Need insights regarding libgcrypt-devel and hmac256 file in /usr/bin

This hidden file in /usr/bin keeps on getting flagged by rkhunter, which is apparently a file owned by libgcrypt-devel:

u@localhost:~> rpm -qf /usr/bin/.hmac256.hmac
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64

I sifted through /usr/bin just for “hmac” and got this:

u@localhost:~> ls -a /usr/bin | grep -i hmac
fips_standalone_hmac
hmac256
.hmac256.hmac

Checking out the two hmac files will show that both are owned by libgcrypt-devel:

u@localhost:~> rpm -qf /usr/bin/hmac256
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64
u@localhost:~> rpm -qf /usr/bin/.hmac256.hmac
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64

I used the file command to get information about these two:

u@localhost:~> file /usr/bin/hmac256
/usr/bin/hmac256: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a9a762023ee047ef952c093e8901ef1453df4cce, for GNU/Linux 3.2.0, stripped
u@localhost:~> file /usr/bin/.hmac256.hmac
/usr/bin/.hmac256.hmac: ASCII text

Are these two files related in any way? If so, can someone enlighten me on this one? I couldn’t figure out why the hidden file is in there and it’s a little annoying to see it get flagged every time I scan my system.

Please help.

There are several threads here on the forum about this file. Please search for it.

In short (as far as I can remember from seeing them passing by):

  1. The developer of this hmac256 product thinks it is nice to have a file name starting with a . there.
  2. rkhunter mistrusts every file name starting with a . outside of user’s home directories.

Are you compiling some software that needs libgcrypt? If not, just remove this package.

Found a 2-year-old post which appears to be exactly the same as my concern. Sent a message to ask what the maintainer had to say since they believe it was a bug with the rkhunter available in openSUSE.

Not quite sure if I should even do that @arvidjaar .

u@localhost:~> zypper info libgcrypt-devel
Loading repository data...
Reading installed packages...


Information for package libgcrypt-devel:
----------------------------------------
Repository     : Update repository with updates from SUSE Linux Enterprise 15
Name           : libgcrypt-devel
Version        : 1.9.4-150400.6.8.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Installed Size : 909.2 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : libgcrypt-1.9.4-150400.6.8.1.src
Upstream URL   : https://gnupg.org/software/libgcrypt
Summary        : The GNU Crypto Library
Description    : 
    Libgcrypt is a general purpose library of cryptographic building
    blocks.  It is originally based on code used by GnuPG.  It does not
    provide any implementation of OpenPGP or other protocols.  Thorough
    understanding of applied cryptography is required to use Libgcrypt.

    This package contains needed files to compile and link against the
    library.

Looking at the one above, the package came from SUSE and it has something to do with cryptography and sounds important. But what is it for anyway?

As you seem to have problems in searching:

(hey look who is asking!)

All *-devel packages are for compiling your own software. No package should need any *-devel package to simply use programs from this package.

This gives you maybe a hint why this hmac file exists:

> man fipscheck
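The fipscheck hint above is the reason the hidden file exists: a FIPS-style integrity check stores an HMAC of a binary in a sidecar file next to it, and the binary (or a checker) recomputes it at start-up. The following is an added example, not code from the thread, from libgcrypt or from fipscheck; it uses a placeholder key (the real tools use a fixed build-time key this example does not reproduce) and a constructed stand-in binary in a temporary directory, and shows the 65-byte sidecar being written, verified, and rejected after the binary is modified.

```python
import hashlib
import hmac
import os
import tempfile

# Placeholder key: the real hmac256/fipscheck tools use a fixed build-time key
# that this example does not reproduce.
PLACEHOLDER_KEY = b"example-key-not-the-real-one"

def sidecar_path(binary):
    """Hidden sidecar next to the binary, e.g. /usr/bin/.hmac256.hmac for /usr/bin/hmac256."""
    d, name = os.path.split(binary)
    return os.path.join(d, "." + name + ".hmac")

def hmac256_hex(binary, key=PLACEHOLDER_KEY, chunk=65536):
    """Hex HMAC-SHA256 over the file's bytes, streamed so large binaries are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(binary, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            mac.update(block)
    return mac.hexdigest()

def write_sidecar(binary, key=PLACEHOLDER_KEY):
    """Write 64 hex chars plus newline: 65 bytes, the size ls -l shows in the thread."""
    path = sidecar_path(binary)
    with open(path, "w") as f:
        f.write(hmac256_hex(binary, key) + "\n")
    return os.path.getsize(path)

def verify_sidecar(binary, key=PLACEHOLDER_KEY):
    """True only if the stored HMAC matches the binary; a missing sidecar is a failure."""
    try:
        with open(sidecar_path(binary)) as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(stored, hmac256_hex(binary, key))  # constant-time compare

def demo():
    """Constructed stand-in binary in a temp dir: verify, append one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "hmac256")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF constructed stand-in, not a real executable")
        size = write_sidecar(binary)
        before = verify_sidecar(binary)
        with open(binary, "ab") as f:
            f.write(b"\x00")  # any modification changes the HMAC
        return size, before, verify_sidecar(binary)  # (65, True, False)
```

A defender can use the same idea to spot drift: if the sidecar and binary share a timestamp and the HMAC verifies, the pair is consistent with a packaged install rather than tampering.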

Yeah, I found that Hidden apps thread and dropped a reply to ask what the maintainer had to say since they think it’s a bug with the rkhunter available in openSUSE.

The thing was installed automatically (and I’m not sure what put it there). I wonder if dependencies to what I use has something to do with this, like clamav or rkhunter.

Just tried that and this is what my terminal said:

u@localhost:~> man fipscheck
No manual entry for fipscheck

Not sure why it didn’t blurt out anything. Is this normal?

The man page is part of package libfipscheck1 (leap-155). I do not think it is worth installing it; you can just use Google.

I have Leap 15.4, never installed either rkhunter or clamav and have them also:

boven:/usr/bin # ls -l hmac256 .hmac256.hmac
-rw-r--r-- 1 root root    65 Mar  8 21:04 .hmac256.hmac
-rwxr-xr-x 1 root root 15136 Mar  8 21:04 hmac256
boven:/usr/bin #

Together with your investigation that they are installed by package libgcrypt-devel this shows that it is normal to have these files on a Leap 15.4 installation.

I also found another one of your concerns: What is /dev/shm/sem.haveged_sem?.

IMHO your approach of these rkhunter messages is wrong. They are just messages of things rkhunter in general flags as suspicious (like having a file name starting with a . outside user’s home directories). After ample research it can be concluded that both are “false positives”. I also think that it is strange that there is such a file, that is also not an executable of any kind, in /usr/bin, but that is what it is. I do not think any developer will change this (or the /dev/shm one) because some other developer (the one of rkhunter) gives some false positives.

You are the one that uses rkhunter and you either have to live with the false positives (ignoring them visually or by piping the output through a script that removes them), or stop using rkhunter.

Fyi read the abstract of

and then ignore these files and FIPS related stuff.

thanks @rawar for the reference

thanks @hcvv , I suppose I’ll have to find a way to whitelist these false positives going forward.

Out of curiosity though, since you also suggested stopping the use of rkhunter, are there other alternatives to that in openSUSE? Because whenever I do

zypper search -d rootkit

it’s the only thing that shows up.

Any thoughts?

Depends completely on your wishes and needs. I do not run anything like that, so do not expect any advice from me on this subject.

But it is for sure that any one of such programs you want to use gives you some (or even heaps of) false positives. Which might be manageable to cope with when using them once a year on a rainy day, but might involve regular maintenance (white/black-list, whatever) to stay up-to-date.

BTW, I see you also installed clamav. I do not know why, but again, think before you invest a lot of time. IMHO virus scanners will only be of any benefit if your system is a mail-server and you want to be of service to Microsoft Windows mail clients you may have (and even then, restrict the search to the mail server part of the system, because it will detect a huge number of false positives on the rest). It will not detect Linux aimed viruses because they do not exist and if they exist those virus scanners will not know about them and thus will not detect them.

To whitelist a hidden file in rkhunter add a line

ALLOWHIDDENFILE=/usr/bin/.hmac256.hmac

to your /etc/rkhunter.conf.local.

Unfortunately any security tool, even a professional SIEM, will give you false positives and, even worse, false negatives in the long run.

Thanks @rawar for the suggestion on how to whitelist.

Interesting to see that there are still people who believe this even if we are already in the ransomware age. Although I respect your humble opinion, you may want to broaden your perspective and read about new threats out there. Here’s a helpful link if you want to read about it:

The article may be back in 2022, but that was just 2 years ago (not 20).