Rk Hunter Warnings...

Support for security such as Firewalls and securing linux
magicalwonders
Posts: 3
Joined: 2014/02/26 11:29:50

Rk Hunter Warnings...

Post by magicalwonders » 2014/09/26 06:30:40

I've got a new VPS and have been working my way through the warnings produced by RkHunter over the last week. I've managed to reduce the number of warnings from dozens to 8. However, I'm a bit stumped on the following warnings -
Warning: Hidden file found: /etc/.zabbix_agent.conf.swp: Vim swap file, version 7.2
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
From what I can find out from searching, they all appear to be false positives, but no advice found on how to stop them appearing on the report.

Also, this one is proving to be a bit tricky -
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
I found a reference to that warning here - https://atomicorp.com/forums/viewtopic.php?f=3&t=6025
It seems to suggest that this was an issue with rkHunter and provides a work-around. But that was two years ago.

I'm hoping someone can advise on how to stop the above messages being reported each day?

Many thanks,

Myles

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Rk Hunter Warnings...

Post by unspawn » 2014/09/29 06:00:40

See the RKH FAQ or rkhunter-users mailing list archive for "ALLOWHIDDENFILE".

magicalwonders
Posts: 3
Joined: 2014/02/26 11:29:50

Re: Rk Hunter Warnings...

Post by magicalwonders » 2014/09/29 07:39:47

unspawn wrote: See the RKH FAQ or rkhunter-users mailing list archive for "ALLOWHIDDENFILE".
Yes, I found a reference to that earlier today, so I think I may have that fixed now. I'll see what happens in the report tomorrow!

The only warning I'm stuck on now is this one -
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
I've found a few references to it on Google, but not what the fix is! If anyone has any ideas?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Rk Hunter Warnings...

Post by TrevorH » 2014/09/29 07:48:40

It's also normal on CentOS machines.

Code:

[root@trevor4 ]# file /usr/bin/whatis 
/usr/bin/whatis: POSIX shell script text executable
[root@trevor4 ]# rpm -qf /usr/bin/whatis
man-1.6f-32.el6.x86_64
[root@trevor4 ]# rpm -V man
[root@trevor4 ]# 
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

magicalwonders
Posts: 3
Joined: 2014/02/26 11:29:50

Re: Rk Hunter Warnings...

Post by magicalwonders » 2014/09/29 08:26:51

TrevorH wrote: It's also normal on CentOS machines.

Code:

[root@trevor4 ]# file /usr/bin/whatis 
/usr/bin/whatis: POSIX shell script text executable
[root@trevor4 ]# rpm -qf /usr/bin/whatis
man-1.6f-32.el6.x86_64
[root@trevor4 ]# rpm -V man
[root@trevor4 ]# 
Yes, but how do I stop rkHunter reporting it as a problem every day?
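
An added example, not part of any post in this thread: a shell sketch that turns the warning lines quoted above into rkhunter whitelist directives (ALLOWHIDDENFILE, ALLOWDEVFILE, SCRIPTWHITELIST), but only for files that pass the same rpm -qf / rpm -V check TrevorH ran by hand. The function names and the REVIEW marker are hypothetical; the sample input is constructed from the warnings in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): map rkhunter warnings to whitelist
# directives, but only after the RPM database vouches for the file.

# Constructed sample input: warning lines quoted in the posts above.
SAMPLE="Warning: Hidden file found: /etc/.zabbix_agent.conf.swp: Vim swap file, version 7.2
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable"

# True only if the file belongs to a package and that package verifies
# clean, i.e. the rpm -qf / rpm -V check shown earlier in the thread.
pkg_clean() {
    rpm -qf "$1" >/dev/null 2>&1 && rpm -Vf "$1" >/dev/null 2>&1
}

# Read warnings on stdin, print rkhunter config lines on stdout.
# Hypothetical helper name; the option names are rkhunter's own.
rkh_whitelist() {
    while IFS= read -r line; do
        case $line in
            "Warning: Hidden file found: "*)
                p=${line#"Warning: Hidden file found: "}; p=${p%%: *}
                opt=ALLOWHIDDENFILE ;;
            "Warning: The command '"*"' has been replaced by a script"*)
                p=${line#*\'}; p=${p%%\'*}
                opt=SCRIPTWHITELIST ;;
            /dev/*": "*)
                p=${line%%: *}
                opt=ALLOWDEVFILE ;;
            *) continue ;;
        esac
        if pkg_clean "$p"; then
            echo "$opt=$p"
        else
            # Not package-owned, or the package no longer verifies: a human decides.
            echo "# REVIEW (not package-verified): $opt=$p"
        fi
    done
}

printf '%s\n' "$SAMPLE" | rkh_whitelist
```

Lines that come out marked REVIEW are ones rpm cannot vouch for, such as the Vim swap file and the udev queue file; those need a manual look before the directive is uncommented in the rkhunter configuration.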
