
Issue Rootkit Hunter log shows Invalid SCRIPTWHITELIST configuration option

PrimeSites

New Pleskian
Hi Guys,
I've recently spun up two new VPS servers (Ubuntu 18.04.4 LTS + Plesk Obsidian 18.0.28 Update #3) and the Watchdog function is enabled. When a watchdog security scan is run the system returns a warning saying "Considerable existing/potential security problems were detected in the system", with log contents below:

~~~~~~~~~~~
[ Rootkit Hunter version 1.4.4 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request
~~~~~~~~~~~

I've not been able to find any info on how to effectively troubleshoot this issue.
Any help/suggestions would be much appreciated.
 
@PrimeSites

In essence, this is a (very) old rkhunter bug that apparently has returned in version 1.4.4 somehow.

It is safe to ignore the "invalid configuration" notification and to get rkhunter running by following these steps:

1 - check for existence of the lwp-request file, run command : find / -name lwp-request

2 - if the lwp-request file is not present at all, uncomment the offending line by using the command : vi +607 /opt/psa/etc/modules/watchdog/rkhunter.conf (read: add # in front of the offending line)

and that is all.

Please note that you can apply configuration overrides by just adding a config file with the name rkhunter.conf.local in the /opt/psa/etc/modules/watchdog/ directory.

I hope the above helps.

Kind regards...........
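
Added example, not part of the original posts: a shell check that lists every active SCRIPTWHITELIST entry whose target file is missing, together with its line number, so the offending line can be opened directly as in step 2. The function name `missing_whitelist_paths`, its optional ROOT argument and the sample config in `demo` are constructed for illustration; it assumes SCRIPTWHITELIST may hold several space-separated paths per line.

```shell
#!/bin/sh
# missing_whitelist_paths CONF [ROOT]
# Prints "LINE:PATH" for each uncommented SCRIPTWHITELIST entry in CONF whose
# path does not exist. ROOT is a hypothetical prefix used only to test against
# a constructed directory tree; leave it empty on a real system.
missing_whitelist_paths() {
    conf=$1
    root=${2:-}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        /^[ \t]*SCRIPTWHITELIST[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # keep only the value
            gsub(/"/, "", val)                   # tolerate quoted values
            n = split(val, parts)                # assumed: space-separated list
            for (i = 1; i <= n; i++) print NR, parts[i]
        }' "$conf" |
    while read -r lineno path; do
        [ -e "$root$path" ] || printf '%s:%s\n' "$lineno" "$path"
    done
}

# Constructed demo: a four-line sample config and a fake root directory,
# so the check can be run on any machine without rkhunter installed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/ldd"                       # this whitelisted file exists
    printf '%s\n' \
        '# constructed sample, not the real Plesk file' \
        'SCRIPTWHITELIST=/usr/bin/ldd' \
        '#SCRIPTWHITELIST=/usr/bin/GET' \
        'SCRIPTWHITELIST=/usr/bin/lwp-request' > "$tmp/rkhunter.conf"
    missing_whitelist_paths "$tmp/rkhunter.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a Plesk server the same function can be pointed at /opt/psa/etc/modules/watchdog/rkhunter.conf and at rkhunter.conf.local, with no ROOT argument.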
 
This ("Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request") happened on a server which has been updated to 18.0.37 #2 automatically today. First try was to remove the Watchdog extension and add it again, but now, Watchdog can't be found anymore on plesk.com/extensions ...
 
Thanks Igor. I remember... It's still confusing how the installation of this extension is being handled like a component. I'd expect to find extensions under Extensions.
Anyway, your hint regarding lwp-request works, but now we have a warning in the scan report
/opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
though I've changed rights for the file from 0660 to 0607.
 
P.S.:
[10:27:34] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[10:27:34] Warning: Package manager verification has failed:
[10:27:34] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[10:27:34] The file hash value has changed
[10:27:34] Warning: Write permission is set on file '/opt/psa/etc/modules/watchdog/rkhunter.conf' for all users.
 
Well that was really dumb, sorry... vi +607 <file> jumps to line 607 after opening <file>, but I thought about rights (0607)... m-|
@TRILOS new media

You should not alter file permissions, there is no need to do so.

In essence, the error notification

P.S.:
[10:27:34] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[10:27:34] Warning: Package manager verification has failed:
[10:27:34] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[10:27:34] The file hash value has changed
[10:27:34] Warning: Write permission is set on file '/opt/psa/etc/modules/watchdog/rkhunter.conf' for all users.

will be absent by applying the following steps :

1 - go to directory /opt/psa/etc/modules/watchdog

2 - create the file rkhunter.conf.local by running the command : vi rkhunter.conf.local

3 - add the lines :

## Insert test for passing rkhunter.conf file check
PKGMGR_NO_VRFY=/opt/psa/etc/modules/watchdog/rkhunter.conf

# suppress warning for the check whether SSH protocol v1 is allowed - comment if you like
#ALLOW_SSH_PROT_V1=0

## Plesk related Xinetd services to be allowed
XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

4 - save and close the file rkhunter.conf.local

In short, the above line will suppress most of the common false positives generated by rkhunter, including the notification concerning rkhunter.conf

Please note that you can and should add all customisations of rkhunter in the rkhunter.conf.local file.

Also note that, when migrating to another server, these customisations should be transferred manually by rsyncing the rkhunter.conf.local file.

I hope the above helps a bit.

Kind regards.........
 
putty ssh terminal
dpkg -l | grep libwww-perl

apt-get update && apt-get upgrade
apt-get install libwww-perl
 