Rkhunter Warnings on Fresh Install

Hello, I just reinstalled PureOS and ran sudo rkhunter -c, which produced the following warnings:

[04:27:12] /usr/bin/egrep [ Warning ]
[04:27:12] Warning: The command ‘/usr/bin/egrep’ has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[04:27:13] /usr/bin/fgrep [ Warning ]
[04:27:13] Warning: The command ‘/usr/bin/fgrep’ has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[04:27:18] /usr/bin/which [ Warning ]
[04:27:18] Warning: The command ‘/usr/bin/which’ has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
[04:27:18] /usr/bin/lwp-request [ Warning ]
[04:27:18] Warning: The command ‘/usr/bin/lwp-request’ has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[04:30:11] Checking for suspicious (large) shared memory segments [ Warning ]

I figure this is due to the commands being different from standard Linux versions, but why are these scripts different?

Probably because those aren’t actually binaries, they’re scripts.

$ cat /usr/bin/fgrep

And you’ll see what it is.

I would put it the other way: this is due to rkhunter complaining about something it ought not to be.

If you want to investigate further, fgrep on my system is

#!/bin/sh
exec grep -F "$@"

and egrep is

#!/bin/sh
exec grep -E "$@"

These trivial scripts are harmless. If you get the same result then you can ignore the warning.

On the one hand, it is good that these two scripts exist in order to provide compatibility with Linux environments that happen to assume that egrep or fgrep exist as commands. On the other hand, the fact that no path is specified for the first argument to exec means that it opens up the possibility that an unexpected executable for grep is used. (For personal use, I would alias egrep and fgrep but that is no good for running someone else’s scripts, in the general case.)

PS I obtained the first script contents with

view `which fgrep`

Thanks everyone, it is clear now.
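
The checks discussed in this thread, gathered into one script as an added example that is not part of any post above: it pulls the flagged paths out of an rkhunter log, reports whether each wrapper's exec names its target by absolute path or leaves it to a PATH lookup, and lists PATH entries that would make such a lookup unsafe. The function names are hypothetical, and the log location in the usage comment is an assumption about where rkhunter writes its log.

```shell
# Added example (not from the thread): triage rkhunter "replaced by a script" warnings.

# Read rkhunter log text on stdin; print each command path flagged as a script.
# Accepts straight or typographic quotes around the path.
flagged_paths() {
    sed -n 's|.*The command [^/]*\(/[A-Za-z0-9._+/-]*\)[^ ]* has been replaced by a script.*|\1|p'
}

# Print how the first exec line of script $1 names its target:
#   absolute     exec /usr/bin/grep ...   (a fixed binary)
#   path-lookup  exec grep ...            (whatever $PATH finds first)
#   no-exec      not a simple exec wrapper; read the script by hand
exec_target_kind() {
    target=$(sed -n 's/^[[:space:]]*exec[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    case $target in
        '') echo no-exec ;;
        /*) echo absolute ;;
        *)  echo path-lookup ;;
    esac
}

# Print the entries of PATH-style string $1 that make a path-lookup exec risky:
# empty or relative entries, and directories writable by group or others.
risky_path_dirs() {
    old_ifs=$IFS; IFS=:; set -f
    for d in $1; do
        case $d in
            /*) find -L "$d" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null || : ;;
            *)  echo "${d:-<empty>}" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# Usage (log path assumed): triage_log /var/log/rkhunter.log "$PATH"
triage_log() {
    flagged_paths < "$1" | while read -r p; do
        if [ -f "$p" ]; then echo "$p: $(exec_target_kind "$p")"; fi
    done
    risky_path_dirs "$2" | sed 's/^/risky PATH entry: /'
}
```

A `path-lookup` result together with an empty list of risky PATH entries matches the "trivial and harmless" case described in the thread; `no-exec` (as for a Perl script such as lwp-request) means the script has to be read directly.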