rkhunter Question.

John Horne john.horne at plymouth.ac.uk
Thu Jan 8 20:29:49 UTC 2009


On Thu, 2009-01-08 at 15:22 -0500, Gene Heskett wrote:
> On Thursday 08 January 2009, John Horne wrote:
> >On Thu, 2009-01-08 at 16:42 +0000, John Horne wrote:
> >> On Thu, 2009-01-08 at 09:38 -0500, Gene Heskett wrote:
> >> > They say a little paranoia is a good thing, so I installed the rkhunter
> >> > rpm, which in turn apparently sets itself up as a cron job.
> >> >
> >> > I got emails from it bitching about a couple of perfectly legit files,
> >> > and I found out where to whitelist them, so that warning is gone.  While
> >> > I was at it I enabled another set of tests that weren't by default, the
> >> > additional_rkts.
> >> >
> >> > Now it is complaining about the lack of copies for passwd and group, but
> >> > they do exist as name- files.  Is this a foible of rkhunter, or a
> >> > redhatism?
> >> >
> >> > Recommended fix?
> >>
> >> Do nothing. When rkhunter is first run it has no copy of the
> >> passwd/group files to check against for changes. Hence the warning. As
> >> it runs, it will take a copy. When it runs again, it then has a copy, so
> >> the warning goes away.
> >
> >Hmm, actually thinking about it the rkhunter.spec file specifies to
> >install copies of the files when the rpm is installed. As such the error
> >should not have occurred. May want to raise that with the packager of
> >the rpm (i.e. report it via the fedora bugzilla).
> >
> If they previously exist as name- files due to being edited with vim, they 
> apparently are not overwritten.  Each was a generation old, not containing 
> my latest additions.  I have overwritten them now & we'll see.
> 
> Should the rpm installer have overwritten them?  I dunno, there could be 
> problems intro'd either way in this case.
> 
The rkhunter installer will not overwrite anything in /etc. The copies
it takes of the files are for its own use and put into a separate secure
directory. It is those files it looks for.

Looking at the rkhunter 1.3.2 rpm spec file (as used for the Fedora
package), it does not seem to take an initial copy of the files. So that
would explain why you got the initial warning. However, as has already
been replied, the spec file for 1.3.4 FC10 does do this initial copy
(although I cannot personally verify that).




John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: John.Horne at plymouth.ac.uk       Fax: +44 (0)1752 587001
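As an added illustration of the mechanism John describes (not rkhunter's own code): a small POSIX shell version of the passwd/group change check. It keeps private copies under STATE_DIR (an assumed path, not rkhunter's real state directory), warns and takes a copy on a first run that has no stored copy, reports added or removed lines on later runs, and never consults a vim-style `passwd-` backup sitting next to the live file.

```shell
#!/bin/sh
# Added example, not rkhunter's code. STATE_DIR is an assumed location;
# the real tool keeps its copies in its own directory.
STATE_DIR="${STATE_DIR:-/var/lib/rkhunter-example}"

# check_file <live file>
# Exit status: 0 = unchanged, 1 = no stored copy (first run; copy taken now),
# 2 = changed since the stored copy (differences printed).
# Only the copy in STATE_DIR is compared; a "passwd-" backup in /etc is ignored.
check_file() {
    live="$1"
    copy="$STATE_DIR/$(basename "$live")"
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
    if [ ! -f "$copy" ]; then
        echo "Warning: no stored copy of $live found; taking one now"
        cp -p "$live" "$copy" && chmod 600 "$copy"
        return 1
    fi
    if cmp -s "$copy" "$live"; then
        return 0
    fi
    echo "Warning: $live has changed since the stored copy:"
    # '<' lines are entries in the stored copy, '>' lines are new in the live file
    diff "$copy" "$live" | grep '^[<>]' || true
    return 2
}

# accept_file <live file>
# After a legitimate edit, make the current contents the new baseline.
accept_file() {
    cp -p "$1" "$STATE_DIR/$(basename "$1")" && chmod 600 "$STATE_DIR/$(basename "$1")"
}

# check_files <file>... ; e.g. check_files /etc/passwd /etc/group
# Returns the worst status seen across all files.
check_files() {
    worst=0
    for f in "$@"; do
        st=0
        check_file "$f" || st=$?
        [ "$st" -gt "$worst" ] && worst=$st
    done
    return "$worst"
}
```

Run `check_files /etc/passwd /etc/group` from cron; the first run reports status 1 for each file and later runs stay quiet until an account or group line actually changes.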