On Mon, 2007-11-05 at 17:12 +0000, Dogsbody wrote:
> >> ... as you can see, I have added /sbin/ifup to SCRIPTWHITELIST however 
> >> it still seems to show as a warning!?
> >> Is it because I am using PKGMGR=RPM?
> >
> > Yes. If you run 'rpm -Vf /sbin/ifup' it will show that the RPM package
> > manager thinks the file has changed (probably showing 5, S and T as
> > having changed). If the file was updated recently, then the package
> > manager database does not seem to have been correspondingly changed. You
> > may want to ensure that the rest of the package is valid (although the
> > 'rpm -Vf' command will check the whole package anyway).
> 
> Thank you, you're right...
> 
> # rpm -Vf /sbin/ifup
> .M......  c /etc/adjtime
> S.5....T  c /etc/inittab
> SM5....T  c /etc/rc.d/init.d/halt
> S.5....T  c /etc/rc.d/rc.local
> .......T  c /etc/rc.d/rc.sysinit
> S.5....T  c /sbin/ifup
> 
> So what is the fix?  Sorry if this is a silly question and I'm aware I 
> may be going away from RKH support but do I need to somehow "re-sync" 
> the RPM package manager? Or can I whitelist this in RKH?
> 
This is not something that RKH can sort out. By using the package
manager you are telling RKH just to check the package manager to see if
a file has changed. In this case /sbin/ifup has changed. You can't
whitelist these because it is the package manager telling RKH that the
file has changed - not RKH checking its own values to see if the file
has changed.

The question is have the files been modified by someone else, or is this
just a package update that has gone a little wrong?

Personally I would check the yum.log (or whatever log file you have that
records package updates) to see if the initscripts package was updated
recently. If it has not, then I would investigate why the files such as
rc.local have changed. (It is a script so just by 'cat'-ing it you may
see something indicating that someone has changed it.) If initscripts
was updated recently, then it is possible that the update didn't
complete successfully. I would obtain a known good copy of the
initscripts RPM, and manually/forcibly install it (if you are using
'yum' then it may be possible to tell yum to reinstall a package - the
man page might say). Run 'rpm -V initscripts' afterwards.

If a package had several modified files in it, then I would have
suggested perhaps re-installing the package from a good source. In this
case though the package is 'initscripts' as far as I can tell, and that
involves a lot of the system startup scripts.



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
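
An added example, not part of the original messages and not rkhunter code: a Python sketch that decodes the 'rpm -V' flag columns quoted in the thread and separates files whose content differs from the package database (digest changed, or file missing) from files with metadata-only changes. The function names are hypothetical; the sample input is the output quoted above.

```python
import re

# Attribute characters printed by 'rpm -V' and what each one reports.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}
# <flags> [file-type marker, e.g. 'c' for config] <path>
CHANGED = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")

# The 'rpm -Vf /sbin/ifup' output quoted in the thread.
SAMPLE = """\
.M......  c /etc/adjtime
S.5....T  c /etc/inittab
SM5....T  c /etc/rc.d/init.d/halt
S.5....T  c /etc/rc.d/rc.local
.......T  c /etc/rc.d/rc.sysinit
S.5....T  c /sbin/ifup
"""

def parse_line(line):
    """Return a dict for one 'rpm -V' line, or None if it is not one."""
    line = line.rstrip()
    m = MISSING.match(line)
    if m:
        return {"path": m[2], "config": m[1] == "c", "changed": ["missing"]}
    m = CHANGED.match(line)
    if not m:
        return None
    changed = [FLAGS[c] for c in m[1] if c in FLAGS]
    if "?" in m[1]:
        changed.append("unverifiable")  # rpm could not perform a test
    return {"path": m[3], "config": m[2] == "c", "changed": changed}

def triage(output):
    """Split records into (content changed or missing, metadata only)."""
    records = [r for r in map(parse_line, output.splitlines()) if r]
    content = [r for r in records
               if {"digest", "missing"} & set(r["changed"])]
    metadata = [r for r in records if r not in content]
    return content, metadata

if __name__ == "__main__":
    content, metadata = triage(SAMPLE)
    for label, group in (("REVIEW CONTENT", content), ("metadata only", metadata)):
        for r in group:
            print(f"{label:15} {r['path']:25} {', '.join(r['changed'])}")
```

A digest change only says that the file content differs from what the package database recorded; the package-update log check described in the reply is still what distinguishes an incomplete update from a modification by someone else.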
