RKHunter — Making False Positives Go Away on Gentoo Linux

Update 2018/05/06: Updated the RKHunter links to RKHunter’s homepage and the Gentoo package.

RKHunter is a tool for detecting rootkits on Unix-like systems. I run it daily on my Gentoo server, and it emails me a report about whether it updated its database of tests as well as any warnings it comes across while running its tests. Recently, Gentoo marked rkhunter-1.3.4 as stable. After I updated it, it began reporting more false positives than the older 1.2.9 (it used to only report the existence of promiscuous network interfaces, which is caused by my network confguration).

Some were due to programs in /usr/bin being shell scripts instead of binaries, while others were complaining about the fact that I did not have the latest version of GnuPG or OpenSSH (I stick to Gentoo’s stable releases, which are currently a minor version behind). Another problem was over Linux kernel modules. I built my kernel with all module support disabled, compiling in everything I want my kernel to have.

Read on to find out how I resolved the various warnings in /var/log/rkhunter.log by editing /etc/rkhunter.conf.

Fixing changed binaries

By default, RKHunter checks the properties of files in /bin, /usr/bin, etc. Whenever a package updates, its binary executables usually change as well. For example (from rkhunter.log):

[04:50:29] /bin/netstat                                      [ Warning ]
[04:50:29] Warning: The file properties have changed:
[04:50:30]          File: /bin/netstat
[04:50:30]          Current hash: 58ad996b4c822f25760fbe4bfb9904d623aeb51b
[04:50:30]          Stored hash : 715d86e1b178c19807a315fe339e87b3e5a12c75[04:50:31]          Current inode: 16178    Stored inode: 16175
[04:50:31]          Current size: 125996    Stored size: 116940
[04:50:31]          Current file modification time: 1263850324
[04:50:32]          Stored file modification time : 1258110183

The solution for this sort of warning is straightforward. RKHunter’s properties database needs to be updated:

# rkhunter --propupd

Whitelisting Valid Scripts

It also reports that some files have been replaced by scripts. For example (again, from rkhunter.log):

[04:51:43] /usr/bin/whatis                                   [ Warning ]
[04:51:43] Warning: The command '/usr/bin/whatis' has been replaced by a script
[04:51:43] Warning: The command '/usr/bin/whatis' has been replaced by a script:
 /usr/bin/whatis: POSIX shell script text executable
...
[04:51:48] /usr/bin/lwp-request                              [ Warning ]
[04:51:48] Warning: The command '/usr/bin/lwp-request' has been replaced by a sc
ript: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable

First, I examined the programs directly to make sure that they looked okay – that is, that they are false positives and not actual positives. In order for rkhunter to not complain, I needed to either disable this test, or let the test know which files should be scripts and not binaries. To do the latter, search /etc/rkhunter.conf for ‘SCRIPTWHITELIST’ and add a line with the path for each command that you expect to be a script:

#
# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
#
#SCRIPTWHITELIST=/sbin/ifup
#SCRIPTWHITELIST=/sbin/ifdown
#SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/lwp-request

Next time rkhunter runs, it will no longer complain about ldd, whatis, or lwp-request being scripts.

An Expected Promiscuous Interface

[04:57:51] Performing checks on the network interfaces
[04:57:51] Info: Starting test name 'promisc'
[04:57:52]   Checking for promiscuous interfaces             [ Warning ]
[04:57:52] Warning: Possible promiscuous interfaces:
[04:57:52]          'ifconfig' command output:           UP BROADCAST RUNNING PR
OMISC MULTICAST  MTU:1500  Metric:1
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
[04:57:53]          'ip' command output: eth0
[04:57:53]          'ip' command output: tap0[04:57:53]

My server runs openvpn on it, and I configured it to create a bridge between the openvpn “network” and the physical network. In the process, the network interfaces are in run promiscuous mode. The only way to get rid of this warning is to disable the ‘promisc’ test. Search for DISABLE_TESTS, and append promisc to the end of the list:

DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps promisc"

Complaints of Hidden Directories

[04:58:16]   Checking for hidden files and directories       [ Warning ]
[04:58:17] Warning: Hidden directory found: /dev/.udev

This hidden directory (prefixed with a dot hidden, not hidden from opendir/readdir function calls) is part of how udev operates. To tell rkhunter to ignore it, search for ALLOWHIDDENDIR and uncomment or add the following line:

ALLOWHIDDENDIR=/dev/.udev

Disregarding Warnings About Outdated Applications

[04:58:17] Checking application versions...
[04:58:17] Info: Starting test name 'apps'
...
[04:58:21]   Checking version of GnuPG                       [ Warning ]
[04:58:21] Warning: Application 'gpg', version '2.0.11', is out of date, and pos
sibly a security risk.
...
[04:58:25]   Checking version of OpenSSH                     [ Warning ]
[04:58:25] Warning: Application 'sshd', version '5.2p1', is out of date, and possibly a security risk.

I mostly stick to Gentoo’s stable branch. This means that sometimes applications are not at the latest version. I regularly check my system for updates, and I do not need rkhunter complaining on a daily basis that these programs are outdated. To make these warnings go away, I changed the APP_WHITELIST option:

#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option is a space-separated list consisting of the
# application names. If a specific version is to be whitelisted, then the
# name must be followed by a colon and then the version number.
#
# For example: APP_WHITELIST="openssl:0.9.7d gpg"
#
APP_WHITELIST="gpg sshd"

My choice makes it never complain about outdated versions of gpg or sshd, although I could specify any versions I believe to be “safe.”

Disregarding the Kernel Module Checks

[04:57:31] Performing Linux specific checks[04:57:32] Info: Starting test name 'os_specific'
[04:57:32]   Checking loaded kernel modules                  [ Warning ]
[04:57:32] Warning: The modules file '/proc/modules' is missing.
[04:57:32] Info: Using modules pathname of '/lib/modules'
[04:57:33]   Checking kernel module names                    [ Warning ]
[04:57:33] Warning: The kernel modules directory '/lib/modules' is missing or em
pty.

As I mentioned above, my kernel compiles in all kernel modules it uses, and I deactivated the kernel module loading interface, so it makes sense that these are giving warnings (about there being no modules). It is possible to specify an alternative location for the kernel modules directory with the MODULES_DIR configuration directive, but I have no modules. I turned these checks off the same way I turned off the promiscuous interface check – by appending them to the list of disabled tests:

DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps promisc avail_modules loaded_modules"

Conclusion

After making the above changes in the configuration file, I ran

# rkhunter --check

and it no longer found any warnings.