[SOLVED] rkhunter false positive on slackware64-current
by af7567 from LinuxQuestions.org on (#56TJD)
Hi
I have had rkhunter running nightly for years on my 32 bit Slackware server with no problems. I recently upgraded the server and installed slackware64-current, and now rkhunter always finds a rootkit component:
Code:
[12:22:38] Checking for file '/lib64/libkeyutils.so.1.9' [ Warning ]
[12:22:47] Warning: Checking for possible rootkit files and directories [ Warning ]
[12:22:47] Found file '/lib64/libkeyutils.so.1.9'. Possible rootkit: Sniffer component

This seems to be a common problem. I found a few posts about it on Google, but the solutions didn't work for me. I added the following to /etc/rkhunter.conf:
Code:
EXCLUDE_USER_FILEPROP_FILES_DIRS="/lib64/libkeyutils.so.1.9"
RTKT_FILE_WHIETLIST="/lib64/libkeyutils.so.1.9"
SHARED_LIB_WHITELIST="/lib64/libkeyutils.so.1.9"

But they don't seem to make any difference. I also added the symlink libkeyutils.so.1 to the whitelist. Does anyone have any idea why my whitelists don't work?
Unrelated, but one possible problem that rkhunter did bring up is that the package krb5-1.18.2-x86_64-1 contains 2 hidden files in /usr/man:
Code:
usr/man/man5/.k5identity.5
usr/man/man5/.k5login.5

Should they really be in the package?
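Added example, not part of the post above: a small POSIX sh linter that reports any `NAME=value` line in an rkhunter.conf whose NAME is not in a list of known rkhunter directives, because a whitelist entry under a name rkhunter does not recognise is never read and so never applied. The directive list is an assumed partial subset of real rkhunter options, and the config fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Lint an rkhunter.conf for directive names rkhunter does not know.
# KNOWN_DIRECTIVES is a partial list of real rkhunter options (assumption:
# enough for this demonstration, not the complete set).
KNOWN_DIRECTIVES="ALLOWDEVFILE ALLOWHIDDENDIR ALLOWHIDDENFILE ALLOWPROCDELFILE
ALLOWPROCLISTEN EXCLUDE_USER_FILEPROP_FILES_DIRS PORT_WHITELIST RTKT_DIR_WHITELIST
RTKT_FILE_WHITELIST SCRIPTWHITELIST SHARED_LIB_WHITELIST USER_FILEPROP_FILES_DIRS"

# Return 0 if $1 is a known directive name, 1 otherwise.
is_known_directive() {
    for d in $KNOWN_DIRECTIVES; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# Print every "NAME=value" line in file $1 whose NAME is unknown.
# Returns 1 if at least one unknown directive was found, 0 otherwise.
check_rkhunter_conf() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;           # skip blank lines and comments
        esac
        name=${line%%=*}
        [ "$name" = "$line" ] && continue  # no '=' present: not a directive
        if ! is_known_directive "$name"; then
            printf 'unknown directive: %s\n' "$name"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed config fragment (not taken from a real system); one of the three
# whitelist lines carries a misspelled directive name.
DEMO_CONF=$(mktemp)
trap 'rm -f "$DEMO_CONF"' EXIT
cat > "$DEMO_CONF" <<'EOF'
# whitelist entries added for a false positive
EXCLUDE_USER_FILEPROP_FILES_DIRS="/lib64/libkeyutils.so.1.9"
RTKT_FILE_WHIETLIST="/lib64/libkeyutils.so.1.9"
SHARED_LIB_WHITELIST="/lib64/libkeyutils.so.1.9"
EOF

check_rkhunter_conf "$DEMO_CONF" || echo "config contains directives rkhunter will not read"
```

rkhunter's own `-C` / `--config-check` option performs a fuller version of this check against the complete directive list.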