LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Rkhunter warnings. (http://www.linuxquestions.org/questions/slackware-14/rkhunter-warnings-904911/)

scam 09-25-2011 08:58 AM

Rkhunter warnings.
 
Hi all, I use rkhunter and I'm getting these warning on commands ..adduser,ldd and whereis and was wondering if this is normal for Slackware. I use rkhunter on FreeBSD and don't get these warnings, this happens even with a fresh install of Slackware. Wondered if anyone else get the same warnings as I do....

http://pastebin.com/0nXQNUNB

hua 09-25-2011 09:20 AM

I get the same warnings on every Slackware installation. I cannot remember the exact cause but it has something to do with the modifications of those files. When you are performing system updates or other system maintenance you modify some of those files (or its properties). After this (you actually don't know what is modified) you confirm that those modifications are something that you know about. Then you use the rkhunter --propund to update this information.
From man:
Quote:

rkhunter --propupd [{filename | directory | package name},...]
One of the checks rkhunter performs is to compare various current file properties of various
commands, against those it has previously stored. This command option causes rkhunter to
update its data file of stored values with the current values.
...
It is the users responsibility to ensure that the files on the system are genuine
and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.
EDITED:
OK, here are some new results. There are these warnings in new Slackware installation:
Allow the specified commands to be scripts:
Quote:

/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis
It looks like these files are not usual binary executable files but some script like files.
Solution:
Quote:

SCRIPTWHITELIST="/usr/sbin/adduser /usr/bin/ldd /usr/bin/whatis"
rkhunter.conf file modification. Since you change the configuration file.
Solution:
Quote:

rkhunter --propupd
SSH root login allowed, week SSH protocol Version1 allowed.
Solution: in /etc/sshd_config
Quote:

Protocol 2
PermitRootLogin=no
Hidden directory in /dev/.udev.
Solution: Whitelist in rkhunter.conf
Quote:

ALLOWHIDDENDIR="/dev/.udev"
Application version checks. Depends on Slackware version.
Solution: either upgrade the listed applications (or OS) or whitelist them.
Quote:

APP_WHITELIST="gpg sshd"
I think thats all.

scam 09-26-2011 11:30 AM

Thanks hua, that solved it.. Don't know if anyone uses chkrootkit, but I haven't noticed an update like rkhunter(rkhunter --update).


All times are GMT -5. The time now is 03:26 AM.