rkhunter returned warnings after upgrading to 15.4

Hi,

I need help understanding the results I got with rkhunter after upgrading to 15.4.

So my practice is that every time I do an update, I always run

sudo rkhunter --propupd --pkgmgr RPM

afterwards so that whatever was updated by me gets updated in rkhunter’s records (and thereby is not inadvertently flagged as a warning later on). I did that after running the upgrade and just before rebooting to allow the distro upgrade changes to take effect. After rebooting, however, I got a couple of warnings (see below):

Checking for group file changes [ Warning ]
Warning: Group 'sgx' has been added to the group file.
Warning: Group 'games' has been added to the group file.

Checking for passwd file changes [ Warning ]
Warning: User 'games' has been added to the passwd file.
Warning: User 'brltty' has been added to the passwd file.

Checking for hidden files and directories [ Warning ]
Warning: Hidden file found: /usr/bin/.hmac256.hmac: ASCII text

The warning for the group and passwd files were gone after the next reboots, but the warning for the hidden file seems to persist. My questions are:

  1. Are these changes normal after doing a distro upgrade? (This is my first time doing a distro upgrade with rkhunter in active use.)
  2. What were those group file and passwd file changes for?
  3. Is that hidden file a threat? If it is, what remediation steps should I do? If not, what can I do to tell rkhunter that it should not be detected going forward?

Please advise. Thanks in advance.

No threat: https://forums.opensuse.org/showthread.php/537539-Hacker-Troubles?p=2916377#post2916377

Okay, so should I unhide it so rkhunter stops flagging it as a warning? I’m not sure what that file is.

Interesting. No help. I guess I’ll try in other Linux forums then.

I think people found this a bit strange question.

To begin with, I do not use rkhunter and did not study your original question, so this is purely a remark to what you say here.

This is Linux, not MS Windows. You can not “unhide” a so-called “hidden file”. In fact there is no such thing as a hidden file, at least not for the kernel.

From the beginning of Unix there was a wish to have files (including directories) that would not show in each and every listing. Especially a user listing what he has in his home directory does most often not want to see all sorts of configuration files for the tools/programs he may use; he in fact wants to see the directories/files he is working on. Thus, a convention was made. File names where the first character is a . (dot, ASCII x’2E’) might be handled as “do not show these” by programs. The ultimate example is the tool ls. It will not show file names starting with a . by default. One has to use the -a option to get them. Later implementations of e.g. GUI file managers followed this.

But it is only a convention. It is not in the metadata of a file (like it is in MS Windows where you can switch it).

And yes, the term hidden in Linux is probably used because many Linux users are former MS Windows users and used the terminology they knew for phenomena that look similar, but aren’t (many more examples exist).

Thus you can only change this for a file by giving it another name (not starting with a dot). But as this seems to be a file belonging to and installed with some product, I do not think it is a good idea to change its name. It then most probably would be “hidden” from the product.

Thanks for the lecture. I did finish the Linux Essentials certificate program of LPI, and they also use the term Hidden for files with names beginning with a dot so I just followed their convention.

Perhaps rephrasing my question would help. I come with some security background, which is why anything flagged as a warning by security tools makes me pause to think. With Leap 15.3, I don’t get any warnings (even for hidden files) whenever I run rkhunter. After upgrading to 15.4, this file was flagged by rkhunter. Since it’s now a hidden file (because it starts with a dot), I’m assuming that a file named hmac256.hmac previously existed in 15.3 as a “visible” file (if we can call it that).

The file path is /usr/bin, and that path is for system tasks if I recall it right. So the rephrased question: what is this file and why was this file made hidden after upgrading to 15.4? And in case it is because it was replaced by something else, then why wasn’t it removed?

For the first part of your question take a look at this thread on the Factory Mailing List. (It’s been around for a long time.)

I understand your questions and concern. I have no idea about that file. I also find it very strange that they made that one, or any other one, in places like this, start with a dot. I do not see the logic for it. It is not a place like a home directory where end-users often browse around and thus have a use for the feature.

Just out of curiosity I did

find /usr -name '.*'

and to my surprise I got a lot of them, mostly in /usr/share.
But none in /bin, /sbin, /lib.

Fyi if libgcrypt-devel is installed in a Leap 15.3 system you can see here that the same filename is used:


r@localhost:~> cat /etc/SUSE-brand 
openSUSE
VERSION = 15.3
r@localhost:~> rpm -qf /usr/bin/.hmac256.hmac 
libgcrypt-devel-1.8.2-8.42.1.x86_64

I know this topic is quite old, but something popped in my head when I went over this again.

So I did the same commands on my Leap 15.4 (have not had time yet to upgrade to 15.5) and it returned this:

u@localhost:~> cat /etc/SUSE-brand
openSUSE
VERSION = 15.4
u@localhost:~> rpm -qf /usr/bin/.hmac256.hmac
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64

When I did a grep in /usr/bin just for “hmac,” interestingly I got this:

u@localhost:~> ls -a /usr/bin | grep -i hmac
fips_standalone_hmac
hmac256
.hmac256.hmac

Then I found out that hmac256 and .hmac256.hmac are both owned by libgcrypt-devel:

u@localhost:~> rpm -qf /usr/bin/hmac256
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64
u@localhost:~> rpm -qf /usr/bin/.hmac256.hmac
libgcrypt-devel-1.9.4-150400.6.8.1.x86_64

The new mystery on my part now is this:

u@localhost:~> file /usr/bin/hmac256
/usr/bin/hmac256: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a9a762023ee047ef952c093e8901ef1453df4cce, for GNU/Linux 3.2.0, stripped
u@localhost:~> file /usr/bin/.hmac256.hmac
/usr/bin/.hmac256.hmac: ASCII text

Given that the two files are owned by the same program but have different file types, is there any relationship between these two? If so, can someone enlighten me on this one?
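The checks in this last post (rpm -qf, file, ls -a | grep) are the right triage for a hidden-file warning: ask the package manager who owns the file, and whether the installed copy still matches what the package shipped. The script below, added here as an example and not taken from the thread, from rkhunter or from openSUSE, automates that for every "Hidden file found" line in a run of rkhunter output. It assumes an RPM-based system such as Leap for the live checks; where rpm is absent only the parsing runs and the verdict says so. The sample warnings are constructed from the ones quoted in the thread, and /tmp/.dropper is an invented path included only to show the unowned case.

```shell
#!/bin/sh
# Added example (not the thread's or rkhunter's code): triage rkhunter
# "Hidden file found" warnings via package ownership and rpm -V.
# Assumes an RPM-based system for owner() and verdict(); elsewhere only the
# parsing runs and the verdict reports that rpm is unavailable.

# Constructed sample of rkhunter output, modelled on the warnings in the thread.
# /tmp/.dropper is an invented path used to exercise the "unowned" branch.
SAMPLE_WARNINGS="Warning: User 'games' has been added to the passwd file.
Warning: Hidden file found: /usr/bin/.hmac256.hmac: ASCII text
Warning: Hidden file found: /tmp/.dropper: ELF 64-bit LSB executable"

# hidden_path LINE: print the path from a "Hidden file found" warning;
# print nothing for any other kind of warning line.
hidden_path() {
    case "$1" in
        "Warning: Hidden file found: "*)
            rest=${1#"Warning: Hidden file found: "}
            # The path ends at the first ": "; the file(1) description follows it.
            printf '%s\n' "${rest%%: *}"
            ;;
    esac
}

# owner PATH: print the owning package, "unowned" if no package claims the
# file, or "rpm-unavailable" on a system without rpm.
owner() {
    command -v rpm >/dev/null 2>&1 || { echo rpm-unavailable; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) && printf '%s\n' "$pkg" || echo unowned
}

# verdict PATH: one line saying what the ownership check implies for PATH.
verdict() {
    p=$1
    pkg=$(owner "$p")
    case "$pkg" in
        rpm-unavailable)
            echo "$p: rpm not available, ownership not checked" ;;
        unowned)
            echo "$p: not owned by any package; inspect it (file, stat) before trusting it" ;;
        *)
            # rpm -V prints only files whose size, digest, mode or owner differ
            # from the package manifest, so a match here means "modified".
            if rpm -V "$pkg" | grep -qF -- " $p"; then
                echo "$p: owned by $pkg but differs from the package manifest; reinstall the package or investigate"
            else
                echo "$p: owned by $pkg and unmodified; whitelist it in rkhunter.conf with ALLOWHIDDENFILE=$p"
            fi ;;
    esac
}

# triage WARNINGS: run verdict on every hidden-file warning in the text.
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        p=$(hidden_path "$line")
        if [ -n "$p" ]; then
            verdict "$p"
        fi
    done
}

triage "$SAMPLE_WARNINGS"
```

To use it on real output, feed it the text of rkhunter's log instead of SAMPLE_WARNINGS (for example `triage "$(grep 'Hidden file found' /var/log/rkhunter.log)"`). ALLOWHIDDENFILE is rkhunter's own rkhunter.conf directive for whitelisting a specific dot-file, which answers the third question in the opening post for a file that rpm reports as owned and unmodified. On the pairing asked about above, I can only offer an assumption the thread does not confirm: a binary beside a dot-prefixed file of the same name with an .hmac suffix is the layout libgcrypt uses for its FIPS-mode integrity checks, where the small text file holds an HMAC of the binary, and both files belonging to libgcrypt-devel is consistent with that.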