the rkhunter.dat file.
Warning: The file '/usr/sbin/usermod' does not exist on the system, but it is present in the rkhunter.dat file.
...

I identified where the problem should be in the rkhunter script: in the tests from line 10110 to 10127 in the 1.3.8 released version. I didn't test it, but I think "grep \"^${FNAME}$\" ${RKH_FILEPROP_LIST}" at line 10111 should be replaced by "grep \"^${RDIR}${FNAME}$\" ${RKH_FILEPROP_LIST}", with just ${RDIR} inserted before "${FNAME}".

For example, if I have "/usr/sbin/useradd" in my rkhunter.dat, I have "/rkhunter-root/usr/sbin/useradd" lines in my rkhunter_prop_list.dat after I run rkhunter with the --propupd option (and of course always with the same --rootdir /rkhunter-root as during a check).

Btw, great work with Rkhunter, thanks.
Tequila
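
The mismatch described in the report, reproduced as an added example (this is not rkhunter's own code, and the file contents, file names and the count_missing helper are constructed for illustration). The properties list is written with the --rootdir prefix on every path, while rkhunter.dat holds the bare path, so an anchored grep for the bare path never matches and every entry is reported as "does not exist on the system". Prepending ${RDIR} to the pattern restores the match, and leaves the non-rootdir case (empty RDIR, unprefixed list) unchanged, which is the point John Horne raises below about users who do not use --rootdir.

```shell
#!/bin/sh
# Added example, not rkhunter code: shows why an unprefixed lookup fails
# against a properties list written under --rootdir, and how prefixing fixes it.
set -e

# Constructed stand-in for rkhunter_prop_list.dat produced by
# "rkhunter --propupd --rootdir /rkhunter-root" (paths carry the prefix).
PROPLIST_ROOT=$(mktemp)
cat > "$PROPLIST_ROOT" <<'EOF'
/rkhunter-root/usr/sbin/tcpd
/rkhunter-root/usr/sbin/useradd
/rkhunter-root/usr/sbin/userdel
/rkhunter-root/usr/sbin/usermod
EOF

# Constructed stand-in for the same list produced without --rootdir.
PROPLIST_PLAIN=$(mktemp)
cat > "$PROPLIST_PLAIN" <<'EOF'
/usr/sbin/tcpd
/usr/sbin/useradd
/usr/sbin/userdel
/usr/sbin/usermod
EOF
trap 'rm -f "$PROPLIST_ROOT" "$PROPLIST_PLAIN"' EXIT

# Constructed stand-in for the file names held in rkhunter.dat (never prefixed).
# /usr/sbin/nologin is deliberately absent from both lists, so it is a
# genuine "not in the properties file" case rather than a false positive.
DATFILES="/usr/sbin/tcpd /usr/sbin/useradd /usr/sbin/userdel /usr/sbin/usermod /usr/sbin/nologin"

# in_proplist LIST RDIR FNAME
# The lookup at issue: with RDIR empty this is the 1.3.8 behaviour the report
# describes; with RDIR set to the --rootdir value it is the proposed change.
in_proplist() {
    list=$1; rdir=$2; fname=$3
    grep -q "^${rdir}${fname}\$" "$list"
}

# count_missing LIST RDIR
# Number of rkhunter.dat entries that would trigger the
# "does not exist on the system, but it is present in the rkhunter.dat file" warning.
count_missing() {
    list=$1; rdir=$2; missing=0
    for f in $DATFILES; do
        if ! in_proplist "$list" "$rdir" "$f"; then
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Stand-alone run: the three cases side by side.
echo "rootdir list, no prefix in pattern (1.3.8): $(count_missing "$PROPLIST_ROOT" "") missing"
echo "rootdir list, RDIR prepended (proposed):    $(count_missing "$PROPLIST_ROOT" /rkhunter-root) missing"
echo "plain list, empty RDIR (non-rootdir users):  $(count_missing "$PROPLIST_PLAIN" "") missing"
```

One caveat a practitioner would add when making this change: the pattern is interpreted as a regular expression, so a path containing regex metacharacters (a "." in a file name is enough) can match more than the literal line. Matching the whole line as a fixed string, for example grep -qxF -- "${RDIR}${FNAME}", avoids that while keeping the same exact-line semantics as the "^...$" anchors.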

Discussion

  • John Horne

    John Horne - 2011-01-12

    The '--rootdir' option is not well supported and very patchy throughout the rkhunter program. As such it requires a complete overhaul, but that is a large job. To be honest I am surprised that anyone is using it, or rather that it works!

    I don't think the fix you mentioned above is sufficient, but I would suggest modifying your copy of rkhunter and testing it. Can you let me know if it works please.

    I am a little loath to provide a fix since it will be adding to the rootdir code whereas it should really be recoded completely. Having said that, if the minor change above works, then it should not affect anyone using RKH without the rootdir option, and I suspect that is the majority of users. As such adding it back into RKH should be okay.

     
  • John Horne

    John Horne - 2011-01-12
    • assigned_to: nobody --> jhorne
    • status: open --> pending
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending --> closed
     
  • John Horne

    John Horne - 2011-02-10
    • status: closed --> open
     
  • John Horne

    John Horne - 2011-02-10
    • status: open --> pending
     
  • John Horne

    John Horne - 2011-11-10
    • status: pending --> closed
     
