rkhunter warnings, maybe yum issues?

John Horne john.horne at plymouth.ac.uk
Fri Jan 31 10:28:39 UTC 2014


On Thu, 2014-01-30 at 17:11 -0800, William Mattison wrote:
>
> John says (regarding "rpm -qf --queryformat..." error codes)
> > This means that when rkhunter (RKH) uses the 'rpm' command to check a
> > package it is getting an error back. All it can do is log the problem.
> > If you run something like 'rpm -V chkconfig' then you will probably get
> > an error - that is what RKH is seeing.
> 
> But why all the rpm errors?  Is yum not doing something that it should
> be doing during an update?  Am I not doing something I should be
> doing?  Is something wrong with RPM or my RPM database?  What and
> where is the real bug, and what's the permanent fix?
>
So what happened when you ran 'rpm -V ...'? It will probably show that
the package has changed in some way. That, in turn, may be normal if
(say) a configuration file has changed (in which case look at RKH
PKGMGR_NO_VRFY). It may be due to prelinking. Unfortunately prelinking
can change things such that dependency errors occur, and this will cause
RKH and (AFAIK) rpm and prelink itself to trip up.

>
> John says (regarding prelink issues):
> > The problem here is prelinking. It will change file properties when it
> > runs, but RKH tries to detect this and so obtain the true values for
> > each file (either by using the rpm package manager or using the prelink
> > command to verify the file). In some cases a dependency the file has,
> > has changed. Again, RKH cannot do anything about that, but suggests
> > running the prelink command. If it is occurring a lot with different
> > files, then you can try running 'prelink -qa', 'prelink -fa' or just
> > wait for the regular prelink cron job to run when it should sort out
> > prelinking problems. However, when I last looked the job ran about once
> > every two weeks :-)
> 
> "prelink -qa" fixes things only until the next yum update.  Should yum
> do a "prelink -qa" at the end of each update?
>
No, because not all packages require/use prelinking. A yum update
doesn't necessarily cause a problem with prelinking. There are only
problems if some dependency fails.



John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
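
Added example, not part of the message above or of rkhunter: a small triage of 'rpm -V' output that separates changed configuration files (the PKGMGR_NO_VRFY case mentioned above) from non-config files whose content digest differs, which need a closer look (prelinking being one cause). The function names and the sample lines are constructed for illustration; paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Read `rpm -V <package>` output on stdin and print "<class> <path>" per line.
# Classes:
#   config   - file marked "c" (config) changed; normal if it was edited,
#              and a candidate for rkhunter's PKGMGR_NO_VRFY
#   content  - non-config file whose digest ("5") differs; prelinking or a
#              real modification, so verify it separately
#   metadata - only size/mode/owner/mtime style attributes differ
#   missing  - file listed by the package is absent
#   other    - anything else, e.g. dependency errors reported by rpm
classify_rpm_verify() {
    awk '
    $1 == "missing" { print "missing", $NF; next }
    # Attribute string: 8 or 9 characters drawn from SM5DLUGTP, "." and "?"
    $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 && length($1) <= 9 \
        && $NF ~ /^\// {
        marker = (NF == 3) ? $2 : ""
        if (marker == "c")          cls = "config"
        else if (index($1, "5"))    cls = "content"
        else                        cls = "metadata"
        print cls, $NF; next
    }
    NF { print "other", $0 }
    '
}

# Constructed sample of `rpm -V` output (not taken from a real system).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/example-tool
.......T.    /usr/share/example/data.txt
missing     /usr/lib64/libexample.so.1
Unsatisfied dependencies for example-1.0-1.x86_64:
EOF
}

# Stand-alone run on the sample; on a real host use:
#   rpm -V chkconfig | classify_rpm_verify
sample_rpm_verify | classify_rpm_verify
```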

