Re: rkhunter warnings, maybe yum issues?

On Wed, 2014-01-29 at 20:17 -0500, William wrote:
> 
> I don't know if these are properly rkhunter questions, yum questions, or 
> F-20 questions, so I'm posting to both lists.
> 
> Last Monday, I updated my 64-bit system from Fedora-19 to Fedora-20.  
> Several minutes ago, I updated Fedora-20 by doing "yum update".  I then 
> did "rkhunter --update", and then "rkhunter --check".  I'm getting a lot 
> of issues.
> 
> 1. I get these messages in the rkhunter log:
> 
> [18:55:34] Info: The command 'rpm -qf --queryformat... 
> /usr/sbin/chkconfig' gave error code 1.
>
This means that when rkhunter (RKH) uses the 'rpm' command to check a
package it is getting an error back. All it can do is log the problem.
If you run something like 'rpm -V chkconfig' then you will probably get
an error - that is what RKH is seeing.

> 2. I get this warning in the rkhunter log:
> 
> [18:55:49]   /usr/bin/curl                                   [ Warning ]
> [18:55:49] Warning: Package manager verification has failed:
> [18:55:49]          File: /usr/bin/curl
> [18:55:49]          Try running the command 'prelink /usr/bin/curl' to 
> resolve dependency errors.
> [18:55:49]          The file hash value has changed
> [18:55:49]          The file size has changed
> 
> The warning gives me the immediate fix, and it works.  But the problem 
> recurs after almost every "yum update" (both under F-19, and since 
> updating to F-20), though not on the same packages each time. What's the 
> real problem?  Is there something yum should be doing, but isn't?  Is 
> there something I should be doing, but I don't know it?
> 
The problem here is prelinking. It will change file properties when it
runs, but RKH tries to detect this and so obtain the true values for
each file (either by using the rpm package manager or using the prelink
command to verify the file). In some cases a dependency the file has
has changed. Again, RKH cannot do anything about that, but suggests
running the prelink command. If it is occurring a lot with different
files, then you can try running 'prelink -qa', 'prelink -fa' or just
wait for the regular prelink cron job to run when it should sort out
prelinking problems. However, when I last looked the job ran about once
every two weeks :-)

> 3. Since updating to F-20, I'm seeing this warning:
> 
> [18:56:18]
> [18:56:18] Checking for GasKit Rootkit...
> [18:56:18]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
> [18:56:18]   Checking for directory '/dev/dev'               [ Found ]
> [18:56:18]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
> [18:56:18]   Checking for directory '/dev/dev/gaskit/sshd'   [ Not found ]
> [18:56:18] Warning: GasKit Rootkit                           [ Warning ]
> [18:56:18]          Directory '/dev/dev' found
> [18:56:18]
> 
It's a bug in F20 with the 'dracut' package, the '/dev/dev' directory is
created by mistake (see
https://bugzilla.redhat.com/show_bug.cgi?id=1045116). I got the same
problem. There is a fix, or you could wait for an update to the package.
You can whitelist this in your RKH config file (see RTKT_DIR_WHITELIST).




John.

-- 
----------------------------------------------------
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
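An added example, not from John's reply or from the rkhunter project: a small triage script in the shell the thread's commands are typed into. It runs over constructed rkhunter log lines modelled on the ones William quoted and separates verification failures that rkhunter itself attributes to prelink from failures with no such hint, and pulls out rootkit-directory hits that are candidates for RTKT_DIR_WHITELIST. The sample log, the helper name rkh_triage and the tags it prints are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of rkhunter log lines,
# modelled on the ones quoted above (two verification failures, one rootkit check).
RKH_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$RKH_SAMPLE_LOG"' EXIT
cat > "$RKH_SAMPLE_LOG" <<'EOF'
[18:55:49]   /usr/bin/curl                                   [ Warning ]
[18:55:49] Warning: Package manager verification has failed:
[18:55:49]          File: /usr/bin/curl
[18:55:49]          Try running the command 'prelink /usr/bin/curl' to resolve dependency errors.
[18:55:49]          The file hash value has changed
[18:55:49]          The file size has changed
[18:55:50]   /usr/bin/ssh                                    [ Warning ]
[18:55:50] Warning: Package manager verification has failed:
[18:55:50]          File: /usr/bin/ssh
[18:55:50]          The file hash value has changed
[18:56:18] Warning: GasKit Rootkit                           [ Warning ]
[18:56:18]          Directory '/dev/dev' found
EOF

# rkh_triage LOGFILE (hypothetical helper): prints one tagged line per finding.
#   PRELINK <file>      verification failed and rkhunter itself pointed at prelink;
#                       re-run prelink on the file (or 'prelink -fa') and re-check
#   INVESTIGATE <file>  verification failed with no prelink hint; compare against
#                       the package ('rpm -V <pkg>') before trusting the binary
#   RTKT_DIR <dir>      a rootkit-check directory exists; if it is a known false
#                       positive (F20's /dev/dev) add it to RTKT_DIR_WHITELIST
rkh_triage() {
    awk '
      function emit() {
          if (inwarn && f != "") { tag = hinted ? "PRELINK " : "INVESTIGATE "; print tag f }
          inwarn = 0
      }
      /Package manager verification has failed/ { emit(); inwarn = 1; f = ""; hinted = 0; next }
      inwarn && /File: /            { sub(/.*File: /, ""); f = $0; next }
      inwarn && /command .prelink / { hinted = 1; next }
      /^\[[0-9:]+\] +\//            { emit() }   # next per-file result line
      /Warning: .*Rootkit/          { emit() }   # start of a rootkit check block
      /Directory .* found/          { d = $(NF-1); print "RTKT_DIR " substr(d, 2, length(d) - 2) }
      END { emit() }
    ' "$1"
}

rkh_triage "$RKH_SAMPLE_LOG"
```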




