rkhunter Warnings [SOLVED]

ajgringo619
Level 4
Posts: 296
Joined: Thu Mar 01, 2018 8:36 pm
Location: San Diego, California

rkhunter Warnings [SOLVED]

Post by ajgringo619 » Mon Aug 13, 2018 4:32 pm

Got a bunch (100+) of these on different files - should I be worried?

Code:

[13:25:50] Warning: The file properties have changed:
[13:25:50]          File: /usr/sbin/usermod
[13:25:50]          Current inode: 12603    Stored inode: 26223246
Never mind - needed to update the rkhunter database.
[Mint 19 XFCE, AMD FX-8350 Eight-Core w/16 GB RAM, 4.15.0-34-generic, Nvidia 396.54/GeForce GTX 960]

karlchen
Level 19
Posts: 9190
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: rkhunter Warnings [SOLVED]

Post by karlchen » Mon Aug 13, 2018 7:00 pm

So you have executed the terminal command

Code:

sudo rkhunter --propupd
Thereby you confirm that all differences which rkhunter has detected between the previous run and the current run are all right and no cause for alarm.

For those users who are not well acquainted with how rkhunter works, but who would like to know, here is the section about --propupd from man rkhunter:

Code:

man rkhunter
[...]
       --propupd [{filename | directory | package name},...]
              One of the checks rkhunter performs is to compare various current file properties of various commands, against
              those it has previously stored. This command option causes rkhunter to update its data file of stored values with
              the current values.

              If the filename option is used, then it must either be a full pathname, or a plain file name (for example, 'awk').
              When used, then only the entry in the file properties database for that file will be updated. If the directory
              option is used, then only those files listed in the database that are in the given directory will be updated.
              Similarly, if the package name option is used, then only those files in the database which are part of the specified
              package will be updated. The package name must be the base part of the name, no version numbers should be included
              - for example, 'coreutils'. Package names will, of course, only be stored in the file properties database if a
              package manager is being used. If a package name is the same as a file name - for example, 'file' could refer to
              the 'file' command or to the RPM 'file' package (which contains the 'file' command) - the package name will be
              used. If no specific option is given, then the entire database is updated.

              WARNING: It is the users responsibility to ensure that the files on the system are genuine and from a reliable
              source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file
              has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.
The paragraph which should be taken into account before executing sudo rkhunter --propupd is the last paragraph, the WARNING.

If you blindly run sudo rkhunter --propupd whenever rkhunter has detected changes between the previous run and the current run, then you do not need to execute rkhunter at all. :wink:
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room
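As an added example that is not part of the thread (and not rkhunter's own code): a POSIX shell script that does the check the WARNING asks for before --propupd is run, by mapping each flagged path to its owning Debian package and verifying that package's installed files. It assumes the default log path /var/log/rkhunter.log and embeds a constructed log sample in the format shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: triage rkhunter "file properties have changed"
# warnings before accepting them with --propupd. A package upgrade replaces a binary
# and so changes its inode, which is the usual benign explanation; so each flagged path
# is mapped to its owning package (dpkg -S) and that package's md5sums are checked (dpkg -V).
RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}   # rkhunter's default log file (assumption)

# Constructed sample in the format shown in the thread, used when no readable log exists.
SAMPLE_LOG='[13:25:50] Warning: The file properties have changed:
[13:25:50]          File: /usr/sbin/usermod
[13:25:50]          Current inode: 12603    Stored inode: 26223246
[13:25:51] Warning: The file properties have changed:
[13:25:51]          File: /usr/bin/awk
[13:25:51]          Current hash: 0123abcd    Stored hash: 89efcdab
[13:25:52] Info: checked /usr/bin/ls, no change'

# flagged_files LOGTEXT -> sorted unique paths named right after a "properties have changed" warning
flagged_files() {
    printf '%s\n' "$1" | awk '
        /Warning: The file properties have changed/ { grab = 1; next }
        grab && /File: /  { sub(/.*File: /, ""); print; grab = 0 }
    ' | sort -u
}

# verdict FILE -> "ok PKG", "MISMATCH PKG", "unowned" (no package claims it) or "unknown" (no dpkg)
verdict() {
    f=$1
    command -v dpkg >/dev/null 2>&1 || { echo unknown; return; }
    pkg=$(dpkg -S "$f" 2>/dev/null | grep -v '^diversion' | head -n1 | cut -d: -f1)
    [ -n "$pkg" ] || { echo unowned; return; }
    # dpkg -V prints one line per file whose md5sum differs from the package's; silence means it matches.
    # Caveat: the md5sums list lives on the same disk, so this is a cross-check, not proof of integrity.
    if dpkg -V "$pkg" 2>/dev/null | grep -q " $f\$"; then
        echo "MISMATCH $pkg"
    else
        echo "ok $pkg"
    fi
}

main() {
    if [ -r "$RKH_LOG" ]; then log=$(cat "$RKH_LOG"); else log=$SAMPLE_LOG; fi
    flagged_files "$log" | while IFS= read -r f; do
        printf '%-28s %s\n' "$f" "$(verdict "$f")"
    done
    echo "Only run 'sudo rkhunter --propupd' once every line above is 'ok' or otherwise explained."
}
main
```

rkhunter can perform this package-manager cross-check itself when PKGMGR=DPKG is set in rkhunter.conf; the script is for reviewing an existing log by hand.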

ajgringo619
Level 4
Posts: 296
Joined: Thu Mar 01, 2018 8:36 pm
Location: San Diego, California

Re: rkhunter Warnings [SOLVED]

Post by ajgringo619 » Mon Aug 13, 2018 7:29 pm

karlchen wrote:
Mon Aug 13, 2018 7:00 pm
If you blindly run sudo rkhunter --propupd whenever rkhunter has detected changes between the previous run and the current run, then you do not need to execute rkhunter at all. :wink:
Agreed. I did make a cursory check of the updates I've done since I installed Mint 19, but not as thorough as I should have been. Not blind, but maybe a little glassy-eyed. :oops:
[Mint 19 XFCE, AMD FX-8350 Eight-Core w/16 GB RAM, 4.15.0-34-generic, Nvidia 396.54/GeForce GTX 960]
