
#172 `saslauthd` process from Docker container marked as spam tool component (how to allow this process?)

Milestone: main
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2022-05-09
Created: 2021-12-18
Creator: K. de Jong
Private: No

I'm running rkhunter 1.4.6-5 on Debian 10 (buster). I run a Jitsi Docker container which recently added a process to its container.

rkhunter marks the process saslauthd as a Possible Rootkit: Spam tool component (full output below). I don't see how I can allow this process without disabling the running_procs test.

Is this even supported? Or does rkhunter not take container hosts into account?

Warning: The following processes are using suspicious files:
         Command: saslauthd
           UID: 0    PID: 20095
           Pathname:
           Possible Rootkit: Spam tool component
         Command: saslauthd
           UID: 0    PID: 20147
           Pathname:
           Possible Rootkit: Spam tool component
         Command: saslauthd
           UID: 0    PID: 20148
           Pathname:
           Possible Rootkit: Spam tool component
         Command: saslauthd
           UID: 0    PID: 20152
           Pathname:
           Possible Rootkit: Spam tool component
         Command: saslauthd
           UID: 0    PID: 20153
           Pathname:
           Possible Rootkit: Spam tool component

Discussion

  • K. de Jong - 2021-12-18

    I ran rkhunter --sk -c --vl --debug and checked the log files in /tmp/rkhunter*

    Probably the file below has to be added to rkhunter to suppress this warning. I will check this later; first I'll check why rkhunter thinks this file is bad.

    + INFO=Spam tool component
    + echo libkeyutils.so.1.9:Spam tool component:saslauthd                          20153                                    0  mem       REG              253,4              2097617 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
    
  • K. de Jong - 2021-12-18

    Seems like this cannot be whitelisted? Since it runs in a container environment, it's not part of the host's local path. How to fix this?

    # rkhunter --sk -c --vl 
    Invalid RTKT_FILE_WHITELIST configuration option: Non-existent pathname: /lib/x86_64-linux-gnu/libkeyutils.so.1.9
    
     
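    Why the whitelist entry is rejected, and how to reach the file anyway, as an added illustration that is neither rkhunter's code nor part of this ticket: rkhunter's check runs lsof on the host, and the host kernel lists container processes in /proc like any other, but the path lsof reports is a path inside the container's mount namespace. That is why the same path does not exist on the host and RTKT_FILE_WHITELIST refuses it. The host-side name for that file is /proc/<pid>/root/<path>. The script below parses the warning text and the "+ echo" debug record (both samples are constructed after the ones in the ticket), resolves the flagged file through /proc/<pid>/root, hashes it, maps the PID to its Docker container via the cgroup path and, as an optional step, asks dpkg inside the container whether the file is the one its package shipped. It whitelists nothing; the point is to verify the file before suppressing the warning. Function names and sample text are my own; it assumes a Linux host with /proc and sha256sum and, for the dpkg step, the docker CLI and a Debian-based image.

```shell
#!/bin/sh
# Triage of rkhunter "suspicious files" warnings raised by processes that live
# in containers. Added example; not rkhunter's code and not from this ticket.
# Assumes a Linux host with /proc and sha256sum, plus the docker CLI and a
# Debian-based image for the dpkg step. PIDs in the warning are host PIDs,
# because rkhunter's check runs lsof on the host and sees every process in /proc.

# Constructed sample: two entries shaped like the warning in the ticket.
SAMPLE_WARNING='Warning: The following processes are using suspicious files:
         Command: saslauthd
           UID: 0    PID: 20095
           Pathname:
           Possible Rootkit: Spam tool component
         Command: saslauthd
           UID: 0    PID: 20147
           Pathname:
           Possible Rootkit: Spam tool component'

# Constructed sample: one record shaped like the "+ echo" line in the ticket's
# debug log, the only place where the matched file name appears.
SAMPLE_DEBUG='+ echo libkeyutils.so.1.9:Spam tool component:saslauthd 20153 0 mem REG 253,4 2097617 /lib/x86_64-linux-gnu/libkeyutils.so.1.9'

# Warning text on stdin -> "command pid", one line per flagged process.
parse_warning() {
    awk '/Command:/ { cmd = $2 } /PID:/ { print cmd, $NF }'
}

# One debug record -> "pid path". The third colon-separated field is the lsof
# row (COMMAND PID ... NAME), so the PID is its 2nd token and the path its last.
parse_debug_line() {
    printf '%s\n' "$1" | sed 's/^+ echo //' |
        awk -F: '{ n = split($3, f, /[ \t]+/); print f[2], f[n] }'
}

# A path reported for a containerised process is relative to that process's
# mount namespace; /proc/<pid>/root is the host-side view of that namespace.
# Prints the host-side path, fails if the process is gone or the file is absent.
resolve_in_pid_root() {
    target="/proc/$1/root$2"
    [ -e "$target" ] || return 1
    printf '%s\n' "$target"
}

# SHA-256 of the file exactly as the flagged process sees it.
hash_in_pid_root() {
    target=$(resolve_in_pid_root "$1" "$2") || return 1
    sha256sum "$target" | awk '{ print $1 }'
}

# Docker container ID owning a host PID, taken from its cgroup path
# (cgroup v1: ".../docker/<id>", cgroup v2: ".../docker-<id>.scope").
container_of_pid() {
    id=$(sed -n 's#.*docker[/-]\([0-9a-f]\{64\}\).*#\1#p' "/proc/$1/cgroup" 2>/dev/null | head -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Ask the container's own package manager whether the file matches its package.
# Debian/Ubuntu images only; "dpkg -V" prints nothing when every file matches.
verify_with_dpkg() {
    docker exec "$1" sh -c \
        'pkg=$(dpkg -S "$1" | cut -d: -f1) && dpkg -V "$pkg"' sh "$2"
}

# Full triage of one debug record: where the file really is, its hash and the
# container it belongs to. Never whitelists anything by itself.
triage_debug_line() {
    set -- $(parse_debug_line "$1")      # now $1 = pid, $2 = path
    pid=$1; path=$2
    if target=$(resolve_in_pid_root "$pid" "$path"); then
        printf 'pid %s file %s -> %s sha256 %s container %s\n' \
            "$pid" "$path" "$target" "$(hash_in_pid_root "$pid" "$path")" \
            "$(container_of_pid "$pid" || echo none)"
    else
        printf 'pid %s file %s -> process gone or file not present\n' "$pid" "$path"
    fi
}

printf '%s\n' "$SAMPLE_WARNING" | parse_warning
triage_debug_line "$SAMPLE_DEBUG"
```

    Run it as root on the host, since reading /proc/<pid>/root of another user's process needs ptrace permission over that process. If dpkg -V reports nothing for the owning package, the file is the one the distribution shipped and what remains is a reporting problem in rkhunter, not a compromise. Note that dpkg's md5sums list lives in the same container, so an attacker who replaced both would pass that step; for a stronger check compare the printed hash against the same file from a copy of the package fetched from the distribution mirror.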
  • Rebel2k - 2021-12-26

    I have a similar issue. I run sogo in a docker container, and rkhunter reports this process as spam. I tried some configurations in rkhunter.conf, but without any success.

    Invalid RTKT_FILE_WHITELIST configuration option: Non-existent pathname: /usr/sbin/sogod
    
    Warning: The following processes are using suspicious files:
             Command: sogod
               UID: 999    PID: 10736
               Pathname:
               Possible Rootkit: Spam tool component
             Command: sogod
               UID: 999    PID: 13219
               Pathname:
               Possible Rootkit: Spam tool component
             Command: sogod
               UID: 999    PID: 13220
               Pathname:
               Possible Rootkit: Spam tool component
    
    # ps -ef|grep sogo
    systemd+ 10736  9436  0 Dec19 ?        00:09:28 /usr/sbin/sogod
    systemd+ 13219 10736  0 Dec19 ?        00:00:11 /usr/sbin/sogod
    systemd+ 13220 10736  0 Dec19 ?        00:00:12 /usr/sbin/sogod
    systemd+ 13223 10736  0 Dec19 ?        00:00:13 /usr/sbin/sogod
    systemd+ 13224 10736  0 Dec19 ?        00:00:13 /usr/sbin/sogod
    

    As K. de Jong mentioned, this file doesn't exist on the local OS, only in a running docker container.

    # ls -lia /usr/sbin/sogod
    ls: cannot access '/usr/sbin/sogod': No such file or directory
    
  • jens - 2022-01-25

    I have a similar issue. Running Nextcloud in a Docker container has, since Nextcloud version 22, led to the same warning as mentioned above:

    Warning: The following processes are using suspicious files:
             Command: apache2
               UID: 33    PID: 1168
               Pathname: 
               Possible Rootkit: Spam tool component
    
    # ps -ef | grep apache2
    www-data   1168 30018  0 11:19 ?        00:00:02 apache2 -DFOREGROUND
    

    As the users above wrote, it is the same here: the package is not installed on the local machine and therefore the corresponding file is not present:

    # ls -lah /usr/sbin/apache2
    ls: cannot access '/usr/sbin/apache2': No such file or directory
    

    I did try to whitelist Apache, but as expected it didn't work:

    # grep apache2 /etc/rkhunter.conf.local 
    ALLOWIPCPROC=/usr/sbin/apache2
    
     

    Last edit: jens 2022-01-25
  • Andreas - 2022-02-21

    Same for postgres in a docker container:

             Command: postgres
               UID: 999    PID: 31952
               Pathname: 
               Possible Rootkit: Spam tool component
    
  • Matthias - 2022-03-21

    Using rkhunter 1.4.6 on Debian bullseye 11.2, with a Docker container in Docker swarm (20.10.11, build dea9396) running Apache (Apache/2.4.52 Debian) inside the container, we see the same problem here as well:

    Warning: The following processes are using suspicious files:
            Command: apache2
              UID: 0    PID: 2568218
              Pathname: 
              Possible Rootkit: Spam tool component
            Command: apache2
              UID: 33    PID: 3052411
              Pathname: 
              Possible Rootkit: Spam tool component
            Command: apache2
              UID: 33    PID: 3053967
              Pathname: 
              Possible Rootkit: Spam tool component
            Command: apache2
              UID: 33    PID: 3053968
              Pathname: 
              Possible Rootkit: Spam tool component
            Command: apache2
              UID: 33    PID: 3061719
              Pathname: 
              Possible Rootkit: Spam tool component
              ...
    

    This produces a new message every day which has to be actively ignored on a daily basis. This is at least annoying and it would be very helpful to either find a workaround or even better fix this problem in rkhunter.

  • Mathias Homann - 2022-05-09

    Same for pretty much anything that I'm running in Docker: postgres, saslauthd, Java-based stuff; pretty much anything that runs inside containers is found as "Possible rootkit".
    Please do something about this.
