rkhunter warnings, maybe yum issues?

William Mattison mattison.computer at yahoo.com
Fri Jan 31 01:11:40 UTC 2014


Joe says:

> If it helps, I don't have either a /dev/dev or a /root/.readahead. 
> However, I'm running F19 on my desktop, with Xfce, although I never use 
> a GUI as root.  I also don't have rkhunter installed, so that might be 
> significant.

The file is not "/root/.readahead".  The mystery file is "/.readahead".  What is this mystery file?


Frank asks:

> Did you run rkhunter prior to update? to check for nasties? # if not too late now.

yes.

> did you run "rkhunter --propupd" after FN+1 which would be required

yes.

John says (regarding "rpm -qf --queryformat..." error codes):
> This means that when rkhunter (RKH) uses the 'rpm' command to check a
> package it is getting an error back. All it can do is log the problem.
> If you run something like 'rpm -V chkconfig' then you will probably get
> an error - that is what RKH is seeing.

But why all the rpm errors?  Is yum not doing something that it should be doing during an update?  Am I not doing something I should be doing?  Is something wrong with RPM or my RPM database?  What and where is the real bug, and what's the permanent fix?
                
John says (regarding prelink issues):
> The problem here is prelinking. It will change file properties when it
> runs, but RKH tries to detect this and so obtain the true values for
> each file (either by using the rpm package manager or using the prelink
> command to verify the file). In some cases a dependency the file has,
> has changed. again, RKH cannot do anything about that, but suggests
> running the prelink command. If it is occurring a lot with different
> files, then you can try running 'prelink -qa', 'prelink -fa' or just
> wait for the regular prelink cron job to run when it should sort out
> prelinking problems. However, when I last looked the job ran about once
> every two weeks :-)

"prelink -qa" fixes things only until the next yum update.  Should yum do a "prelink -qa" at the end of each update?

John says (regarding the GasKit rootkit warning):
> It's a bug in F20 with the 'dracut' package, the '/dev/dev' directory is
> created by mistake(see
> https://bugzilla.redhat.com/show_bug.cgi?id=1045116). I got the same
> problem. There is a fix, or you could wait for an update to the package.
> You can whitelist this in your RKH config file (see RTKT_DIR_WHITELIST).

Good.  Thank you, John.

Bill.
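Added example, not code from this thread, from rkhunter or from rpm: a small POSIX shell triage of `rpm -V` output along the lines John describes, separating entries that prelink can plausibly explain from ones that need a look. It assumes prelink only alters a file's size, digest and mtime (the S, 5 and T columns); the sample `rpm -V` lines are constructed.

```shell
#!/bin/sh
# Triage `rpm -V` output. An entry whose only changed attributes are size,
# digest and mtime (S, 5, T) on a non-config file is tagged "PRELINK?"
# (assumption: those are the attributes prelink rewrites); the follow-up is
# to verify it with `prelink -y` or `rpm -Vf`. Any other change (mode,
# owner, group, link target, a missing file, or a test rpm could not
# perform, shown as "?") is tagged for attention.
#
# `rpm -V` flag columns: S M 5 D L U G T P
# (size, mode, digest, device, link, user, group, mtime, capabilities).

classify_line() {
  # $1: one `rpm -V` line, e.g. "S.5....T.  c /etc/ld.so.conf"
  set -- $1                       # split into: flags [type-marker] path
  flags=$1; shift
  marker=""
  case "$1" in /*) ;; *) marker=$1; shift ;; esac   # c, d, g, l or r
  path=$1
  if [ "$flags" = missing ]; then
    printf 'MISSING %s\n' "$path"; return
  fi
  # Drop the attributes prelink is expected to touch; anything left is real.
  other=$(printf '%s' "$flags" | tr -d 'S5T.')
  if [ -n "$other" ]; then
    printf 'ATTENTION %s (flags %s)\n' "$path" "$flags"
  elif [ "$marker" = c ]; then
    printf 'CONFIG %s (edited config file, usually expected)\n' "$path"
  else
    printf 'PRELINK? %s (check: prelink -y %s | sha256sum ; rpm -Vf %s)\n' \
      "$path" "$path" "$path"
  fi
}

classify_rpm_verify() {
  # Reads `rpm -V` output on stdin, prints one classification per line.
  while IFS= read -r l; do
    [ -n "$l" ] && classify_line "$l"
  done
}

# Constructed sample of `rpm -V` output (not taken from a real system).
SAMPLE_RPM_V='S.5....T.    /usr/bin/chkconfig
.M....G..    /usr/bin/passwd
S.5....T.  c /etc/ld.so.conf
missing     /usr/lib64/libfoo.so.1'

# Number of entries a person must look at; 0 means prelink explains it all.
count_attention() {
  printf '%s\n' "$SAMPLE_RPM_V" | classify_rpm_verify \
    | grep -c -e '^ATTENTION' -e '^MISSING'
}

count_attention
```

On a real system, feed it `rpm -Va 2>/dev/null | classify_rpm_verify` and look only at the ATTENTION and MISSING lines.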


