On Wed, 2014-01-29 at 20:17 -0500, William wrote:
>
> I don't know if these are properly rkhunter questions, yum questions, or
> F-20 questions, so I'm posting to both lists.
>
> Last Monday, I updated my 64-bit system from Fedora-19 to Fedora-20.
> Several minutes ago, I updated Fedora-20 by doing "yum update". I then
> did "rkhunter --update", and then "rkhunter --check". I'm getting a lot
> of issues.
>
> 1. I get these messages in the rkhunter log:
>
> [18:55:34] Info: The command 'rpm -qf --queryformat...
> /usr/sbin/chkconfig' gave error code 1.
>

This means that when rkhunter (RKH) uses the 'rpm' command to check a
package it is getting an error back. All it can do is log the problem.
If you run something like 'rpm -V chkconfig' then you will probably get
an error - that is what RKH is seeing.

> 2. I get this warning in the rkhunter log:
>
> [18:55:49] /usr/bin/curl [ Warning ]
> [18:55:49] Warning: Package manager verification has failed:
> [18:55:49] File: /usr/bin/curl
> [18:55:49] Try running the command 'prelink /usr/bin/curl' to
> resolve dependency errors.
> [18:55:49] The file hash value has changed
> [18:55:49] The file size has changed
>
> The warning gives me the immediate fix, and it works. But the problem
> recurs after almost every "yum update" (both under F-19, and since
> updating to F-20), though not on the same packages each time. What's the
> real problem? Is there something yum should be doing, but isn't? Is
> there something I should be doing, but I don't know it?
>

The problem here is prelinking. It will change file properties when it
runs, but RKH tries to detect this and so obtain the true values for
each file (either by using the rpm package manager or using the prelink
command to verify the file). In some cases a dependency the file has,
has changed. Again, RKH cannot do anything about that, but suggests
running the prelink command.
If it is occurring a lot with different files, then you can try running
'prelink -qa', 'prelink -fa' or just wait for the regular prelink cron
job to run when it should sort out prelinking problems. However, when I
last looked the job ran about once every two weeks :-)

> 3. Since updating to F-20, I'm seeing this warning:
>
> [18:56:18]
> [18:56:18] Checking for GasKit Rootkit...
> [18:56:18] Checking for file '/dev/dev/gaskit/sshd/sshdd' [ Not found ]
> [18:56:18] Checking for directory '/dev/dev' [ Found ]
> [18:56:18] Checking for directory '/dev/dev/gaskit' [ Not found ]
> [18:56:18] Checking for directory '/dev/dev/gaskit/sshd' [ Not found ]
> [18:56:18] Warning: GasKit Rootkit [ Warning ]
> [18:56:18] Directory '/dev/dev' found
> [18:56:18]
>

It's a bug in F20 with the 'dracut' package; the '/dev/dev' directory is
created by mistake (see https://bugzilla.redhat.com/show_bug.cgi?id=1045116).
I got the same problem. There is a fix, or you could wait for an update
to the package. You can whitelist this in your RKH config file (see
RTKT_DIR_WHITELIST).

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
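
A triage helper for the two kinds of warning discussed in this thread, as an added example that is not part of the original emails or of rkhunter itself: it separates package-verification failures where rkhunter suggested prelink from those without that hint, and lists directories flagged by rootkit checks. The function names, output tags and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, modelled on the log excerpts quoted in the thread.
sample_log() {
cat <<'EOF'
[18:55:49] /usr/bin/curl [ Warning ]
[18:55:49] Warning: Package manager verification has failed:
[18:55:49]          File: /usr/bin/curl
[18:55:49]          Try running the command 'prelink /usr/bin/curl' to resolve dependency errors.
[18:55:49]          The file hash value has changed
[18:55:49]          The file size has changed
[18:56:18]   Checking for directory '/dev/dev' [ Found ]
[18:56:18] Warning: GasKit Rootkit [ Warning ]
[18:56:18]          Directory '/dev/dev' found
EOF
}

# rkh_triage (hypothetical helper): reads an rkhunter log on stdin and prints
#   PRELINK <file>  verification failed and rkhunter suggested running prelink
#   PKGFAIL <file>  verification failed with no prelink hint: investigate first
#   RTKTDIR <dir>   directory flagged by a rootkit check; a candidate for
#                   RTKT_DIR_WHITELIST only once the cause is known
rkh_triage() {
  awk -v q="'" '
    function emit(   tag) {
      if (inpkg && file != "") {
        tag = hint ? "PRELINK" : "PKGFAIL"
        print tag, file
      }
      inpkg = 0; hint = 0; file = ""
    }
    { sub(/^\[[0-9:]+\][ \t]*/, "") }          # strip timestamp and indent
    /^Warning: Package manager verification has failed/ { emit(); inpkg = 1; next }
    inpkg && /^File: /                            { file = substr($0, 7); next }
    inpkg && /^Try running the command .prelink / { hint = 1; next }
    inpkg && /^The file .* has changed/           { next }
    { emit() }                                    # any other line ends the block
    index($0, "Directory " q) == 1 && /found$/    { split($0, p, q); print "RTKTDIR", p[2] }
    END { emit() }
  '
}

sample_log | rkh_triage
```

On a live system the same function can be fed the real log, for example `rkh_triage < /var/log/rkhunter.log` if that is where your installation writes it.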