Re: [Rkhunter-users] baffling warning
Dick Gevers wrote:
> On Fri, 7 Dec 2007 00:15:32 +0100, Nils Breunese (Lemonbit) wrote about Re:
> [Rkhunter-users] baffling warning:
>
>>> Of course:
>>>
>>> # rpm -Vf /usr/bin/who
>>> S.5....T  c /etc/DIR_COLORS
>>> S.5....T  c /etc/pam.d/su
>>> .M...G..    /usr/bin/who
>>>
>>> Looks okay to me. But I'll appreciate any ideas.
>>
>> For the first two files the file size, MD5 and Mtime tests fail. For the
>> last one the mode and group tests failed. Why does that look okay to you?
>> Did you modify these files yourself?
>
> Well, I don't see the warnings, but I'll take your word for it.

That's what the letters S (file size), M (mode), 5 (MD5), G (group) and T
(Mtime) indicate. The rpm verify only gives output about files that are
different from the packaged versions.

> I know all 3 files changed by a few upgrades in Cooker. But this was not
> done manually but by package coreutils being upgraded.

A package being upgraded is no reason for this, as the package manager knows
what it installed.

> The only thing I could imagine is that /usr/bin/who might have changed
> group due to msec running, but I didn't see an error with rpm. Obviously,
> you know more than I do. Is there a suggested way to deal with this?

I am no Mandrake user and not familiar with msec, but it could be that that
changes the mode of the who binary. If it does, then yes, rpm will tell you
who is not the original version and rkhunter will notify you of this.

Nils Breunese.

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open
Source. http://sourceforge.net/services/buy/index.php
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] baffling warning
On Fri, 7 Dec 2007 09:53:12 +0100, Nils Breunese (Lemonbit) wrote about Re:
[Rkhunter-users] baffling warning:

> I am no Mandrake user and not familiar with msec, but it could be that that
> changes the mode of the who binary. If it does, then yes, rpm will tell you
> who is not the original version and rkhunter will notify you of this.

Thanks very much for your explanations.

Best regards,
=Dick Gevers=
[Rkhunter-users] baffling warning
I've been meaning to ask this since rkh 1.3.0 came out, but never got around
to it.

When one of the checked binaries changes, obviously a warning appears, which
goes away if I run rkh with '--propupd'. There's one set of exceptions:

[23:50:37] /bin/rpm                                      [ Warning ]
[23:50:37] Warning: Package manager verification has failed:
[23:50:37]          File: /bin/rpm
[23:50:37]          The file permissions have changed
<snip>
[23:51:20] Warning: Package manager verification has failed:
[23:51:20]          File: /usr/bin/w
[23:51:20]          The file permissions have changed
[23:51:20]          The file group has changed
<snip>
[23:51:25] /usr/bin/who                                  [ Warning ]
[23:51:25] Warning: Package manager verification has failed:
[23:51:25]          File: /usr/bin/who
[23:51:25]          The file permissions have changed
[23:51:25]          The file group has changed
<snip>

No matter if I run --propupd and a check right after, these 3 files always
show up with these warnings every day. rpm -Vvv will show them to be okay.

So, how can I avoid this kind of warning? Perhaps I missed something
essential in the documentation, but I wouldn't know what.

I run Mandriva Cooker (development version) which is updated daily, so I
often have to run '--propupd', but these 3 keep haunting me.

Thanks i.a. for any ideas

Cheers,
=Dick Gevers=
Re: [Rkhunter-users] baffling warning
On Thu, 2007-12-06 at 17:49 +, Dick Gevers wrote:
> I've been meaning to ask this since rkh 1.3.0 came out, but never got
> around to it.
>
> When one of the checked binaries changes, obviously a warning appears,
> which goes away if I run rkh with '--propupd'. There's one set of
> exceptions:
>
> [23:50:37] /bin/rpm                                      [ Warning ]
> [23:50:37] Warning: Package manager verification has failed:
> [23:50:37]          File: /bin/rpm
> [23:50:37]          The file permissions have changed
> <snip>
> [23:51:20] Warning: Package manager verification has failed:
> [23:51:20]          File: /usr/bin/w
> [23:51:20]          The file permissions have changed
> [23:51:20]          The file group has changed
> <snip>
> [23:51:25] /usr/bin/who                                  [ Warning ]
> [23:51:25] Warning: Package manager verification has failed:
> [23:51:25]          File: /usr/bin/who
> [23:51:25]          The file permissions have changed
> [23:51:25]          The file group has changed
> <snip>
>
> No matter if I run --propupd and a check right after, these 3 files always
> show up with these warnings every day. rpm -Vvv will show them to be okay.
>
> So, how can I avoid this kind of warning? Perhaps I missed something
> essential in the documentation, but I wouldn't know what.

Hmm, this doesn't make much sense. The warnings are caused by the RPM package
manager saying that the files are NOT correct. Can you run 'rpm -Vf
/usr/bin/who' and let me know what the output is (if any) please.

When using a package manager the '--propupd' will have no effect on some of
the file properties - for RPM this will include file permissions and group.
As such running 'rkhunter --propupd' will make no difference to the
warnings. The warnings will only go away when the RPM package manager
database is happy that the files are valid.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 233839
Re: [Rkhunter-users] baffling warning
On Thu, 06 Dec 2007 21:42:53 +, John Horne wrote about Re: [Rkhunter-users]
baffling warning:

> Hmm, this doesn't make much sense. The warnings are caused by the RPM
> package manager saying that the files are NOT correct.

Yes, but the rpmdb changes when packages are upgraded. So rkh needs a new
baseline to check, which --propupd takes care of. At least that's how I
understand it.

> Can you run 'rpm -Vf /usr/bin/who' and let me know what the output is (if
> any) please.

Of course:

# rpm -Vf /usr/bin/who
S.5....T  c /etc/DIR_COLORS
S.5....T  c /etc/pam.d/su
.M...G..    /usr/bin/who

Looks okay to me. But I'll appreciate any ideas.

Thanks and BFN
=Dick Gevers=
Re: [Rkhunter-users] baffling warning
Dick Gevers wrote:
> On Thu, 06 Dec 2007 21:42:53 +, John Horne wrote about Re:
> [Rkhunter-users] baffling warning:
>
>> Can you run 'rpm -Vf /usr/bin/who' and let me know what the output is
>> (if any) please.
>
> Of course:
>
> # rpm -Vf /usr/bin/who
> S.5....T  c /etc/DIR_COLORS
> S.5....T  c /etc/pam.d/su
> .M...G..    /usr/bin/who
>
> Looks okay to me. But I'll appreciate any ideas.

For the first two files the file size, MD5 and Mtime tests fail. For the last
one the mode and group tests failed. Why does that look okay to you? Did you
modify these files yourself?

Nils Breunese.
Re: [Rkhunter-users] baffling warning
On Fri, 7 Dec 2007 00:15:32 +0100, Nils Breunese (Lemonbit) wrote about Re:
[Rkhunter-users] baffling warning:

>> Of course:
>>
>> # rpm -Vf /usr/bin/who
>> S.5....T  c /etc/DIR_COLORS
>> S.5....T  c /etc/pam.d/su
>> .M...G..    /usr/bin/who
>>
>> Looks okay to me. But I'll appreciate any ideas.
>
> For the first two files the file size, MD5 and Mtime tests fail. For the
> last one the mode and group tests failed. Why does that look okay to you?
> Did you modify these files yourself?

Well, I don't see the warnings, but I'll take your word for it.

I know all 3 files changed by a few upgrades in Cooker. But this was not done
manually but by package coreutils being upgraded.

The only thing I could imagine is that /usr/bin/who might have changed group
due to msec running, but I didn't see an error with rpm. Obviously, you know
more than I do. Is there a suggested way to deal with this?

Thanks v.m.
=Dick Gevers=
Re: [Rkhunter-users] baffling warning
On Thu, 2007-12-06 at 23:01 +, Dick Gevers wrote:
> On Thu, 06 Dec 2007 21:42:53 +, John Horne wrote about Re:
> [Rkhunter-users] baffling warning:
>
>> Hmm, this doesn't make much sense. The warnings are caused by the RPM
>> package manager saying that the files are NOT correct.
>
> Yes, but the rpmdb changes when packages are upgraded. So rkh needs a new
> baseline to check, which --propupd takes care of. At least that's how I
> understand it.

No. If a package manager is used then all RKH does is ask the package manager
if the files are okay. It (rkhunter) does not use any stored file attributes
when the package manager is used. Hence, using '--propupd' makes no
difference to packaged files in this instance.

>> Can you run 'rpm -Vf /usr/bin/who' and let me know what the output is
>> (if any) please.
>
> Of course:
>
> # rpm -Vf /usr/bin/who
> S.5....T  c /etc/DIR_COLORS
> S.5....T  c /etc/pam.d/su
> .M...G..    /usr/bin/who
>
> Looks okay to me. But I'll appreciate any ideas.

If you look at the 'rpm' man page, under the verification section it will
tell you what the various letters mean. For the 'who' file the
mode/permissions and group ownership have changed from what the RPM database
expects.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 233839
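The flag column that Nils and John decode above (S, M, 5, G, T and the other letters listed in the verification section of the rpm man page) is easy to misread, which is what happened in this thread. The following is an added example, not code from rkhunter or from anyone posting here: a small Python parser that turns `rpm -V` / `rpm -Vf` lines into structured results and then sorts them the way John's explanation suggests, separating local edits to config files from content changes on plain files and from metadata-only drift (mode, owner, group, mtime), the last being exactly the case that `--propupd` cannot silence because rkhunter defers to the package manager for packaged files. The sample input embeds Dick's three lines (with rpm's column padding restored) plus two constructed lines; the `VerifyResult` type, the bucket names and the `missing` handling are my own design and not anything rkhunter does.

```python
"""Decode and triage `rpm -V` / `rpm -Vf` verification output.

Added example for the rkhunter-users thread; not code from rkhunter or from
any of the posters. The flag letters follow the verification section of rpm(8).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One letter per column, in the order rpm prints them. rpm 4.4 (the release
# shipping in Mandriva Cooker in late 2007) prints the first eight; the 'P'
# (capabilities) column arrived later, so the parser accepts eight or nine.
FLAG_MEANINGS = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "digest differs (MD5 on rpm 4.4)",
    "D": "device major/minor number mismatch",
    "L": "readlink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# Single-letter file attribute rpm prints between the flag column and the path.
ATTR_MEANINGS = {"c": "config", "d": "documentation", "g": "ghost",
                 "l": "license", "r": "readme"}

# Metadata flags: rkhunter's --propupd stores nothing that can silence these
# for a packaged file, because the package manager is consulted instead.
METADATA_FLAGS = frozenset("MDLUGTP")
CONTENT_FLAGS = frozenset("S5")

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)


@dataclass(frozen=True)
class VerifyResult:
    path: str
    flags: frozenset            # letters that failed, e.g. {"M", "G"}
    attr: Optional[str]         # "c" for a config file, None for a plain file
    missing: bool = False

    def content_changed(self) -> bool:
        return bool(self.flags & CONTENT_FLAGS)

    def metadata_changed(self) -> bool:
        return bool(self.flags & METADATA_FLAGS)

    def describe(self) -> str:
        if self.missing:
            return f"{self.path}: file is missing"
        what = ", ".join(FLAG_MEANINGS[f] for f in FLAG_MEANINGS if f in self.flags)
        kind = ATTR_MEANINGS.get(self.attr or "", "file")
        return f"{self.path} ({kind}): {what}"


def parse_rpm_verify(text: str) -> list[VerifyResult]:
    """Parse the lines rpm -V prints; an unrecognised line raises ValueError."""
    results = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rpm -V line: {line!r}")
        if m["flags"] == "missing":
            results.append(VerifyResult(m["path"], frozenset(), m["attr"], missing=True))
            continue
        flags = frozenset(ch for ch in m["flags"] if ch != ".")
        results.append(VerifyResult(m["path"], flags, m["attr"]))
    return results


def triage(results: list[VerifyResult]) -> dict[str, list[str]]:
    """Sort findings into the buckets a reviewer actually acts on."""
    buckets: dict[str, list[str]] = {"missing": [], "config_edited": [],
                                     "content_changed": [], "metadata_only": []}
    for r in results:
        if r.missing:
            buckets["missing"].append(r.path)
        elif r.content_changed() and r.attr == "c":
            buckets["config_edited"].append(r.path)     # local edits: usually expected
        elif r.content_changed():
            buckets["content_changed"].append(r.path)   # binary differs: investigate first
        elif r.metadata_changed():
            buckets["metadata_only"].append(r.path)     # perms/owner drift, e.g. from msec
    return buckets


# Constructed sample: Dick's three lines, plus two made-up lines exercising the
# 'missing' form and the nine-column layout of newer rpm releases.
SAMPLE_OUTPUT = """\
S.5....T  c /etc/DIR_COLORS
S.5....T  c /etc/pam.d/su
.M...G..    /usr/bin/who
missing     /usr/share/doc/coreutils/README
S.5......    /usr/bin/w
"""

if __name__ == "__main__":
    found = parse_rpm_verify(SAMPLE_OUTPUT)
    for r in found:
        print(r.describe())
    for bucket, paths in triage(found).items():
        print(f"{bucket}: {paths}")
```

Run against the sample, `/usr/bin/who` lands in `metadata_only`, which is the thread's situation: no amount of `--propupd` changes it, only bringing the file's mode and group back in line with the rpm database does. For that the rpm man page documents `rpm --setperms <package>` and `rpm --setugids <package>`; whether restoring the packaged values is right on a system where msec deliberately tightens permissions is a local decision. The constructed `/usr/bin/w` line, a plain binary whose size and digest differ, is the bucket to look at before any of the others.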
Re: [Rkhunter-users] baffling warning
On Thu, 06 Dec 2007 23:57:05 +, John Horne wrote about Re: [Rkhunter-users]
baffling warning:

> If you look at the 'rpm' man page, under the verification section it will
> tell you what the various letters mean. For the 'who' file the
> mode/permissions and group ownership have changed from what the RPM
> database expects.

Ah; thanks for that: I was not aware of that; sorry.

Best regards,
=Dick Gevers=