Suspicious file types reported since rkhunter 1.4.0

breun · **Posted:** Thu May 24, 2012 4:29 am

Since the upgrade to rkhunter 1.4.0 the following is reported daily via e-mail:

Quote:

Warning: Suspicious file types found in /dev:
/dev/.udev/db/class@misc@tun: ASCII text
/dev/.udev/db/class@input@input1@event1: ASCII text
/dev/.udev/db/class@sound@seq: ASCII text
/dev/.udev/db/block@xvda1: ASCII text
/dev/.udev/db/block@xvda2: ASCII text
/dev/.udev/db/class@sound@timer: ASCII text
/dev/.udev/db/class@input@input0@event0: ASCII text
/dev/.udev/db/class@input@input0@mouse0: ASCII text
/dev/.udev/db/block@ram1: ASCII text
/dev/.udev/db/block@ram0: ASCII text
/dev/.udev/db/class@cpuid@cpu1: ASCII text
/dev/.udev/db/class@cpuid@cpu0: ASCII text
/dev/.udev/db/class@msr@msr0: ASCII text
/dev/.udev/db/class@msr@msr1: ASCII text
/dev/.udev/db/class@input@mice: ASCII text
/dev/.udev/db/class@misc@device-mapper: ASCII text
/dev/.udev/uevent_seqnum: ASCII text

/etc/rkhunter.conf contains ALLOWHIDDENDIR=/dev/.udev by default, but these files are not hidden, they are just in a hidden directory. The files seem harmless to me. Is this a bug in rkhunter 1.4.0 or does the configuration need some tweaking to not flag these files?

scott · **Posted:** Thu May 24, 2012 12:44 pm

I hesitate to use the word bug.. its something new it isnt designed for yet. Shortcoming? Limitation?

breun · **Posted:** Thu May 24, 2012 1:29 pm

Will an update whitelist/ignore these files or do users need to take care of this themselves? Should I file a bug with you? Or with the rkhunter project?

scott · **Posted:** Thu May 24, 2012 2:02 pm

Id notify upstream first

breun · **Posted:** Fri May 25, 2012 3:53 am

Since ASL installs rkhunter I thought I'd mention it to you guys, but I'll notify upstream then.

breun · **Posted:** Fri May 25, 2012 4:30 pm

Someone else reported this already on rkhunter-users: http://sourceforge.net/mailarchive/mess ... d=29230075

rkhunter's John Horne recommends adding the following to the rkhunter configuration:

Code:

ALLOWDEVFILE=/dev/.udev/db/block*
ALLOWDEVFILE=/dev/.udev/db/class*
ALLOWDEVFILE=/dev/.udev/uevent_seqnum

In another thread about this issue he mentions /dev should not contain text files according to the FHS, so this is why rkhunter is reporting these files. Would you add the statements above to the Atomic RPM package for rkhunter?

breun · **Posted:** Sun May 27, 2012 6:25 am

I've seen a couple of other files under /dev/.udev getting reported:

Quote:

/dev/.udev/queue.bin
/dev/.udev/db/input*
/dev/.udev/rules.d/99-root.rules

Right now we're whitelisting all of these in /etc/rkhunter.conf.local using ALLOWDEVFILE statements.

breun · **Posted:** Mon May 28, 2012 12:28 pm

Some more files:

Quote:

/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D0p: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@controlC0: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D1c: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D2c: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D3c: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D0c: ASCII text
/dev/.udev/db/devices@pci0000:00@0000:00:1f.5@pcmC0D4p: ASCII text
/dev/.udev/db/devices@seq: ASCII text
/dev/.udev/db/devices@timer: ASCII text

Added ALLOWDEVFILE=/dev/.udev/db/devices* for these.

breun · **Posted:** Mon May 28, 2012 5:25 pm

Also encountered /dev/.udev/db/usb* and /dev/.udev/db/net*...

breun · **Posted:** Sun Sep 09, 2012 9:09 am

I see rkhunter 1.4.0-8 has added most of the custom ALLOWDEVFILE statements I put in /etc/rkhunter.conf.local myself.

I still need to whitelist these myself though:

Quote:

/dev/.udev/db/input:event0: ASCII text
/dev/.udev/db/input:event1: ASCII text
/dev/.udev/db/input:event2: ASCII text
/dev/.udev/db/input:event3: ASCII text
/dev/.udev/db/input:event4: ASCII text
/dev/.udev/db/input:event5: ASCII text
/dev/.udev/db/input:js0: ASCII text
/dev/.udev/db/input:mouse1: ASCII text
/dev/.udev/db/net:eth0: ASCII text
/dev/.udev/db/net:eth1: ASCII text
/dev/.udev/db/net:eth2: ASCII text
/dev/.udev/db/net:eth3: ASCII text
/dev/.udev/db/usb:1-1: ASCII text
/dev/.udev/db/usb:1-1.2: ASCII text
/dev/.udev/db/usb:2-1: ASCII text
/dev/.udev/db/usb:4-1: ASCII text
/dev/.udev/db/usb:usb1: ASCII text
/dev/.udev/db/usb:usb2: ASCII text
/dev/.udev/db/usb:usb3: ASCII text
/dev/.udev/db/usb:usb4: ASCII text
/dev/.udev/db/usb:usb5: ASCII text
/dev/.udev/db/usb:usb6: ASCII text
/dev/.udev/db/usb:usb7: ASCII text
/dev/.udev/db/usb:usb8: ASCII text

Any chance of adding these to a future version of rkhunter.conf?

Suspicious file types reported since rkhunter 1.4.0

Who is online