LinuxQuestions.org, Linux - Security forum
Thread: rkhunter warnings - Should I be concerned and if so how do I fix this? (https://www.linuxquestions.org/questions/linux-security-4/rkhunter-warnings-should-i-be-concerned-and-if-so-how-so-i-fix-this-4175557535/)

rbheiss 10-29-2015 11:37 PM

rkhunter warnings - Should I be concerned and if so how do I fix this?
 
I just downloaded and ran rkhunter on OpenSuse 13.2 in the XFCE desktop and got these warning messages:

Checking for prerequisites [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/bin/chkconfig [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/fgrep [ Warning ]
/usr/bin/ldd [ Warning ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Warning ]
Checking for hidden files and directories [ Warning ]

Am I screwed or how can I fix the problems claimed to be affecting my system? I'm pretty new to Linux these days. I remember the old days prior to Slackware but it's all new to me again with modern twists because I got lazy and used Windows too long. Heck, I started on Plato back in 1973 and so much has changed!

Any help for a 50 year young guy would be appreciated!

Thanks,

Rolland

John VV 10-30-2015 02:02 AM

Quote:

I just downloaded and ran rkhunter
so you did not use the version that is already in the suse repos

Code:

zypper se rkhunter

Loading repository data...
Reading installed packages...

S | Name    | Summary                                                          | Type 
--+----------+------------------------------------------------------------------+--------
 i | rkhunter | Rootkit Hunter Scans for Rootkits, Backdoors, and Local Exploits | package

did you read the manual?
Code:

man rkhunter
did you read the openSUSE wiki page?
https://en.opensuse.org/Rootkit_Hunter
did you set up the database and then run an "update" to update the rules?

Code:

su -
rkhunter --propupd --pkgmgr rpm

rkhunter --update


rbheiss 10-30-2015 07:29 AM

Quote:

Originally Posted by John VV (Post 5442201)
so you did not use the version that is already in the suse repos

Thanks for your helpful reply John. No, I didn't use the version already in the repos at first. I tried to install it from the web but the install failed. It was only then that I searched for the program in the SUSE repos and installed it from there.

Take care,

Rolland

salasi 10-30-2015 09:53 AM

I had expected something more, well, verbose from Rkhunter; are you sure that is all the detail it provided, and have you turned the verbosity up to maximum (whatever that takes)? Anyway...

Quote:

I just downloaded and ran rkhunter on OpenSuse 13.2....
First problem (and it's not your problem): If you want to be that little bit paranoid about security - and you should - you should really run Rkh before doing anything else. Given that it isn't on the openSUSE install disk (last time I checked), you can't; you have to connect to the network, and you have to grab it via Yast/Zypper, etc.

This is important because you want to run it on a pristine, clean, system before making any updates, and use that as a reference (the appropriate switch is documented in the man page). This reference is then used to say 'if there are any changes - deltas to the original reference system - have they occurred as a result of deliberate, known, explicitly requested, updates, or is there some unknown thing causing them?' If answer = 'unknown thing', then worry.

If there is any chance that someone makes a change before you capture the reference state, then that is bad, as that change will be under the radar, for all time (or, at least, 'till a re-install). This is why getting that snapshot early is vital. And that's what I need to complain to them about.

(After that, when you make a deliberate update, that changes the reference system, but you capture a new reference state, but only when you have made sure that you understand what has gone on.)

OK, that said...

Quote:

Checking for prerequisites [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/bin/chkconfig [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/fgrep [ Warning ]
/usr/bin/ldd [ Warning ]
Is that all the detail that you've got? ifup is probably called out because either
  • you are using nm/wicd in its stead
  • you have a link to ifup
Both of which could be suspicious, but practically aren't (assuming that you know what is going on, and it is all deliberate on your part).

I think egrep/fgrep and ldd are used by Rkh, and it is a link to those (which could be misdirection to a 'tricked up' executable that does something bad) which is causing suspicion. Check any link points to a sensible place, and that the executable there is the one known to, e.g., yast. Anything else would trigger real suspicions. (Although there is a 'brute force and ignorance' way of dealing with this, which is to use, e.g., Yast to overwrite these executables and ensure that the location that Yast has just used is the one pointed to by the links. Not a pretty way of dealing with it, but at least you are sure...or sure-ish.)

Quote:

Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
You have probably added a user or changed a password. Not a problem if you can pinpoint the exact action that caused it, otherwise suspicious.

Quote:

Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
If you don't need ssh, disable it. If you do
  • root ssh is dangerous and unnecessary; disable
  • ssh protocol v1 is obsolete and buggy (vulnerable) and can be disabled in the config file; I can't see any reason for not disabling V1, these days, and would be a bit surprised if V1 = disabled (or whatever the exact invocation is) isn't the openSUSE default

Quote:

Checking for running syslog daemon [ Warning ]
Checking for hidden files and directories [ Warning ]
Would need more detail, but I have a suspicion that the syslog daemon thing may be due to the changes (various things change names) with systemd. The hidden files and directories; well, it is absolutely normal for there to be some, so you'd have to review exactly what it found suspicious in order to progress from there (inevitably, there will be a big list, to most of which you will respond 'Of course!', but are there any others? Are there unexplained ones?)
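A triage helper for the warnings salasi walks through above, as an added example that is not part of the thread: it resolves each warned path (symlink target, script-versus-binary, rpm ownership and verification) and maps the two SSH warnings to the sshd_config fixes. The rpm commands and the /etc/ssh/sshd_config path are assumptions about an openSUSE box; the list of warned paths comes from the first post.

```shell
#!/bin/sh
# Added triage helper for the rkhunter warnings discussed above (not from the
# thread). Assumes POSIX sh with readlink -f; rpm is used only if present.

# For one warned path: is it a symlink, where does it resolve, is the file there
# a script rather than a binary, and does the package manager still vouch for it?
check_path() {
    p=$1
    if [ -L "$p" ]; then
        target=$(readlink -f "$p")
        echo "$p: symlink to $target"
    else
        target=$p
        echo "$p: regular file"
    fi
    if [ "$(head -c 2 "$target" 2>/dev/null)" = "#!" ]; then
        echo "  $target is a script, not a compiled binary"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$target" 2>/dev/null || echo "  not owned by any rpm package"
        rpm -Vf "$target" && echo "  rpm -Vf: contents unchanged" || echo "  rpm -Vf: differences listed above"
    fi
}

# Effective value of an sshd_config directive: sshd takes the first uncommented
# match; prints "(unset)" when the file does not mention it.
sshd_value() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null | head -n 1 | awk '{print $2}')
    echo "${val:-(unset)}"
}

# Map the two SSH warnings to fixes. Returns 0 when both settings are safe.
ssh_is_hardened() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    proto=$(sshd_value "$1" Protocol)
    case "$root" in
        [Nn][Oo]) ;;
        "(unset)") echo "PermitRootLogin not set: add 'PermitRootLogin no'"; rc=1 ;;
        *) echo "PermitRootLogin is '$root': change it to 'no'"; rc=1 ;;
    esac
    case "$proto" in
        *1*) echo "Protocol '$proto' allows SSH-1: set 'Protocol 2'"; rc=1 ;;
    esac
    return $rc
}

# Usage (as root, paths from the first post; sshd_config path is an assumption):
#   for p in /usr/sbin/ifup /usr/bin/chkconfig /usr/bin/egrep /usr/bin/fgrep /usr/bin/ldd; do check_path "$p"; done
#   ssh_is_hardened /etc/ssh/sshd_config
```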

Habitual 10-30-2015 11:10 AM

What you should be concerned about is clearly identified in /var/log/rkhunter.log
Have a look.

unSpawn 10-31-2015 06:41 AM

Quote:

Originally Posted by rbheiss (Post 5442173)
I'm pretty new to Linux these days. I remember the old days (..) so much has changed!

Next to what Habitual pointed to, one thing that hasn't changed since the old days is the power of documentation: the README and FAQ will point you to most things you want to know about and where you can find more info.

