On Fri, Jan 22, 2021 at 03:41:07PM +1030, Tim via users wrote:
> On Thu, 2021-01-21 at 15:37 -0500, Jonathan Billings wrote:
> > Apparently at some point in the past, there was a rootkit that
> > installed a libkeyutils.so in the past. I whitelisted it in my
> > config, but I suspect that the rkhunter upstream needs to fix their
> > detection,
>
> You "whitelisted" a known problem file?! Surely that's the opposite of
> what you'd want to do? (Examine it carefully, not ignore it.)
I didn't do it right away, obviously. I made sure the package that
owned the files was fine (reinstalling from upstream, checking GPG and
RPM verification) and then went to look for others who had had the
problem.
I actually spoke on IRC with the author of the software too, who said
it has happened in the past. (I have met him a couple of times at
conferences and collaborated with him on patches, so I believe him.)
I agree that it is bad practice to just whitelist issues without
research. In this case, I saw enough evidence that it was a false
positive that I felt OK with whitelisting it.
--
Jonathan Billings <billings(a)negate.org>
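As an added example that is not part of the thread, here is a small POSIX sh helper for the triage Jonathan describes: find the RPM that owns a flagged library, show the GPG signature recorded for that package, and interpret `rpm -V` output so that a digest mismatch is never mistaken for a harmless timestamp change. `triage_file` assumes rpm(8) is installed; the sample `rpm -V` lines are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: triage a library a rootkit scanner has
# flagged by asking the package manager before deciding on any whitelist.
# triage_file assumes rpm(8); the sample rpm -V lines below are constructed.

# Classify one `rpm -V` line. First token is the 9-column flag field: S size,
# M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps, '.' ok.
# "content" = bytes on disk differ from the package: never whitelist that.
classify_verify_line() {
    case $1 in
        "")       echo clean;   return ;;
        missing*) echo missing; return ;;
    esac
    flags=${1%% *}
    case $flags in
        *5*|*S*|*L*)             echo content ;;
        *M*|*U*|*G*|*T*|*P*|*D*) echo metadata ;;
        *)                       echo clean ;;
    esac
}

# Reduce a whole `rpm -V <pkg>` report (stdin) to its worst finding.
# rpm prints nothing when every file verifies, so empty input is "clean".
verdict_from_verify_output() {
    worst=clean
    while IFS= read -r line; do
        c=$(classify_verify_line "$line")
        case $c in
            content|missing) worst=$c ;;
            metadata) [ "$worst" != clean ] || worst=metadata ;;
        esac
    done
    echo "$worst"
}

# Real-system check: owning package, recorded signature ("(none)" if unsigned),
# and file verification. Returns non-zero when the file needs investigation.
triage_file() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "unowned: $1"; return 1; }
    echo "owner: $pkg"
    echo "signature: $(rpm -q --qf '%{SIGPGP:pgpsig}\n' "$pkg")"
    v=$(rpm -V "$pkg" | verdict_from_verify_output)
    echo "verify: $v"
    [ "$v" = clean ] || [ "$v" = metadata ]
}

SAMPLE_TAMPERED='S.5....T.    /usr/lib64/libkeyutils.so.1.9
.......T.    /usr/lib64/libkeyutils.so.1'   # constructed: digest mismatch

if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then triage_file "$1"; fi
```

Run it as `sh triage.sh /path/to/flagged.so` on the affected host; a "content" or "missing" verdict means the file should be examined, not whitelisted.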