rkhunter Question.

Paulo Cavalcanti promac at gmail.com
Fri Jan 16 14:18:47 UTC 2009


On Sun, Jan 11, 2009 at 4:06 PM, Gene Heskett <gene.heskett at verizon.net> wrote:

> On Sunday 11 January 2009, Kevin Fenzi wrote:
> >On Thu, 08 Jan 2009 20:29:49 +0000
> >
> >John Horne <john.horne at plymouth.ac.uk> wrote:
> >> On Thu, 2009-01-08 at 15:22 -0500, Gene Heskett wrote:
> >> > On Thursday 08 January 2009, John Horne wrote:
> >
> >...snip...
> >
> >> > Should the rpm installer have overwritten them?  I dunno, there
> >> > could be problems intro'd either way in this case.
> >>
> >> The rkhunter installer will not overwrite anything in /etc. The copies
> >> it takes of the files are for its own use and put into a separate
> >> secure directory. It is those files it looks for.
> >>
> >> Looking at the rkhunter 1.3.2 rpm spec file (as used for the Fedora
> >> package), it does not seem to take an initial copy of the files. So
> >> that would explain why you got the initial warning. However, as has
> >> already been replied, the spec file for 1.3.4 FC10 does do this
> >> initial copy (although I cannot personally verify that).
> >
> >Nope. Neither one does that. You need to run 'rkhunter --propupd' to
> >get it to make copies of passwd/shadow and save file properties.
> >
> >The reason for that is that the package can't know anything about how
> >much you trust your current install when it's installed. It's up to you
> >to run the --propupd and tell it that you think the system is clean and
> >that everything should be saved.
> >
> >> John.
> >
> >kevin
>
> At the time I posted the original message, I had already done that with
> 1.3.2, so I built 1.3.4, which did apparently do that properly when that
> operation was repeated.
>
>
I have run rkhunter --propupd many times, I do have a copy of group and
passwd in /var/run/rkhunter, but I always receive an email saying that
there is no copy of group and passwd. Upgrading to 1.3.4 did not change
anything. This happens on every computer I have rkhunter installed.


-- 
Paulo Roma Cavalcanti
LCG - UFRJ