rkhunter Question.

[Gene Heskett]

On Sunday 11 January 2009, Kevin Fenzi wrote:
>On Thu, 08 Jan 2009 20:29:49 +0000
>
>John Horne <john.horne at plymouth.ac.uk> wrote:
>> On Thu, 2009-01-08 at 15:22 -0500, Gene Heskett wrote:
>> > On Thursday 08 January 2009, John Horne wrote:
>
>...snip...
>
>> > Should the rpm installer have over written them?  I dunno, there
>> > could be problems intro'd either way in this case.
>>
>> The rkhunter installer will not overwrite anything in /etc. The copies
>> it takes of the files are for its own use and put into a separate
>> secure directory. It is those files it looks for.
>>
>> Looking at the rkhunter 1.3.2 rpm spec file (as used for the Fedora
>> package), it does not seem to take an initial copy of the files. So
>> that would explain why you got the initial warning. However, as has
>> already been replied, the spec file for 1.3.4 FC10 does do this
>> initial copy (although I cannot personally verify that).
>
>Nope. Neither one does that. You need to run 'rkhunter --propupd' to
>get it to make copies of passwd/shadow and save file properties.
>
>The reason for that is that the package can't know anything about how
>much you trust your current install when it's installed. It's up to you
>to run the --propupd and tell it that you think the system is clean and
>that everything should be saved.
>
>> John.
>
>kevin

At the time I posted the original message, I had already done that with 1.3.2, 
so I built 1.3.4, which did apparently do that properly when that operation 
was repeated.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Depart not from the path which fate has assigned you.