Rk Hunter Warnings...

Posted: 2014/09/26 06:30:40
by magicalwonders
I've got a new VPS and have been working my way through the warnings produced by RkHunter over the last week. I've managed to reduce the number of warnings from dozens to 8. However, I'm a bit stumped on the following warnings -
Warning: Hidden file found: /etc/.zabbix_agent.conf.swp: Vim swap file, version 7.2
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
From what I can find out from searching, they all appear to be false positives, but I found no advice on how to stop them appearing on the report.

Also, this one is proving to be a bit tricky -
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
I found a reference to that warning here - https://atomicorp.com/forums/viewtopic.php?f=3&t=6025
It seems to suggest that this was an issue with rkHunter and provides a work-around. But that was two years ago.

I'm hoping someone can advise on how to stop the above messages being reported each day?

Many thanks,

Myles

Re: Rk Hunter Warnings...

Posted: 2014/09/29 06:00:40
by unspawn
See the RKH FAQ or rkhunter-users mailing list archive for "ALLOWHIDDENFILE".

Re: Rk Hunter Warnings...

Posted: 2014/09/29 07:39:47
by magicalwonders
unspawn wrote: See the RKH FAQ or rkhunter-users mailing list archive for "ALLOWHIDDENFILE".
Yes, I found a reference to that earlier today, so I think I may have that fixed now. I'll see what happens in the report tomorrow!

The only warning I'm stuck on now is this one -
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
I've found a few references to it on Google, but not what the fix is! If anyone has any ideas?

Re: Rk Hunter Warnings...

Posted: 2014/09/29 07:48:40
by TrevorH
It's also normal on CentOS machines.

Code:

[root@trevor4 ]# file /usr/bin/whatis 
/usr/bin/whatis: POSIX shell script text executable
[root@trevor4 ]# rpm -qf /usr/bin/whatis
man-1.6f-32.el6.x86_64
[root@trevor4 ]# rpm -V man
[root@trevor4 ]# 

Re: Rk Hunter Warnings...

Posted: 2014/09/29 08:26:51
by magicalwonders
TrevorH wrote: It's also normal on CentOS machines.

Code:

[root@trevor4 ]# file /usr/bin/whatis 
/usr/bin/whatis: POSIX shell script text executable
[root@trevor4 ]# rpm -qf /usr/bin/whatis
man-1.6f-32.el6.x86_64
[root@trevor4 ]# rpm -V man
[root@trevor4 ]# 
Yes, but how do I stop rkHunter reporting it as a problem every day?
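
An added example, not part of any post in this thread: a shell function that maps the warning lines quoted above to the rkhunter whitelist options that silence them (ALLOWHIDDENFILE, ALLOWDEVFILE, SCRIPTWHITELIST), printed as lines for the rkhunter configuration file. The function names and the sample input are constructed for illustration, and flagging the Vim swap file for removal instead of whitelisting it is an assumption about what the admin wants.

```shell
#!/bin/sh
# Added example: text processing only, nothing on the system is read or changed.
# Constructed sample: the warning lines quoted in this thread.
sample_warnings() {
cat <<'EOF'
Warning: Hidden file found: /etc/.zabbix_agent.conf.swp: Vim swap file, version 7.2
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Suspicious file types found in /dev:
/dev/.udev/queue.bin: data
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
EOF
}

# Map each warning on stdin to the rkhunter option that whitelists it.
warnings_to_directives() {
    in_dev=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        case "$line" in
        "Warning: Hidden file found: "*)
            in_dev=0
            path=${line#"Warning: Hidden file found: "}
            path=${path%%: *}                   # drop the file(1) description
            case "$path" in
            *.swp) echo "# leftover Vim swap file, remove it instead: $path" ;;
            *)     echo "ALLOWHIDDENFILE=$path" ;;
            esac ;;
        "Warning: Suspicious file types found in /dev:"*)
            in_dev=1 ;;                         # file names follow on later lines
        "Warning: The command '"*"' has been replaced by a script"*)
            in_dev=0
            path=${line#"Warning: The command '"}
            path=${path%%"'"*}                  # keep text up to the closing quote
            echo "SCRIPTWHITELIST=$path" ;;
        /dev/*)
            if [ "$in_dev" -eq 1 ]; then echo "ALLOWDEVFILE=${line%%: *}"; fi ;;
        *)
            in_dev=0 ;;
        esac
    done
    return 0
}

sample_warnings | warnings_to_directives
```

Before adding any printed line to the rkhunter configuration, confirm the file is package-owned and unmodified with `rpm -qf` and `rpm -V`, as in TrevorH's post.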