33

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

8
  • 38
    Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to be there.
    – user163495
    Commented May 28, 2019 at 11:41
  • 52
    Whenever I see a question asking whether something is safe, I'm left wondering: Safe against what?
    – Marc.2377
    Commented May 29, 2019 at 0:06
  • 3
    @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it...
    – rydwolf
    Commented May 29, 2019 at 1:50
  • 1
    Aliasing ls to ls -A can help here from a security usability perspective.
    – forest
    Commented May 29, 2019 at 3:14
  • 6
    @Marc.2377 Or equivalently, What is your threat model? ("Threat model" just being a fancy term for the things you're trying to protect against.)
    – jpmc26
    Commented May 29, 2019 at 16:56

2 Answers

65

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

5
  • 2
    That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
    Commented May 29, 2019 at 2:38
  • 18
    @eternaltyro It would affect comfort, yes, but not security.
    – Mołot
    Commented May 29, 2019 at 7:33
  • 7
    @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
    Commented May 29, 2019 at 9:21
  • 1
    If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
    – Cinderhaze
    Commented May 29, 2019 at 14:34
  • 2
    @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
    – DoubleD
    Commented May 30, 2019 at 21:57
21

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand, is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.
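Both answers make the same point: rkhunter flags hidden entries under /etc not because they are dangerous in themselves but because legitimate packages rarely create them, so the admin's job is to review each finding and allowlist the ones that come from a known package. The script below is an added example, not rkhunter's own code or anything from the question, that reproduces that logic on a small scale: it lists dot-prefixed entries directly under a directory, accepts the ones in an explicit allowlist (here /etc/.java from default-jre) and reports the rest. The function names and the scratch-directory demonstration are the example's own; the ALLOWHIDDENDIR directive named in the comments is the corresponding rkhunter.conf setting and is not mentioned on this page.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: an allowlist-based check in the
# spirit of rkhunter's hidden-file/directory test for /etc. A hidden entry that
# a known package created (here /etc/.java from default-jre) is accepted; any
# other dot-prefixed entry is reported for the admin to review.

# Expected hidden paths. In rkhunter itself the equivalent is the line
# ALLOWHIDDENDIR=/etc/.java in rkhunter.conf (directive name taken from
# rkhunter's configuration, not from the question).
ALLOWED_HIDDEN="/etc/.java"

# check_hidden ROOT [ALLOWLIST]
#   Walks the immediate children of ROOT, reports every dot-prefixed entry that
#   is not in ALLOWLIST (whitespace-separated full paths) and returns 1 if any
#   was found, 0 otherwise. ROOT is a parameter so the same check can run
#   against a scratch directory; entries are mapped back onto /etc before
#   matching so the allowlist reads the same either way.
check_hidden() {
    ch_root=$1
    ch_allow=${2:-$ALLOWED_HIDDEN}
    ch_status=0
    for ch_entry in "$ch_root"/.*; do
        # Skip the . and .. pseudo-entries and an unexpanded pattern.
        case "${ch_entry##*/}" in .|..) continue ;; esac
        [ -e "$ch_entry" ] || [ -L "$ch_entry" ] || continue
        ch_logical="/etc/${ch_entry##*/}"
        ch_listed=0
        for ch_ok in $ch_allow; do
            [ "$ch_logical" = "$ch_ok" ] && ch_listed=1
        done
        if [ "$ch_listed" -eq 0 ]; then
            printf 'WARNING: hidden entry not in allowlist: %s\n' "$ch_logical"
            ch_status=1
        fi
    done
    return "$ch_status"
}

# Constructed demonstration on a scratch directory rather than the live /etc:
# .java is allowlisted, .dropped is not, so only .dropped is reported.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/.java/deployment" "$demo_root/.dropped"
if check_hidden "$demo_root"; then
    echo "no unexpected hidden entries"
else
    echo "review the warnings above, then allowlist or remove the entry"
fi
rm -rf "$demo_root"
```

Running it against the real directory is just `check_hidden /etc`; a non-zero exit is the equivalent of rkhunter's warning, and the fix for a known-good entry is to extend the allowlist (or, in rkhunter proper, the config file) rather than to suppress the check altogether.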
