I get the same warnings on every Slackware installation. I cannot remember the exact cause, but it has something to do with modifications of those files. When you are performing system updates or other system maintenance, you modify some of those files (or their properties). After this (you actually don't know what is modified) you confirm that those modifications are something that you know about. Then you use rkhunter --propupd to update this information.
From man:
Quote:
rkhunter --propupd [{filename | directory | package name},...]
One of the checks rkhunter performs is to compare various current file properties of various
commands, against those it has previously stored. This command option causes rkhunter to
update its data file of stored values with the current values.
...
It is the users responsibility to ensure that the files on the system are genuine
and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.
EDITED:
OK, here are some new results. There are these warnings in new Slackware installation:
Allow the specified commands to be scripts:
Quote:
/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis
It looks like these files are not usual binary executable files but some script like files.
Solution:
Quote:
SCRIPTWHITELIST="/usr/sbin/adduser /usr/bin/ldd /usr/bin/whatis"
rkhunter.conf file modification. Since you change the configuration file.
Solution:
SSH root login allowed, weak SSH protocol version 1 allowed.
Solution: in /etc/sshd_config
Quote:
Protocol 2
PermitRootLogin=no
Hidden directory in /dev/.udev.
Solution: Whitelist in rkhunter.conf
Quote:
ALLOWHIDDENDIR="/dev/.udev"
Application version checks. Depends on Slackware version.
Solution: either upgrade the listed applications (or OS) or whitelist them.
I think that's all.
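
An added example, not part of the post above and not rkhunter's own code: a small shell check for the two SSH settings named in the post, which can be run against the sshd configuration file after editing it. It goes slightly beyond the post by accepting both `Keyword value` and `Keyword=value`, ignoring keyword case, using the first occurrence of a keyword and stopping at the first `Match` block. Treating an unset keyword as a finding is an assumption made here, and `check_sshd_config` is a hypothetical name.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file for
# PermitRootLogin and Protocol. Include directives are not followed.
# Prints one line per finding; returns 0 when clean, 1 when there are findings.
check_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)               # separator: whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        if (key == "match") exit                # conditional blocks not evaluated
        if (!(key in conf)) conf[key] = tolower(val)   # first occurrence wins
    }
    END {
        bad = 0
        # Assumption: an unset keyword is reported, since the default
        # depends on the installed sshd version.
        if (!("permitrootlogin" in conf)) {
            print "PermitRootLogin not set: the sshd default applies"; bad = 1
        } else if (conf["permitrootlogin"] != "no") {
            print "PermitRootLogin is \"" conf["permitrootlogin"] "\", expected \"no\""; bad = 1
        }
        if (!("protocol" in conf)) {
            print "Protocol not set: the sshd default applies"; bad = 1
        } else if (conf["protocol"] ~ /(^|,)1(,|$)/) {
            print "Protocol \"" conf["protocol"] "\" allows version 1"; bad = 1
        }
        exit bad
    }' "$1"
}

# With no argument, run on a constructed sample; otherwise check the given file.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' '#PermitRootLogin no' 'protocol 2,1' 'PermitRootLogin yes' > "$sample"
    check_sshd_config "$sample" || echo "findings reported for constructed sample"
    rm -f "$sample"
else
    check_sshd_config "$1"
fi
```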