Hi,
I am in the process of getting a better understanding of securing a Linux system based on what is installed.
I started with rkhunter, setting it to use rpm for package verification. This was done on a fresh installation that had only been updated a few secs before I ran the commands listed below.
To start, rkhunter was letting me know that rpm was having some issues verifying the files.
Sample of what the full log entry looks like
Code:
[14:05:27] /usr/bin/basename [ Warning ]
[14:05:27] Warning: Package manager verification has failed:
[14:05:27] File: /usr/bin/basename
[14:05:27] Try running the command 'prelink /usr/bin/basename' to resolve dependency errors.
[14:05:27] The file hash value has changed
[14:05:27] The file size has changed
[14:05:27] /usr/bin/bash [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28] File: /usr/bin/bash
[14:05:28] Try running the command 'prelink /usr/bin/bash' to resolve dependency errors.
[14:05:28] The file hash value has changed
[14:05:28] The file size has changed
[14:05:28] /usr/bin/cat [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28] File: /usr/bin/cat
[14:05:28] Try running the command 'prelink /usr/bin/cat' to resolve dependency errors.
[14:05:28] The file hash value has changed
[14:05:28] The file size has changed
[14:05:28] /usr/bin/chattr [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28] File: /usr/bin/chattr
[14:05:28] Try running the command 'prelink /usr/bin/chattr' to resolve dependency errors.
Full list of files shown affected in the manner listed above
Code:
[14:05:27] /usr/bin/basename [ Warning ]
[14:05:27] /usr/bin/bash [ Warning ]
[14:05:28] /usr/bin/cat [ Warning ]
[14:05:28] /usr/bin/chattr [ Warning ]
[14:05:29] /usr/bin/chmod [ Warning ]
[14:05:30] /usr/bin/chown [ Warning ]
[14:05:30] /usr/bin/cp [ Warning ]
[14:05:31] /usr/bin/cut [ Warning ]
[14:05:31] /usr/bin/date [ Warning ]
[14:05:32] /usr/bin/df [ Warning ]
[14:05:33] /usr/bin/dirname [ Warning ]
[14:05:34] /usr/bin/du [ Warning ]
[14:05:34] /usr/bin/echo [ Warning ]
[14:05:35] /usr/bin/env [ Warning ]
[14:05:36] /usr/bin/groups [ Warning ]
[14:05:37] /usr/bin/head [ Warning ]
[14:05:37] /usr/bin/id [ Warning ]
[14:05:38] /usr/bin/killall [ Warning ]
[14:05:39] /usr/bin/less [ Warning ]
[14:05:39] /usr/bin/ls [ Warning ]
[14:05:40] /usr/bin/lsattr [ Warning ]
[14:05:40] /usr/bin/md5sum [ Warning ]
[14:05:41] /usr/bin/mktemp [ Warning ]
[14:05:42] /usr/bin/mv [ Warning ]
[14:05:43] /usr/bin/pstree [ Warning ]
[14:05:44] /usr/bin/pwd [ Warning ]
[14:05:45] /usr/bin/readlink [ Warning ]
[14:05:46] /usr/bin/runcon [ Warning ]
[14:05:46] /usr/bin/sha1sum [ Warning ]
[14:05:47] /usr/bin/sha224sum [ Warning ]
[14:05:48] /usr/bin/sha256sum [ Warning ]
[14:05:48] /usr/bin/sha384sum [ Warning ]
[14:05:49] /usr/bin/sha512sum [ Warning ]
[14:05:50] /usr/bin/sort [ Warning ]
[14:05:50] /usr/bin/stat [ Warning ]
[14:05:51] /usr/bin/tail [ Warning ]
[14:05:52] /usr/bin/test [ Warning ]
[14:05:52] /usr/bin/touch [ Warning ]
[14:05:53] /usr/bin/tr [ Warning ]
[14:05:54] /usr/bin/uname [ Warning ]
[14:05:54] /usr/bin/uniq [ Warning ]
[14:05:55] /usr/bin/users [ Warning ]
[14:05:56] /usr/bin/wc [ Warning ]
[14:05:56] /usr/bin/which [ Warning ]
[14:05:57] /usr/bin/who [ Warning ]
[14:05:57] /usr/bin/whoami [ Warning ]
[14:05:58] /usr/bin/gawk [ Warning ]
[14:06:00] /usr/sbin/chroot [ Warning ]
[14:06:03] /usr/sbin/lsof [ Warning ]
Seeing the above, I wanted to see what rpm was reporting. Being that this was a new installation, it seemed like possible false positives. That said, I grabbed a few of the above files to see what was going on.
In short, I cannot really figure out what's going on. Yet. Any ideas?
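An added example, not part of the original post: a small parser for the rkhunter log format quoted above that collects, per flagged file, whether the prelink hint was printed and which change reasons were logged, then groups files by that signature so any file that differs from the rest stands out. The function names and the sample text (including the `[ OK ]` line) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log excerpt above (the "[ OK ]" line is constructed).
SAMPLE_LOG = """\
[14:05:27] /usr/bin/basename [ Warning ]
[14:05:27] Warning: Package manager verification has failed:
[14:05:27] File: /usr/bin/basename
[14:05:27] Try running the command 'prelink /usr/bin/basename' to resolve dependency errors.
[14:05:27] The file hash value has changed
[14:05:27] The file size has changed
[14:05:28] /usr/bin/awk [ OK ]
[14:05:28] /usr/bin/chattr [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28] File: /usr/bin/chattr
[14:05:28] Try running the command 'prelink /usr/bin/chattr' to resolve dependency errors.
"""

LINE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s+(.*?)\s*$")
STATUS = re.compile(r"^(/\S+)\s+\[ (.+?) \]$")

def parse_warnings(text):
    """Map each file flagged [ Warning ] to the detail lines logged under it."""
    records, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not a timestamped log line
        msg = m.group(1)
        s = STATUS.match(msg)
        if s:                             # a per-file result line starts a new record
            path, status = s.groups()
            if status == "Warning":
                current = records.setdefault(path, {"prelink_hint": False, "reasons": []})
            else:
                current = None            # details must not attach to a non-warning file
        elif current is not None:
            if msg.startswith("Try running the command 'prelink "):
                current["prelink_hint"] = True
            elif msg.startswith("The file "):
                current["reasons"].append(msg)
    return records

def group_by_signature(records):
    """Group files by (prelink hint, sorted reasons) so outliers stand out."""
    groups = defaultdict(list)
    for path, rec in records.items():
        groups[(rec["prelink_hint"], tuple(sorted(rec["reasons"])))].append(path)
    return dict(groups)
```

Calling `group_by_signature(parse_warnings(open(path).read()))` on a saved rkhunter log gives one entry per distinct warning pattern, which can then be compared file by file against the package manager's own verification output.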