Re: rkhunter Question.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 16 January 2009, Paulo Cavalcanti wrote:
>On Sun, Jan 11, 2009 at 4:06 PM, Gene Heskett 
<gene.heskett@xxxxxxxxxxx>wrote:
>> On Sunday 11 January 2009, Kevin Fenzi wrote:
>> >On Thu, 08 Jan 2009 20:29:49 +0000
>> >
>> >John Horne <john.horne@xxxxxxxxxxxxxx> wrote:
>> >> On Thu, 2009-01-08 at 15:22 -0500, Gene Heskett wrote:
>> >> > On Thursday 08 January 2009, John Horne wrote:
>> >
>> >...snip...
>> >
>> >> > Should the rpm installer have over written them?  I dunno, there
>> >> > could be problems intro'd either way in this case.
>> >>
>> >> The rkhunter installer will not overwrite anything in /etc. The copies
>> >> it takes of the files are for its own use and put into a separate
>> >> secure directory. It is those files it looks for.
>> >>
>> >> Looking at the rkhunter 1.3.2 rpm spec file (as used for the Fedora
>> >> package), it does not seem to take an initial copy of the files. So
>> >> that would explain why you got the initial warning. However, as has
>> >> already been replied, the spec file for 1.3.4 FC10 does do this
>> >> initial copy (although I cannot personally verify that).
>> >
>> >Nope. Neither one does that. You need to run 'rkhunter --propupd' to
>> >get it to make copies of passwd/shadow and save file properties.
>> >
>> >The reason for that is that the package can't know anything about how
>> >much you trust your current install when it's installed. It's up to you
>> >to run the --propupd and tell it that you think the system is clean and
>> >that everything should be saved.
>> >
>> >> John.
>> >
>> >kevin
>>
>> At the time I posted the original message, I had already done that with
>> 1.3.2,
>> so I built 1.3.4, which did apparently do that properly when that
>> operation was repeated.
>
>I have run rkhunter --propupd many times, I do have  a copy of group and
>passwd
>in /var/run/rkhunter, but I always receive an email saying that there is no
>copy
>of group and passwd. Upgrading to 1.3.4 did not change anything. This
>happens on every computer I have rkhunter installed.

It is running here, silently. I added the two files it thought were funkity to 
the config and haven't had a message from it since.  And I did have the - 
copies in /etc.

I think it was these two it was fussing about:
/var/lib/rkhunter/tmp/group
/var/lib/rkhunter/tmp/passwd
But they weren't created till I did the -propupd with 1.3.4.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Zoe: "Sir, I think you have a problem with your brain being missing."
				--Episode #2, "The Train Job"

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux