so there is this situation, which is annoying since it sends email with warning during every rkhunter check on some of the servers.

Basically, the error is this:

Warning: Suspicious file types found in /dev:
         /dev/null : ASCII text
    

I have no idea how this could happen since this is a special character file:

# /usr/bin/file /dev/null
/dev/null: character special

I have already tried to suppress this warning by trying these lines in rkhunter.conf:

EXISTWHITELIST=/dev/null
ALLOWHIDDENFILE=/dev/null
ALLOWPROCDELFILE=/dev/null
ALLOWPROCDELFILE=/dev/null
ALLOWDEVFILE=/dev/null

Yet still none of it gets rid of this warning.

Also found this bug raised: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866373

It is back from 2017 and version 1.4.2-6, and I get the exact same warning with 1.4.6.

Does anyone have any idea how to get rid of this warning? I have an idea to "un"-grep the /dev/null from the output and pass it to email but that would require quite an effort and muuuch better approach would be to whitelist it in conf file.

[]# ls -ld /dev/null
crw-rw-rw- 1 root root 1, 3 Sep  6  2019 /dev/null

As seen from this output, it is a special character file indeed.

P.s. this is very easily reproducible: rkhunter --check --report-warnings-only --no-mail-on-warning --enable filesystem

2 Answers

@Mircea Vutcovici

Your answer made me ls the /dev but this time I did $(ls -l /dev) rather than $(ls -l /dev/null) And guess what! Found this:

crw-rw-rw-  1 root root      1,   3 Sep  6  2019 null
-rw-r--r--  1 root root          54 Mar 18 21:41 null

Thank you! :)

P.s. the most funny thing is:

[]# ls -lh /dev/null
crw-rw-rw- 1 root root 1, 3 Sep  6  2019 /dev/null

[]# ls -lh /dev/nul*
crw-rw-rw- 1 root root 1, 3 Sep  6  2019 /dev/null
-rw-r--r-- 1 root root   54 Mar 18 21:41 /dev/null
  • There is a file called "/dev/null " with a trailing space. You should be able to see its content with: `less "/dev/null "`. This is strange as filename. It could be a broken script or maybe a malicious user. – Mircea Vutcovici Apr 21 '20 at 14:45
Check if /dev/null is character device, if not you need to move it then recreate it:

# Switch to "root" user
sudo -i
# Check if /dev/null is a character device
if [[ ! -c /dev/null ]];then
    # Backup/rename the current file
    mv -vi /dev/null{,-$(date +%F_%H%M%S).backup}
    # Create the character device /dev/null
    mknod /dev/null -m a=rw c 1 3
    # Restore SELinux permissions (needed only for RHEL, Fedora, CentOS)
    restorecon -v /dev/null
fi
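The root cause in the thread was an entry named "null " (trailing space) sitting next to the real device node, which a plain `ls -l /dev/null` never shows. The following is an added example, not code from either answer or from rkhunter: a small POSIX shell audit that walks a /dev-like directory (default /dev), flags names containing whitespace or control characters, flags regular files where only device nodes belong, and makes the odd characters visible with `sed -n l`. The function names `audit_dev_dir` and `is_char_device` are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Audit a directory, /dev by default, for entries with suspicious names
# (whitespace or control characters, like the "null " file found above)
# and for regular files where only device nodes are expected.
# Prints one tab-separated "<reason>\t<visible name>" line per finding and
# returns 1 if anything was found, 0 if the directory looks clean.
audit_dev_dir() {
    dir="${1:-/dev}"
    found=0
    # Iterate with a glob: unlike word-splitting `ls` output, a glob keeps
    # names containing spaces or newlines intact.
    for path in "$dir"/* "$dir"/.[!.]*; do
        # An unmatched glob is left as the literal pattern; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name="${path##*/}"
        reason=""
        # Names with whitespace or control characters are never legitimate in /dev.
        case "$name" in
            *[[:space:][:cntrl:]]*) reason="odd-name" ;;
        esac
        # A plain file living in /dev (what rkhunter complained about).
        # Symlinks are skipped so /dev/stdin pointing at a file is not flagged.
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            reason="${reason:+$reason,}regular-file"
        fi
        if [ -n "$reason" ]; then
            found=1
            # sed's POSIX 'l' command escapes control characters and marks
            # the end of line with '$', so a trailing space shows as "null $".
            printf '%s\t' "$reason"
            printf '%s\n' "$name" | sed -n l
        fi
    done
    return $found
}

# True when the path is a character device, which /dev/null must be.
is_char_device() {
    [ -c "$1" ]
}

# Usage (uncomment to run against the live system):
# audit_dev_dir /dev || echo "suspicious entries found in /dev"
# is_char_device /dev/null || echo "/dev/null is not a character device"
```

Run it with cron or from the same job that runs rkhunter; a non-zero exit from `audit_dev_dir` is the signal that the directory needs a look, and the `$`-terminated name in the output tells you exactly which entry to inspect and remove before recreating the device node as in the answer above.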