rkhunter (root kit hunter) warning

Kevin Fenzi kevin at scrye.com
Tue Aug 19 19:57:52 UTC 2008


On Mon, 18 Aug 2008 18:25:08 -0700 (PDT)
"Dean S. Messing" <deanm at sharplabs.com> wrote:

> Kevin Fenzi wrote:
> > On Mon, 18 Aug 2008 11:54:05 -0700 (PDT)
> > deanm at sharplabs.com ("Dean S. Messing") wrote:
> > 
> > > 
> > > I just installed rkhunter on this F7 machine
> > 
> > Sadly, F7 is no longer supported... 
> > 
> > > and am using the default config file (probably
> > > a mistake.)
> > 
> > Well, I maintain rkhunter, and some issues were found with the
> > config, but only after F7 was end of lifed. I thus wasn't able to
> > update it. ;( 
> > 
> > You could try rebuilding the F-9 src.rpm for F7. 
> > 
> > Also, make sure you run 'rkhunter -propupd' to update the
> > properties. 
> 
> Thanks a lot Kevin!
> 
> Were the changes you mention made during F8? If so I might have more
> success rebuilding and installing the latest F8 rpm (1.3.2-4.fc8, I
> think).  In the past I've had problems trying to build new packages on
> older systems due to changes in "rpm" and new package requirements
> (dependency hell).

Yeah, the changes should be in F8 as well. 
It's a very simple build/setup anyhow, so any of them should work... 

> Do you know if not having the Properties DB would cause the
> warning message I got:
> 
>    Please inspect this machine, because it may be infected.

Yes. It will do that until you run property update. 

> I had not run "-propupd" because the F7 machine is several
> months old and I could not guarantee what was required in the warning
> on the man page:
> 
>       WARNING: It is the users responsibility to ensure that the
> files on the system are genuine and from a  reliable  source.
> rkhunter  can only  report  if a file has changed, but not on what
> has caused the change. Hence, if a file has changed,  and  the
> --propupd  command option is used, then rkhunter will assume that the
> file is genuine.

Right. So, you might either not run it from cron, or filter those
emails, or just run the propupd anyhow. 

> Dean

kevin
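As an added illustration of the behaviour discussed in this thread (this is not rkhunter's code and not something Kevin or Dean posted), the script below builds a toy "properties database" in the spirit of rkhunter's file-property check: it records a SHA-256 per watched file, warns while no database exists, reports files whose digest changed, and shows that re-baselining with a propupd-style step simply accepts whatever is on disk as genuine. The watched "binaries", the temporary directory and the function names `digest`, `propupd` and `check` are all constructed for the demo.

```shell
#!/bin/sh
# Added illustration, not rkhunter's own code: a toy "properties database"
# in the spirit of rkhunter's file-property check and its --propupd option.
# It stores a SHA-256 per watched file, reports which files changed, and
# shows that re-baselining accepts whatever is on disk as genuine.
# Everything lives in a temporary directory; the "binaries" are constructed.

WORK=$(mktemp -d)
BASELINE="$WORK/properties.db"
mkdir -p "$WORK/bin"
printf 'genuine ls\n' > "$WORK/bin/ls"
printf 'genuine ps\n' > "$WORK/bin/ps"

# SHA-256 of one file; uses coreutils sha256sum, or shasum where that is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# propupd: (re)write the baseline from the files as they are right now.
# Like rkhunter --propupd, it has no way to tell a genuine file from a
# replaced one; it simply trusts the current contents.
propupd() {
    : > "$BASELINE"
    for f in "$WORK"/bin/*; do
        printf '%s %s\n' "$(digest "$f")" "$f" >> "$BASELINE"
    done
}

# check: compare every baseline entry with the file on disk.
# Returns 0 when all match, 1 when the baseline is missing or any file
# changed. It can report *that* a file changed, never *why*.
# (Paths are split on whitespace, which is fine for the constructed paths.)
check() {
    if [ ! -s "$BASELINE" ]; then
        echo "Warning: no properties database; run propupd first"
        return 1
    fi
    changed=0
    while read -r sum path; do
        if [ "$(digest "$path")" != "$sum" ]; then
            echo "Warning: file properties have changed: $path"
            changed=1
        fi
    done < "$BASELINE"
    return "$changed"
}

# Walk through the situation from the thread.
check || echo "-> this is the state before any propupd has been run"
propupd
check && echo "-> clean against a fresh baseline"
printf 'modified ls\n' > "$WORK/bin/ls"   # simulate a change of unknown cause
check || echo "-> verify the file against its package before re-baselining"
propupd
check && echo "-> after propupd the modified file is treated as genuine"
```

The last two lines are the point of the man-page warning quoted above: once the baseline is rewritten, a changed file and a genuine one look identical to the checker. On an RPM-based system, a file reported as changed can be compared with what the package manager installed (for example `rpm -V <package>`) before deciding that re-baselining is safe.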