#95 False positive: /usr/bin/unhide.rb is a script

Milestone: main
Status: closed-wont-fix
Labels: Detection (54)
Priority: 5
Updated: 2014-09-21
Created: 2013-01-17
Creator: Anonymous
Private: No

Hi!

I have a problem with rkhunter CVS post 1.4.

1. Install unhide.rb in /usr/bin:
http://bazaar.launchpad.net/~walles/unhide.rb/trunk/files

2. Run rkhunter.

Current result:
* rkhunter warns about /usr/bin/unhide.rb being a script (search for unhide.rb in the attached log)

Expected result:
* rkhunter shouldn't report anything since unhide.rb is *supposed* to be a (Ruby) script.

Suggestion:
* Add the following line to the rkhunter.conf file that you ship:
SCRIPTWHITELIST="/usr/bin/unhide.rb"

Regards //Johan

Discussion

  • Anonymous

    Anonymous - 2013-01-17

    rkhunter.log falsely warning about /usr/bin/unhide.rb being a script

     
    Last edit: Anonymous 2014-11-07
    Attachments
  • John Horne

    John Horne - 2013-11-11

    The point is that rkhunter doesn't know if it should be a script or not. It assumes things will be binary (commands), and so any scripts need to be whitelisted. That is for the user to do after they have verified that the file should indeed be a script.

    We can't add a SCRIPTWHITELIST entry for the simple reason that not everyone has 'unhide.rb' installed. A non-existent file will cause an error.

     
  • John Horne

    John Horne - 2013-11-11
    • status: open --> closed-wont-fix
    • assigned_to: John Horne
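
One way to follow the maintainer's advice above, as an added example that is not rkhunter code or part of this ticket: a shell function (the name `script_whitelist_lines` is hypothetical) that prints a SCRIPTWHITELIST line only for files that are installed and whose first line is a `#!` naming the expected interpreter, so an entry for a missing file never reaches the configuration.

```shell
#!/bin/sh
# Added example, not rkhunter code. script_whitelist_lines is a hypothetical helper.
# Usage: script_whitelist_lines INTERPRETER FILE...
# Prints a SCRIPTWHITELIST line for each FILE that is installed and is a script
# for INTERPRETER. Rejections go to stderr; returns 1 if any FILE was rejected.
script_whitelist_lines() {
    interp=$1
    shift
    rc=0
    for f in "$@"; do
        # A whitelist entry for a file that is not installed makes rkhunter
        # report an error, so never emit one.
        if [ ! -f "$f" ]; then
            echo "skip $f: not installed" >&2
            rc=1
            continue
        fi
        # Read only the first line; a compiled binary has no "#!" there.
        first=
        IFS= read -r first < "$f" || :
        case $first in
            '#!'*"$interp"*)
                printf 'SCRIPTWHITELIST="%s"\n' "$f"
                ;;
            '#!'*)
                echo "skip $f: script, but not for $interp: $first" >&2
                rc=1
                ;;
            *)
                echo "skip $f: no #! line, not a script" >&2
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# The file from this ticket; review the output before adding it to rkhunter.conf.
script_whitelist_lines ruby /usr/bin/unhide.rb || echo "some candidates were rejected" >&2
```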
     
