rkhunter warnings, maybe yum issues?

John Horne john.horne at plymouth.ac.uk
Thu Jan 30 09:50:28 UTC 2014


On Wed, 2014-01-29 at 20:17 -0500, William wrote:
> 
> I don't know if these are properly rkhunter questions, yum questions, or 
> F-20 questions, so I'm posting to both lists.
> 
> Last Monday, I updated my 64-bit system from Fedora-19 to Fedora-20.  
> Several minutes ago, I updated Fedora-20 by doing "yum update".  I then 
> did "rkhunter --update", and then "rkhunter --check".  I'm getting a lot 
> of issues.
> 
> 1. I get these messages in the rkhunter log:
> 
> [18:55:34] Info: The command 'rpm -qf --queryformat... 
> /usr/sbin/chkconfig' gave error code 1.
>
This means that when rkhunter (RKH) uses the 'rpm' command to check a
package it is getting an error back. All it can do is log the problem.
If you run something like 'rpm -V chkconfig' then you will probably get
an error - that is what RKH is seeing.

> 2. I get this warning in the rkhunter log:
> 
> [18:55:49]   /usr/bin/curl                                   [ Warning ]
> [18:55:49] Warning: Package manager verification has failed:
> [18:55:49]          File: /usr/bin/curl
> [18:55:49]          Try running the command 'prelink /usr/bin/curl' to 
> resolve dependency errors.
> [18:55:49]          The file hash value has changed
> [18:55:49]          The file size has changed
> 
> The warning gives me the immediate fix, and it works.  But the problem 
> recurs after almost every "yum update" (both under F-19, and since 
> updating to F-20), though not on the same packages each time. What's the 
> real problem?  Is there something yum should be doing, but isn't?  Is 
> there something I should be doing, but I don't know it?
> 
The problem here is prelinking. It will change file properties when it
runs, but RKH tries to detect this and so obtain the true values for
each file (either by using the rpm package manager or using the prelink
command to verify the file). In some cases a dependency the file has,
has changed. Again, RKH cannot do anything about that, but suggests
running the prelink command. If it is occurring a lot with different
files, then you can try running 'prelink -qa', 'prelink -fa' or just
wait for the regular prelink cron job to run when it should sort out
prelinking problems. However, when I last looked the job ran about once
every two weeks :-)

> 3. Since updating to F-20, I'm seeing this warning:
> 
> [18:56:18]
> [18:56:18] Checking for GasKit Rootkit...
> [18:56:18]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
> [18:56:18]   Checking for directory '/dev/dev'               [ Found ]
> [18:56:18]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
> [18:56:18]   Checking for directory '/dev/dev/gaskit/sshd'   [ Not found ]
> [18:56:18] Warning: GasKit Rootkit                           [ Warning ]
> [18:56:18]          Directory '/dev/dev' found
> [18:56:18]
> 
It's a bug in F20 with the 'dracut' package, the '/dev/dev' directory is
created by mistake (see
https://bugzilla.redhat.com/show_bug.cgi?id=1045116). I got the same
problem. There is a fix, or you could wait for an update to the package.
You can whitelist this in your RKH config file (see RTKT_DIR_WHITELIST).




John.

-- 
----------------------------------------------------
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001

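An added shell helper, not from rkhunter or from this thread, that pulls the two warning kinds discussed above out of an rkhunter log, re-checks each flagged file with the same rpm and prelink commands RKH relies on, and prints the whitelist line for a reported directory. The log lines embedded in it are constructed from the format quoted in the thread, not a real log.

```shell
#!/bin/bash
# Added triage helper: extract the two warning types from an rkhunter log
# and re-verify flagged files the way RKH does, before trusting/whitelisting.

# Constructed sample in the format rkhunter writes; not a real log.
SAMPLE_LOG=$(cat <<'EOF'
[18:55:49]   /usr/bin/curl                                   [ Warning ]
[18:55:49] Warning: Package manager verification has failed:
[18:55:49]          File: /usr/bin/curl
[18:55:49]          The file hash value has changed
[18:56:18] Warning: GasKit Rootkit                           [ Warning ]
[18:56:18]          Directory '/dev/dev' found
EOF
)

# Paths whose package-manager verification failed (log on stdin);
# the "File:" line follows the "verification has failed" line.
failed_pkg_files() {
    awk '/Package manager verification has failed/ { want = 1; next }
         want && /File: / { sub(/.*File: /, ""); print; want = 0 }'
}

# Directories reported found by a rootkit signature check (log on stdin).
rootkit_dirs() {
    sed -n "s/.*Directory '\([^']*\)' found.*/\1/p"
}

# Re-verify one flagged file with the tools RKH relies on: rpm -Vf is
# silent when the file matches its package; prelink --verify exits non-zero
# when prelinked dependencies no longer line up. Missing tools are skipped.
verify_file() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$f" && echo "rpm: $f matches its package"
    else
        echo "rpm: skipped (rpm not installed here)"
    fi
    if command -v prelink >/dev/null 2>&1; then
        prelink --verify "$f" >/dev/null && echo "prelink: $f verifies"
    else
        echo "prelink: skipped (prelink not installed here)"
    fi
}

# Config line to add once a reported directory is explained (e.g. the
# dracut /dev/dev bug); the setting name is from rkhunter.conf.
whitelist_line() { echo "RTKT_DIR_WHITELIST=$1"; }

printf '%s\n' "$SAMPLE_LOG" | failed_pkg_files | while read -r f; do verify_file "$f"; done
printf '%s\n' "$SAMPLE_LOG" | rootkit_dirs | while read -r d; do whitelist_line "$d"; done
```

On a host without rpm or prelink the re-verification steps are reported as skipped; point the two parsers at /var/log/rkhunter.log to run it over a real log.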