Friday, March 4, 2011

Getting Rid of rkhunter's False Warning about Xzibit Rootkit

I've installed rkhunter a long while ago, mostly because it seemed irresponsible not to install some sort of "protection". But, as is the case with any such tool, I started getting warnings, which, after I got over the induced anxiety attacks, were invariably confirmed as false positives.

It was usually rather simple to silence these warnings from the rkhunter configuration file /etc/rkhunter.conf - most of the time it was just a matter of un-commenting one or more lines, and occasionally updating rkhunter:
rkhunter --propupd
(say, for instance, after upgrading packages).

One false positive that was somewhat more complicated to disable was a warning about the Xzibit Rootkit. This warning is triggered by files containing the string hdparm - it's a known bug (see Debian bug #576680), and the workaround is to "use the RTKT_FILE_WHITELIST option to whitelist initscripts stating this string" - e.g. /etc/init.d/hdparm ...

The comments in the configuration file, suggest that the proper method of whitelisting a file is to also add it to USER_FILEPROP_FILES_DIRS and then update rkhunter. But this makes rkhunter complain that /etc/init.d/hdparm is an executable script, so I had to also add it to SCRIPTWHITELIST.

Bottom line - add the following lines to /etc/rkhunter.conf:
USER_FILEPROP_FILES_DIRS="/etc/init.d/hdparm /etc/init.d/.depend.boot"
RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
and the run
rkhunter --propupd
Verify by running:
rkhunter --check
I can only hope that I won't hit any false negatives...

1 comment:

  1. Thank you. I had the same error, and tried solving it yesterday without success. It clicked into place when I added the 'SCRIPTWHITELIST' entry for '/etc/init.d/hdparm'.