With openrc, rkhunter warns of a possible rootkit. This may be a "won't fix", but it might be useful to document a work-around for the hapless.

Reproducible: Always

Steps to Reproduce:

Actual Results:
[21:59:31] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Possible part of Knark rootkit
(Said string is a substring of the variable name "hidefirstroute" in the net.lo script: "local hidefirstroute=false".)

Expected Results:
Other than skipping the test of startup files, I do not believe rkhunter can be configured to neutralize this particular false positive. A workaround is to properly update the network configuration to comply with the new openrc network script architecture being phased in, after which net.lo is obsolete and may be deleted. Alternatively, the user may modify net.lo, renaming the variable.
Rather than being assigned to forensics, I would think this should be assigned to the openrc folks (who can simply rename the "hidefirstroute" variable).
Another workaround is to add to /etc/rkhunter.conf: RTKT_FILE_WHITELIST="/etc/init.d/net.lo" ... but this is less desirable than a variable name-change, since it prevents an almost universally-run init script from being scanned. Also, this should be assigned not to forensics, but to openrc, who can treat it as a low priority to address when they happen to be making other changes.
Looks like a pretty weak test that upstream (rkhunter's) should fix.
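
The false positive discussed in this report can be triaged without whitelisting the whole file. The following is an added example, not part of the bug thread and not rkhunter's code: a shell helper that prints, for each hit on a flagged string, the full identifier containing it, so a bare 'hidef' can be told apart from a longer name such as "hidefirstroute". The function name `triage_hit` and the sample file are constructed for illustration, and the flagged string is assumed to be plain alphanumeric text.

```shell
#!/bin/sh
# Added example: triage a "Found string ..." warning by showing the whole
# identifier-like token around each occurrence of the flagged string.

# triage_hit FILE STRING
# Prints one line per occurrence: "<line number> <exact|substring> <token>"
#   exact      the token is exactly STRING (needs a closer look)
#   substring  STRING is only part of a longer identifier
# Assumption: STRING contains no regex metacharacters.
triage_hit() {
    file=$1
    needle=$2
    # -o prints only the matched token, -n prefixes it with the line number.
    grep -n -o -E "[A-Za-z0-9_]*${needle}[A-Za-z0-9_]*" "$file" |
    while IFS=: read -r lineno token; do
        if [ "$token" = "$needle" ]; then
            echo "$lineno exact $token"
        else
            echo "$lineno substring $token"
        fi
    done
}

# Constructed sample input. Only the "local hidefirstroute=false" line is
# quoted from the report; the rest is made up for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed excerpt for illustration
    local hidefirstroute=false
    ${hidefirstroute} && return 0
# bare token, for contrast: hidef
EOF

triage_hit "$sample" hidef
```

Against the real file this would be run as `triage_hit /etc/init.d/net.lo hidef`; if every hit is classified as `substring`, the warning comes from a longer identifier rather than from the bare string.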