Hidden apps?

I’m not sure this is the right forum… I’m wondering what the files .fipscheck.hmac and .hmac256.hmac are for? (and why they are “hidden” files in /usr/bin)

TYVM! :slight_smile:


What about this:

~ # zypper if fipscheck
Loading repository data...
Reading installed packages...


Information for package fipscheck:
----------------------------------
Repository     : Main Repository
Name           : fipscheck
Version        : 1.4.1-3.3.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Installed Size : 37.1 KiB
Installed      : No
Status         : not installed
Source package : fipscheck-1.4.1-3.3.1.src
Summary        : A library for integrity verification of FIPS validated modules
Description    : 
    FIPSCheck is a library for integrity verification of FIPS validated
    modules. The package also provides helper binaries for creation and
    verification of the HMAC-SHA256 checksum files.


rpm -q --whatprovides /usr/bin/.fipscheck.hmac
fipscheck-1.4.1-3.3.1.x86_64

Hi
And if you look at the spec file, they are there…
https://build.opensuse.org/package/view_file/security/fipscheck/fipscheck.spec?expand=1

Thanks! I should have known about that zypper function!!

All this advanced stuff I learn sometimes! :slight_smile:

ultimately - I guess the package owner(s) just want those files hidden. That’s all. :shame:

Hi
That would seem the case, there is also one in the lib directory. Is some sort of scan showing them up? If so whatever it is needs to whitelist them…

Yes - rkhunter - I guess different distros… :shame:
Just warnings

Hi
Yes, it’s a bug with rkhunter, update the whitelist…

https://gist.github.com/rothkj1022/ba0d2234eba53b815f7b7ecff5b7b741

Thanks, Malcom. :slight_smile:

I’ve watched the net recently growing more and more dangerous.

Thanks again for the link, Malcom…
As they say, “instructions unclear…” lol!rotfl! Does rkhunter.conf.local (which is edited to add “whitelist” info) automatically become the default .conf file for rkhunter? (It doesn’t explicitly show mv’ing the .conf.local file back to replace .conf with the updated whitelist)

(Edit: Oops… the answer(s) appear to be in the .conf file itself… well, sort of, turns out there’s a suse version of the .conf file in rkhunter.d - guess I’ll try that…)

Also, by email do they mean the user account (in /var/mail/user - I think that would be user@hostname) or an actual email account (results usually go open-text across the Internet to, say, gmail)? I guess it could be either/or…

Hi
I normally just alias root to my user account and then check local mail with my email client. Seems to me it’s a bug with the openSUSE version and should be added to the whitelist?

Hmmm… well the instructions didn’t work, apparently it couldn’t directly find the alternative .conf arrangement - I was going to rely on the 00-opensuse.conf file I found in rkhunter.d… I thought maybe that was somehow automatically checked since rkhunter came from the opensuse repo. The github doesn’t mention /usr/local - so I’ll go back to the default setup and edit rkhunter.conf.

(base) patti@linux-lhkc:~> sudo rkhunter --check  
[sudo] password for root:  
Unable to find configuration file: /usr/local/etc/rkhunter.conf

linux-lhkc:/home/patti # rkhunter --check
Unable to find configuration file: /usr/local/etc/rkhunter.conf
linux-lhkc:/home/patti # ll /usr/local/etc/rkhunter.d
ls: cannot access '/usr/local/etc/rkhunter.d': No such file or directory
linux-lhkc:/home/patti # ll /etc/rkhunter.d
total 108
-rw-r----- 1 root root  1393 Feb 25  2021 00_opensuse-use.conf
-rw------- 1 root root   156 Feb 12 09:49 .00_opensuse-use.conf.kate-swp
-rw-r----- 1 root root  1393 Feb 25  2021 00-opensuse-use_conf_stock
-rw-r----- 1 root root 48668 Feb 12 09:41 rkhunter_conf_local_stock
-rw-r----- 1 root root 48668 Feb 25  2021 rkhunter_conf_stock
linux-lhkc:/home/patti #

EDIT: Ok, ok - I’m getting it. All that’s needed is to edit 00-opensuse.conf - gotta leave the rkhunter.conf (etc.) in /etc…

OK - so what I found is you have to modify /etc/rkhunter.d/00-opensuse.conf - you can’t/shouldn’t modify /etc/rkhunter.conf or rkhunter.conf.local. That’s what the GitHub instructions didn’t show. I think I get it now…

So it also looks like the stock rkhunter setup for opensuse includes a cron.daily entry, so rkhunter runs daily and sends an email to $REPORT_EMAIL, at least that’s what I surmise since there’s a file in cron.daily named suse.de-rkhunter (and I’ve noticed this running before).

So, bottom line is this seems like the install sequence:

  1. install with YaST
  2. run rkhunter per https://gist.github.com/rothkj1022/ba0d2234eba53b815f7b7ecff5b7b741
  3. in those instructions, add the following to the file /etc/rkhunter.d/00-opensuse.conf
     ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
     ALLOWHIDDENFILE=/usr/bin/.hmac256.hmac

Does that sound about right? Problem is I still get a complaint from rkhunter… (I did try removing rkhunter from my system and reinstalling it. I thought --propupd was supposed to “fix” this warning, but maybe, given its setup in opensuse, it’s a YaST/system-interface-related “bug”)

linux-lhkc:/home/patti # rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 176 files, found 201
linux-lhkc:/home/patti # rkhunter --rwo -c
Warning: Package manager verification has failed:
         File: /etc/rkhunter.d/00-opensuse.conf
         The file hash value has changed
         The file size has changed
         The file modification time has changed
linux-lhkc:/home/patti #

Despite this one warning, very happy to have something scanning my System dirs. :slight_smile:
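An added example, not code from this thread, from fipscheck or from rkhunter, that covers both the hidden .hmac files explained earlier (the fipscheck package’s HMAC-SHA256 checksum files, named .NAME.hmac next to the binary NAME) and the ALLOWHIDDENFILE whitelist step above: it recomputes each binary’s HMAC, reports hidden checksum files that verify, mismatch, or have no sibling binary, and emits ALLOWHIDDENFILE lines only for the ones that verified. The HMAC key is assumed from fipscheck’s upstream filehmac.c; the sample binaries and checksums are constructed in a temporary directory.

```python
import hmac
import tempfile
from pathlib import Path

# HMAC key compiled into fipscheck's filehmac.c (assumed from the upstream
# source; confirm against your build before trusting results on real files).
FIPSCHECK_KEY = b"orboDeJITITejsirpADONivirpUkvarP"


def file_hmac(path: Path, key: bytes = FIPSCHECK_KEY) -> str:
    """Hex HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod="sha256")
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def hmac_file_for(binary: Path) -> Path:
    """fipscheck naming convention: /usr/bin/foo is checked by /usr/bin/.foo.hmac"""
    return binary.with_name(f".{binary.name}.hmac")

def verify_hidden_hmacs(directory: Path, key: bytes = FIPSCHECK_KEY) -> dict:
    """Classify each .NAME.hmac as 'ok', 'mismatch' or 'orphan' (no sibling NAME)."""
    results = {}
    for hfile in directory.glob(".*.hmac"):
        binary = directory / hfile.name[1:-len(".hmac")]
        if not binary.is_file():
            results[hfile.name] = "orphan"  # a hidden checksum with nothing to check
            continue
        expected = hfile.read_text().strip().lower()
        ok = hmac.compare_digest(expected, file_hmac(binary, key))
        results[hfile.name] = "ok" if ok else "mismatch"
    return results

def allowhiddenfile_lines(directory: Path, results: dict) -> list:
    """rkhunter whitelist entries, emitted only for checksums that verified."""
    return sorted(f"ALLOWHIDDENFILE={directory / n}" for n, r in results.items() if r == "ok")

def demo() -> tuple:
    """Constructed sample: intact hmac256, tampered fipscheck, planted orphan."""
    tmp = Path(tempfile.mkdtemp())
    good, bad = tmp / "hmac256", tmp / "fipscheck"
    good.write_bytes(b"\x7fELF fake hmac256 binary")
    bad.write_bytes(b"\x7fELF fake fipscheck binary")
    for b in (good, bad):  # write the checksum as fipshmac does: hex digest + newline
        hmac_file_for(b).write_text(file_hmac(b) + "\n")
    bad.write_bytes(b"\x7fELF fake fipscheck binary (modified)")  # tampered afterwards
    (tmp / ".planted.hmac").write_text("00" * 32 + "\n")  # no sibling binary exists
    results = verify_hidden_hmacs(tmp)
    return results, allowhiddenfile_lines(tmp, results), tmp
```

Run against /usr/bin on a real system, only hidden checksum files that come back "ok" are candidates for ALLOWHIDDENFILE; an "orphan" or "mismatch" is worth investigating rather than whitelisting.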

Hi
Well I would assume it has to redo its database, else like I said, a bug report to get it added to the openSUSE version may fix it.

Where do I do the bug report? I assume the maintainer just missed those two hidden files when creating 00-opensuse.conf.

Hi
openSUSE:Submitting bug reports - openSUSE

I see the following, but since not installed here don’t see the changelog output, but you should see the email address…


osc maintained rkhunter


openSUSE:Backports:SLE-15-SP3:Update/rkhunter
openSUSE:Backports:SLE-15-SP4/rkhunter


osc maintainer rkhunter


Defined in project:  security
  bugowner of rkhunter : 
   msmeissn


  maintainer of rkhunter : 
   msmeissn, lrupp, varkoly, elvigia, ahodgkinson, psmt, jjolly, duwe, WernerFink, bitshuffler, dbuss, jbohac, mseben, Alexander_Naumov, gregfreemyer, vpereirabr, jsegitz, group:factory-maintainers, group:security-team


rpm -q rkhunter --changelog | grep meissen

Of course! YaST has the maintainer info in the package. I did that with OpenFoam and got help. I thought you were referring to some mythical distro-specific bug thingie, like a OS-specific-bugzilla. So my brain ignored YaST. rotfl!

Been encountering the same problem with rkhunter when I found this old post, so was wondering what the maintainer said about this @pattim ? My rkhunter still flags the hidden hmac256 file as of today. :confused: