Re: [Rkhunter-users] whitelisted file but still warning

2007-11-06 Thread Dogsbody

 So what is the fix?  Sorry if this is a silly question and I'm aware I 
 may be going away from RKH support but do I need to somehow re-sync 
 the RPM package manager? Or can I whitelist this in RKH?

 This is not something that RKH can sort out. By using the package
 manager you are telling RKH just to check the package manager to see if
 a file has changed. In this case /sbin/ifup has changed. You can't
 whitelist these because it is the package manager telling RKH that the
 file has changed - not RKH checking its own values to see if the file
 has changed.

Fair enough, thank you for the quick responses.  I have changed PKGMGR to NONE 
and RKH is working great.  I'm not worried about /sbin/ifup as it's some manual 
changes that we did to the file for some control panel software.

Thanks again for a great tool :-)

Dan


-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] whitelisted file but still warning

2007-11-05 Thread John Horne
On Mon, 2007-11-05 at 16:12 +, Dogsbody wrote:
 Hi,
 
 Just upgrading to 1.3.0 and it's looking great so far.  A few warnings 
 to start with but after checking things out and adding things to the 
 config file I am just left with one...
 
 [15:53:58] /sbin/ifup[ Warning ]
 [15:53:58] Warning: Package manager verification has failed:
 [15:53:59]  File: /sbin/ifup
 [15:53:59]  The file hash value has changed
 [15:53:59]  The file size has changed
 [15:53:59]  The file modification time has changed
 [15:53:59] Info: Found file '/sbin/ifup': it is whitelisted for the 
 'script replacement' check.
 
 ... as you can see, I have added /sbin/ifup to SCRIPTWHITELIST however 
 it still seems to show as a warning!?
 
 Is it because I am using PKGMGR=RPM?
 
Yes. If you run 'rpm -Vf /sbin/ifup' it will show that the RPM package
manager thinks the file has changed (probably showing 5, S and T as
having changed). If the file was updated recently, then the package
manager database does not seem to have been correspondingly changed. You
may want to ensure that the rest of the package is valid (although the
'rpm -Vf' command will check the whole package anyway).



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839



Re: [Rkhunter-users] whitelisted file but still warning

2007-11-05 Thread Dogsbody

 ... as you can see, I have added /sbin/ifup to SCRIPTWHITELIST however 
 it still seems to show as a warning!?
 Is it because I am using PKGMGR=RPM?

 Yes. If you run 'rpm -Vf /sbin/ifup' it will show that the RPM package
 manager thinks the file has changed (probably showing 5, S and T as
 having changed). If the file was updated recently, then the package
 manager database does not seem to have been correspondingly changed. You
 may want to ensure that the rest of the package is valid (although the
 'rpm -Vf' command will check the whole package anyway).

Thank you, you're right...

# rpm -Vf /sbin/ifup
.M..  c /etc/adjtime
S.5T  c /etc/inittab
SM5T  c /etc/rc.d/init.d/halt
S.5T  c /etc/rc.d/rc.local
...T  c /etc/rc.d/rc.sysinit
S.5T  c /sbin/ifup

So what is the fix?  Sorry if this is a silly question and I'm aware I 
may be going away from RKH support but do I need to somehow re-sync 
the RPM package manager? Or can I whitelist this in RKH?

Regards, Dan




Re: [Rkhunter-users] whitelisted file but still warning

2007-11-05 Thread John Horne
On Mon, 2007-11-05 at 17:12 +, Dogsbody wrote:
  ... as you can see, I have added /sbin/ifup to SCRIPTWHITELIST however 
  it still seems to show as a warning!?
  Is it because I am using PKGMGR=RPM?
 
  Yes. If you run 'rpm -Vf /sbin/ifup' it will show that the RPM package
  manager thinks the file has changed (probably showing 5, S and T as
  having changed). If the file was updated recently, then the package
  manager database does not seem to have been correspondingly changed. You
  may want to ensure that the rest of the package is valid (although the
  'rpm -Vf' command will check the whole package anyway).
 
 Thank you, you're right...
 
 # rpm -Vf /sbin/ifup
 .M..  c /etc/adjtime
 S.5T  c /etc/inittab
 SM5T  c /etc/rc.d/init.d/halt
 S.5T  c /etc/rc.d/rc.local
 ...T  c /etc/rc.d/rc.sysinit
 S.5T  c /sbin/ifup
 
 So what is the fix?  Sorry if this is a silly question and I'm aware I 
 may be going away from RKH support but do I need to somehow re-sync 
 the RPM package manager? Or can I whitelist this in RKH?
 
This is not something that RKH can sort out. By using the package
manager you are telling RKH just to check the package manager to see if
a file has changed. In this case /sbin/ifup has changed. You can't
whitelist these because it is the package manager telling RKH that the
file has changed - not RKH checking its own values to see if the file
has changed.

The question is: have the files been modified by someone else, or is this
just a package update that has gone a little wrong?

Personally I would check the yum.log (or whatever log file you have that
records package updates) to see if the initscripts package was updated
recently. If it has not, then I would investigate why the files such as
rc.local have changed. (It is a script so just by 'cat'-ing it you may
see something indicating that someone has changed it.) If initscripts
was updated recently, then it is possible that the update didn't
complete successfully. I would obtain a known good copy of the
initscripts RPM, and manually/forcibly install it (if you are using
'yum' then it may be possible to tell yum to reinstall a package - the
man page might say). Run 'rpm -V initscripts' afterwards.

If a package had several modified files in it, then I would have
suggested perhaps re-installing the package from a good source. In this
case though the package is 'initscripts' as far as I can tell, and that
involves a lot of the system startup scripts.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839
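The triage John describes (read the rpm -V flags, decide whether a change is a local config edit, a broken update or something that needs investigating) can be scripted. The POSIX sh below is an added example written for this page; it is not part of rkhunter or rpm. The flag letters follow rpm(8): S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities (newer rpm only), with '.' for a passed test and '?' for one that could not be run; the attribute column is c config, d doc, g ghost, l license, r readme. The sample output is constructed, modelled on Dan's listing, and the "executable path" list used to treat /sbin/ifup as suspect even though rpm marks it a config file is this example's own heuristic.

```shell
#!/bin/sh
# Added example: classify 'rpm -V' / 'rpm -Vf' output by severity.
# Not rkhunter or rpm code. Assumes rpm's verify line format:
#   <flags> [<attr>] <path>      or      missing [<attr>] <path>
# Paths containing whitespace or glob characters are not expected.

# Constructed sample (8-column flags as printed by rpm 4.4-era releases),
# modelled on the listing in the thread.
SAMPLE_RPM_V_OUTPUT='.M......  c /etc/adjtime
S.5....T  c /etc/inittab
SM5....T  c /etc/rc.d/init.d/halt
S.5....T  c /etc/rc.d/rc.local
.......T  c /etc/rc.d/rc.sysinit
S.5....T  c /sbin/ifup'

# Classify one verify line. Prints one of:
#   MISSING/SUSPECT/REVIEW/EXPECTED/BENIGN <path> (<reason>; flags <flags>)
classify_rpm_verify_line() {
    set -- $1                       # split: <flags> [<attr>] <path...>
    flags=$1; shift
    attr=
    case $1 in
        [cdglr]) attr=$1; shift ;;  # single-letter attribute column
    esac
    path=$*

    if [ "$flags" = missing ]; then
        echo "MISSING $path"
        return 0
    fi

    # Heuristic (this example's own): content changes under executable or
    # library directories are suspect even when rpm marks the file %config,
    # which is exactly the /sbin/ifup case in the thread.
    case $path in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|\
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) exec_path=1 ;;
        *) exec_path=0 ;;
    esac

    case $flags in
        *5*|*S*)
            # digest or size differs: the bytes on disk are not the package's
            if [ "$attr" = c ] && [ "$exec_path" = 0 ]; then
                echo "EXPECTED $path (config content changed; flags $flags)"
            else
                echo "SUSPECT $path (content changed; flags $flags)"
            fi ;;
        *M*|*U*|*G*|*L*|*D*|*P*)
            # metadata only, but mode/owner changes on a binary still matter
            echo "REVIEW $path (mode, owner, link or caps changed; flags $flags)" ;;
        *)
            # only T (mtime) set, or '?' where rpm could not test
            echo "BENIGN $path (mtime only or unverifiable; flags $flags)" ;;
    esac
}

# Read verify output on stdin, print a classification per line.
# Returns 1 if anything is SUSPECT or MISSING, else 0.
rpm_verify_report() {
    suspect=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        out=$(classify_rpm_verify_line "$line")
        echo "$out"
        case $out in
            SUSPECT*|MISSING*) suspect=1 ;;
        esac
    done
    return $suspect
}

# Live use (not run here):
#   rpm -qf /sbin/ifup | head -1            # which package owns the file
#   rpm -Vf /sbin/ifup | rpm_verify_report  # classify the whole package
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_RPM_V_OUTPUT" | rpm_verify_report \
    || echo "at least one SUSPECT/MISSING entry: investigate before trusting this host"
```

On the sample, the config edits under /etc come out as EXPECTED and /sbin/ifup as SUSPECT, which is the split John suggests: cat the rc.local-style scripts to confirm the edits are yours, and treat a modified binary or network script as something to explain from the package update log or to reinstall from a known good RPM and re-verify with 'rpm -V initscripts'.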
