rkhunter warnings, maybe yum issues?

William mattison.computer at yahoo.com
Mon Feb 3 01:27:43 UTC 2014


Michael asks:

 > Could you give an example showing the queries you've performed?
 >
 > "whereis" looks for files available on the file-system in various paths.
 > "rpm" only covers files included in installed RPM packages as tracked by
 > the local RPM database.

I'll show rkhunter log entries, "rpm -V" output, and "whereis" output 
for 6 packages...
Here are 6 of the messages from the rkhunter log:
[18:55:34] Info: The command 'rpm -qf --queryformat... /usr/sbin/chkconfig' gave error code 1.
[18:55:39] Info: The command 'rpm -qf --queryformat... /usr/sbin/fuser' gave error code 1.
[18:55:40] Info: The command 'rpm -qf --queryformat... /usr/sbin/ifconfig' gave error code 1.
[18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/route' gave error code 1.
[18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/rsyslogd' gave error code 1.
[18:56:07] Info: The command 'rpm -qf --queryformat... /usr/bin/mailx' gave error code 1.

Here's the rpm -V output for those same 6 packages:
bash.11[~]: rpm -V chkconfig
bash.12[~]: rpm -V fuser
package fuser is not installed
bash.13[~]: rpm -V ifconfig
package ifconfig is not installed
bash.14[~]: rpm -V route
package route is not installed
bash.15[~]: rpm -V rsyslogd
package rsyslogd is not installed
bash.16[~]:
bash.32[~]: rpm -V mail
package mail is not installed

Here's the whereis output for those same 6 packages:
bash.16[~]: whereis chkconfig
chkconfig: /usr/sbin/chkconfig /etc/chkconfig.d /usr/share/man/man8/chkconfig.8.gz
bash.17[~]: whereis fuser
fuser: /usr/sbin/fuser /usr/share/man/man1/fuser.1.gz /usr/share/man/man1p/fuser.1p.gz
bash.18[~]: whereis ifconfig
ifconfig: /usr/sbin/ifconfig /usr/share/man/man8/ifconfig.8.gz
bash.19[~]: whereis route
route: /usr/sbin/route /usr/share/man/man8/route.8.gz
bash.20[~]: whereis rsyslogd
rsyslogd: /usr/sbin/rsyslogd /usr/share/man/man8/rsyslogd.8.gz
bash.21[~]:
bash.37[~]: whereis mail
mail: /usr/bin/mail /etc/mail /etc/mail.rc /usr/share/man/man1/mail.1.gz

(By the way, the "mail" command does work. I am not familiar with the others, so I have not tried them.)

As best as I recall at the moment, the only way packages have been 
installed on this system was (1) the initial install when the hardware 
was new, with the install coming from the f-18 install dvd burned from 
the Fedora web site; (2) by using yum (in most cases) or rpm (in a few 
cases); and (3) by using fedup.

John says:
 >> I consider parts 2 and 3 of my original post closed.  But I remain
 >> puzzled that rpm doesn't find packages that "whereis" finds in the
 >> places that rkhunter has rpm looking.
 > I don't follow that.

My original post had 3 parts.
* The third part reported a warning about GasKit rootkit.  People 
responded that it's a false alarm, and that a bugzilla has been 
submitted.  So this part of my original post is closed.
* The second part asked about package manager verification warnings that 
suggested prelinking to resolve dependency issues.  I wondered if yum 
should be doing something more.  People convinced me otherwise.  So this 
part of my original post is closed.
* The first part asked about error code 1 being returned by "rpm -qf 
--queryformat...".  Discussion in this list has me convinced that 
there's not an rkhunter issue here.  But I'm wondering if I have a 
non-rkhunter problem, based on the output that I included in the first 
part of *this* message.

Bill.
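The distinction Michael draws above (whereis searches the filesystem, rpm -qf searches the RPM database) can be re-run mechanically. The script below is an added example, not code from this post or from the rkhunter project. It pulls the file paths out of rkhunter log lines shaped like the ones quoted in the message, asks rpm which package owns each file with the same kind of query rkhunter runs (rpm -qf <file>), and then verifies the owning package with rpm -V. Note that rpm -V takes a package name, so "rpm -V fuser" asks about a package called fuser rather than about the file /usr/sbin/fuser; rpm -qf is the query that maps a file to its package. The alias handling for /usr/sbin vs /sbin and /usr/bin vs /bin is an assumption of mine and is not stated anywhere in the thread: on Fedora releases after the /usr merge those directories are symlinked, and rpm -qf compares the literal path string against the database, so a file registered under one spelling is not found under the other. The sample log is constructed from the quoted lines; the rpm calls only run where an rpm binary is present.

```python
"""Re-run the package-ownership lookup that rkhunter logs as 'error code 1'.

Added example (not from the original post or the rkhunter project):
1. parse the file paths out of rkhunter log lines,
2. ask rpm which installed package owns each file, also trying the
   /sbin vs /usr/sbin and /bin vs /usr/bin spelling (an assumption, see
   SHORT_ALIASES),
3. verify the *owning package* with 'rpm -V' instead of guessing a package
   name from the binary name.
"""
import re
import shutil
import subprocess

# Constructed sample, modelled on the six log lines quoted in the post.
SAMPLE_LOG = """\
[18:55:34] Info: The command 'rpm -qf --queryformat... /usr/sbin/chkconfig' gave error code 1.
[18:55:39] Info: The command 'rpm -qf --queryformat... /usr/sbin/fuser' gave error code 1.
[18:55:40] Info: The command 'rpm -qf --queryformat... /usr/sbin/ifconfig' gave error code 1.
[18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/route' gave error code 1.
[18:55:44] Info: The command 'rpm -qf --queryformat... /usr/sbin/rsyslogd' gave error code 1.
[18:56:07] Info: The command 'rpm -qf --queryformat... /usr/bin/mailx' gave error code 1.
"""

# Matches "... 'rpm -qf <anything> /path/to/file' gave error code N." and
# captures the path and the exit code.
LOG_RE = re.compile(r"The command 'rpm -qf [^']*?(/\S+)' gave error code (\d+)\.")


def failed_lookups(log_text):
    """Return the file paths whose 'rpm -qf' lookup exited non-zero."""
    paths = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) != "0":
            paths.append(m.group(1))
    return paths


# Assumption (not stated in the thread): after Fedora's /usr merge, /bin and
# /sbin are symlinks into /usr, and a package may have registered its file
# under either spelling.  rpm -qf matches the path string as given, so we
# ask about both spellings before concluding that nothing owns the file.
SHORT_ALIASES = {"/usr/sbin/": "/sbin/", "/usr/bin/": "/bin/"}


def candidate_paths(path):
    """The path as given, plus its long/short alias if it has one."""
    cands = [path]
    for long, short in SHORT_ALIASES.items():
        if path.startswith(long):
            cands.append(short + path[len(long):])
        elif path.startswith(short):
            cands.append(long + path[len(short):])
    return cands


def rpm_available():
    return shutil.which("rpm") is not None


def owning_package(path):
    """Return (package_name, path_that_matched), or (None, None) if unowned.

    This is the same query rkhunter runs; the --queryformat just limits the
    output to the package name.  Requires the rpm binary.
    """
    for cand in candidate_paths(path):
        proc = subprocess.run(
            ["rpm", "-qf", "--queryformat", "%{NAME}\n", cand],
            capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.splitlines()[0], cand
    return None, None


def verify_owner(path):
    """Run 'rpm -V' on the package that owns `path`; return a status line."""
    pkg, matched = owning_package(path)
    if pkg is None:
        return "%s: not owned by any installed package (tried %s)" % (
            path, ", ".join(candidate_paths(path)))
    proc = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True)
    if proc.returncode == 0:
        status = "rpm -V reports no differences"
    else:
        status = "rpm -V reported differences:\n" + proc.stdout
    return "%s: owned by %s (matched as %s); %s" % (path, pkg, matched, status)


if __name__ == "__main__":
    paths = failed_lookups(SAMPLE_LOG)
    if not rpm_available():
        print("rpm not found on this host; paths that would be checked:", paths)
    else:
        for p in paths:
            print(verify_owner(p))
```

On a real host, replace SAMPLE_LOG with the contents of the rkhunter log (for example /var/log/rkhunter.log) and run it as root so rpm -V can read every file it needs to compare. If a path is reported as unowned under both spellings, it really is not in the RPM database, which is what the rkhunter message is telling you; rpm -Vf <file> is the one-liner equivalent of owning_package followed by rpm -V for a file that is owned.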

