Hidden apps?

I’m not sure this is the right forum… I’m wondering what the files**: [FONT=arial].fipscheck.hmac** and .hmac256.hmac are for? (and why they are “hidden” files in /usr/bin)

TYVM! :slight_smile:


What about this:

~ # zypper if fipscheck
Loading repository data...
Reading installed packages...

Information for package fipscheck:
Repository     : Main Repository
Name           : fipscheck
Version        : 1.4.1-3.3.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Installed Size : 37.1 KiB
Installed      : No
Status         : not installed
Source package : fipscheck-1.4.1-3.3.1.src
Summary        : A library for integrity verification of FIPS validated modules
Description    : 
    FIPSCheck is a library for integrity verification of FIPS validated
    modules. The package also provides helper binaries for creation and
    verification of the HMAC-SHA256 checksum files.

rpm -q --whatprovides /usr/bin/.fipscheck.hmac

And if you look at the spec file, they are there…

Thanks! I should have known about that zypper function!!

All this advanced stuff I learn sometimes! :slight_smile:

ultimately - I guess the package owner(s) just want those files hidden. That’s all. :shame:

That would seem the case, there is also one in the lib directory. Is some sort of scan showing them up? If so whatever it is needs to whitelist them…

Yes - rkhunter - I guess different distros… :shame:
Just warnings

Yes, it’s a bug with rkhunter, update the whitelist…


Thanks, Malcom. :slight_smile:

I’ve watched the net recently growing more and more dangerous.

Thanks again for the link, Malcom…
As they say, “instructions unclear…” lol!rotfl! Does rkhunter.conf.local (which is edited to add “whitelist” info) automatically become the default .conf file for rkhunter? (It doesn’t explicitly show mv’ing the .conf.local file back to replace .conf with the updated whitelist)

(Edit: Oops… the answer(s) appear to be in the .conf file itself… well, sort of, turns out there’s a suse version or the .conf file in rkhunter.d - guess I’ll try that…)

Also, by email do they mean the user account (in /var/mail/user - I think that would be user@hostname) or an actual email account (results usually go open-text across the Internet to, say, gmail)? I guess it could be either/or…

I normally just alias root to my user account and then check local mail with my email client. Seems to me it’s a bug with the openSUSE version and should be added to the whitelist?

Hmmm… well the instructions didn’t work, apparently it couldn’t directly find the alternative .conf arrangement - I was going to rely on the 00-opensuse.conf file I found in rkhunter.d… I thought maybe that was somehow automatically checked since rkhunter came from the opensuse repo. The github doesn’t mention /usr/local - so I’ll go back to the default setup and edit rkhunter.conf.

(base) patti@linux-lhkc:~> sudo rkhunter --check  
[sudo] password for root:  
Unable to find configuration file: /usr/local/etc/rkhunter.conf

[FONT=monospace]**linux-lhkc:/home/patti #** rkhunter --check 
Unable to find configuration file: /usr/local/etc/rkhunter.conf 
**linux-lhkc:/home/patti #** ll /usr/local/etc/rkhunter.d 
ls: cannot access '/usr/local/etc/rkhunter.d': No such file or directory 
**linux-lhkc:/home/patti #** ll /etc/rkhunter.d 
total 108 
-rw-r----- 1 root root  1393 Feb 25  2021 00_opensuse-use.conf 
-rw------- 1 root root   156 Feb 12 09:49 .00_opensuse-use.conf.kate-swp 
-rw-r----- 1 root root  1393 Feb 25  2021 00-opensuse-use_conf_stock 
-rw-r----- 1 root root 48668 Feb 12 09:41 rkhunter_conf_local_stock 
-rw-r----- 1 root root 48668 Feb 25  2021 rkhunter_conf_stock 
**linux-lhkc:/home/patti #**

EDIT: Ok, ok - I’m getting it. All that’s needed is to edit 00-opensuse.conf - gotta leave the rkhunter.conf (etc.) in /etc…

OK - so what I found is you have to modify /etc/rkhunter.d/00-opensuse.conf - you can’t/shouldn’t
modify /etc rkhunter.conf or rkhunter.conf.local. That’s what the GIThub instructions didn’t show. I think
I get it now…

So it also looks like the stock rkhunter setup for opensuse includes a cron.daily entry, so rkhunter
runs daily and sends an email to $REPORT_EMAIL, at least that’s what I surmise since there’s an
file in cron.daily named suse.de-rkhunter (and I’ve noticed this running before).

So, bottom line is this seems like the install sequence:

  1. install with YaST
  2. run rkhunter per https://gist.github.com/rothkj1022/ba0d2234eba53b815f7b7ecff5b7b741
  3. in those instructions, add the following to the file /etc/rkhunter.d/00-opensuse.conf

Does that sound about right? Problem is I still get a complaint from rkhunter… (I did try removing rkhunter from
my system and reinstalling it. I thought --propupd was supposed to “fix” this warning, but maybe, given
its setup in opensuse, it’s a YaST/system-interface-related “bug”)

**linux-lhkc:/home/patti #** rkhunter --propupd 
 Rootkit Hunter version 1.4.6 ] 
File updated: searched for 176 files, found 201 
**linux-lhkc:/home/patti #** rkhunter --rwo -c  
Warning: Package manager verification has failed: 
         File: /etc/rkhunter.d/00-opensuse.conf 
         The file hash value has changed 
         The file size has changed 
         The file modification time has changed 
**linux-lhkc:/home/patti #**

Despite this one warning, very happy to have something scanning my System dirs. :slight_smile:

Well I would assume it has to redo it’s database, else like I said, a bug report to get it added to the openSUSE version may fix it.

Where do I do the bug report? I assume the maintainer just missed those two hidden files when creating 00-opensuse.conf.

openSUSE:Submitting bug reports - openSUSE

I see the following, but since not installed here don’t see the changelog output, but you should to see the email address…

osc maintained rkhunter


osc maintainer rkhunter

Defined in project:  security
  bugowner of rkhunter : 

  maintainer of rkhunter : 
   msmeissn, lrupp, varkoly, elvigia, ahodgkinson, psmt, jjolly, duwe, WernerFink, bitshuffler, dbuss, jbohac, mseben, Alexander_Naumov, gregfreemyer, vpereirabr, jsegitz, group:factory-maintainers, group:security-team

rpm -q rkhunter --changelog | grep meissen

Of course! YaST has the maintainer info in the package. I did that with OpenFoam and got help. I thought you were referring to some mythical distro-specific bug thingie, like a OS-specific-bugzilla. So my brain ignored YaST. rotfl!

Been encountering the same problem with rkhunter when I found this old post, so was wondering what the maintainer said about this @pattim ? My rkhunter still flags the hidden hmac256 file as of today. :confused: