ROSA Linux Bugzilla – Bug 3530
[UPDATE REQUEST] rkhunter 1.4.0
Last modified: 2014-01-10 11:43:12 MSK
Rootkit Hunter release 1.4.0 obsoletes all previous releases.
Added the '--list propfiles' command-line option. This will dump out the list of filenames that will be searched for when building the file properties database. By default the list is not shown if just '--list' is used.
Added Jynx rootkit check.
Added Turtle/Turtle2 rootkit check.
Added KBeast rootkit check.
The installer now supports the Slackware TXZ package layout option.
Allow the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options to use '%' as the space character. (Note: This is a temporary fix).
The ALLOWPROCDELFILE option can now use wildcards in the file names.
The '--list perl' command-line option now shows whether the perl command itself is installed or not.
The 'shared_libs' test now allows whitelisting of the preloading environment variables.
The '-r/--rootdir' command-line options, and the ROOTDIR configuration option are now deprecated. If they are used then an error message will be displayed. The options will have no effect, but rkhunter will continue. The options will be completely removed at the next release.
The 'hidden_ports' test will now show if a found port is TCP or UDP.
It is now possible to whitelist ports in the 'hidden_ports' test using the PORT_WHITELIST configuration option.
Allow the ALLOWPROCDELFILE option to work again.
Correct the check of the ProFTPD version number.
Fix the FreeBSD 'sockstat' command check to ensure that the correct fields are used.
Fix for newer version of the 'file' command when reporting scripts.
Fix the ALLOWHIDDENFILE option to allow hidden symbolic links.
The 'filesystem' check now handles files and directories with spaces in their names correctly.
The 'startup_files' test was displaying file names with spaces in them incorrectly. Also the test was not checking files which were in hidden directories.
Ensure that the ALLOWDEVFILE, ALLOWHIDDENFILE and ALLOWHIDDENDIR options re-evaluate their whitelisting lists to ensure that any wildcard entries are the most recent. (A time window previously existed which meant that the list was processed, but new files could be created before the test was run. As such they were reported as false-positive warnings, when they should have been whitelisted.)
Allow the EXISTWHITELIST option to work with symbolic links.
The test of whether prelinking is being used or not was sometimes causing the file properties hash test to be skipped, without the real reason being stated. Now the hash test will proceed but the user will still get a warning (because it detects that prelinking was used and is not now, or vice-versa).
Rkhunter will now check to see if the 'head' and 'tail' commands understand the '-n' option. If they do, then it will be used. If they do not, then the older 'head -1' and 'tail -1' commands will be used.
Done, rkhunter 1.4.0 has been backported from Desktop Fresh. rkhunter is in contrib repo, so I have pushed this update without QA.
(In reply to comment #1)
> Done, rkhunter 1.4.0 has been backported from Desktop Fresh. rkhunter is in
> contrib repo, so I have pushed this update without QA.
It seems to work fine, but it thinks that kfd from Heimdal Kerberos is a Root Kit called Adore. (Heimdal also caused rkhunter to be considered the Xzibit Rootkit in 1.3.8.)
(In reply to comment #2)
> (In reply to comment #1)
> > Done, rkhunter 1.4.0 has been backported from Desktop Fresh. rkhunter is in
> > contrib repo, so I have pushed this update without QA.
> It seems to work fine, but it thinks that kfd from Heimdal Kerberos is a
> Root Kit called Adore. (Heimdal also caused rkhunter to be considered the
> Xzibit Rootkit in 1.3.8.)
It's a False Positive.
Yes, it has been a known false positive for years:
You can try to add the following lines to your config file:
If this works, I will add these lines to our default config.