false positives with /dev/.initramfs & /run/initramfs

Bug #1004816 reported by Jens
This bug affects 1 person

Affects: rkhunter (Ubuntu)    Status: New    Importance: Undecided    Assigned to: Unassigned    Milestone: none set

Bug Description

When running rkhunter, it is not possible to skip /dev/.initramfs. The error message is:

  Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

When I add this to ALLOWHIDDENDIRS, it has no effect. When I add this to ALLOWHIDDENFILES, I get an error message saying this is not a file. In fact, it is a symlink to a directory:

  root@root:~# ls -dl /dev/.initramfs /run/initramfs
  lrwxrwxrwx 1 root root 14 Mai 8 07:30 /dev/.initramfs -> /run/initramfs
  drwxr-xr-x 2 root root 40 Mai 8 07:30 /run/initramfs

Since this file/dir/link is present in Ubuntu's default kernel, I think this is a serious bug, since it is currently not possible for rkhunter to report a Ubuntu system as "clean" (unless one skips the file/dir check altogether).

Possibly a security issue because of the false alarm potential, please tag as security related if you agree.

Configuration /etc/rkhunter.conf:

root@root:~# grep -v ^# /etc/rkhunter.conf |sort|uniq
ALLOWHIDDENDIR="/dev/.initramfs"
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENFILE="/dev/.initramfs"
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=without-password
ALLOW_SYSLOG_REMOTE_LOGGING=0
APPEND_LOG=1
AUTO_X_DETECT=1
COLOR_SET2=0
COPY_LOG_ON_ERROR=0
DBDIR=/var/lib/rkhunter/db
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
DISABLE_UNHIDE=1
ENABLE_TESTS="all"
IMMUTABLE_SET=0
INSTALLDIR="/usr"
LOCK_TIMEOUT=300
LOGFILE=/var/log/rkhunter.log
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" <email address hidden>
MIRRORS_MODE=0
PHALANX2_DIRTEST=0
ROTATE_MIRRORS=1
SCRIPTDIR=/usr/share/rkhunter/scripts
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/bin/unhide.rb
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
SHOW_LOCK_MSGS=1
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_THRESH=200
TMPDIR=/var/lib/rkhunter/tmp
UPDATE_LANG=""
UPDATE_MIRRORS=1
USE_LOCKING=0
WHITELISTED_IS_WHITE=0

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: rkhunter 1.3.8-10
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sat May 26 09:33:18 2012
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-color
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: rkhunter
UpgradeStatus: Upgraded to precise on 2012-05-04 (21 days ago)
modified.conffile..etc.rkhunter.conf: [modified]
mtime.conffile..etc.rkhunter.conf: 2012-05-26T09:32:58.943101
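The report above describes a hidden-entry allow-list that treats a symlink to a directory as neither a directory (so ALLOWHIDDENDIR does not match) nor a regular file (so ALLOWHIDDENFILE is rejected). The script below is an added example, not rkhunter's own code and not a reproduction of its matching logic: it builds a constructed copy of the /dev/.initramfs -> /run/initramfs layout under a temporary root, then runs two small checkers over it. `naive_allowed` is an assumed model of the behaviour the reporter saw (entries are only matched against a list when their own type matches that list, and a symlink is neither); `fixed_allowed` resolves the symlink's target type first, so the entry can be allow-listed through the directory list. The list variables `ALLOWHIDDENDIR_LIST` / `ALLOWHIDDENFILE_LIST` and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not rkhunter code): hidden dot-entry scan with two
# allow-list checkers, showing why a symlink to a directory needs its own
# handling. Paths below are relative to a constructed temp root.

ALLOWHIDDENDIR_LIST="/dev/.initramfs /dev/.udev"   # modelled on the report's config
ALLOWHIDDENFILE_LIST=""

# Build a constructed fixture mirroring the `ls -dl` output from the report
# and print its root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/run/initramfs" "$root/dev/.udev"
    ln -s "$root/run/initramfs" "$root/dev/.initramfs"
    printf '%s\n' "$root"
}

# Classify one path. -L is tested first on purpose: -d and -f follow
# symlinks, so a symlink to a directory would otherwise also pass -d.
classify() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo other
    fi
}

# in_list NAME LIST: exact-match membership test over a space-separated list.
in_list() {
    for e in $2; do [ "$e" = "$1" ] && return 0; done
    return 1
}

# Assumed model of the reported behaviour: a real directory is checked only
# against the DIR list, a regular file only against the FILE list, and a
# symlink matches neither, so it is always reported as hidden.
naive_allowed() {
    root=$1; name=$2
    case $(classify "$root$name") in
        dir)  in_list "$name" "$ALLOWHIDDENDIR_LIST" ;;
        file) in_list "$name" "$ALLOWHIDDENFILE_LIST" ;;
        *)    return 1 ;;
    esac
}

# Corrected checker: for a symlink, decide by the type of its target, so a
# link to a directory is allow-listed via the DIR list. A dangling link
# resolves to nothing and is never silently accepted.
fixed_allowed() {
    root=$1; name=$2; p="$root$name"
    kind=$(classify "$p")
    if [ "$kind" = symlink ]; then
        if [ -d "$p" ]; then kind=dir
        elif [ -f "$p" ]; then kind=file
        else return 1
        fi
    fi
    case $kind in
        dir)  in_list "$name" "$ALLOWHIDDENDIR_LIST" ;;
        file) in_list "$name" "$ALLOWHIDDENFILE_LIST" ;;
        *)    return 1 ;;
    esac
}

# scan_hidden ROOT CHECKER: report every dot-entry directly under ROOT/dev
# that CHECKER does not allow. Prints one warning per entry; returns 1 if any.
scan_hidden() {
    root=$1; checker=$2; found=0
    for p in "$root"/dev/.[!.]*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # skip unmatched glob
        name=${p#"$root"}
        if ! "$checker" "$root" "$name"; then
            printf 'Warning: Hidden entry found: %s (%s)\n' "$name" "$(classify "$p")"
            found=1
        fi
    done
    return $found
}

# Demo: the naive checker flags the symlink, the fixed one reports clean.
demo_root=$(make_fixture)
echo "== naive checker =="; scan_hidden "$demo_root" naive_allowed || true
echo "== fixed checker =="; scan_hidden "$demo_root" fixed_allowed && echo "clean"
rm -rf "$demo_root"
```

Run it as `sh hidden_check.sh` on any POSIX system; nothing in it touches the real /dev. The naive pass prints a warning for /dev/.initramfs even though it is on the directory list, which is exactly the report's symptom; the fixed pass accepts it because the link's target is a directory.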
