On Sat, 2008-02-23 at 13:25 +1000, Michael Mansour wrote:
> Hi,
> 
> I have the following two warnings from rkhunter 1.3.0 on two Scientific Linux
> 4.5 x86_64 servers (Red Hat Enterprise Linux 4 Update 5 derivatives):
> 
> [14:14:10] /usr/bin/chattr                                   [ Warning ]
> [14:14:10] Warning: Package manager verification has failed:
> [14:14:10]          File: /usr/bin/chattr
> [14:14:10]          The file hash value has changed
> [14:14:10]          The file size has changed
> [14:14:10]          The file modification time has changed
> 
> [14:14:20] /usr/bin/lsattr                                   [ Warning ]
> [14:14:20] Warning: Package manager verification has failed:
> [14:14:20]          File: /usr/bin/lsattr
> [14:14:20]          The file hash value has changed
> [14:14:20]          The file size has changed
> [14:14:20]          The file modification time has changed
> 
> and:
> 
> # rpm -qf /usr/bin/lsattr
> e2fsprogs-1.35-12.11.el4_6.1.i386
> e2fsprogs-1.35-12.11.el4.1.x86_64
> 
> [EMAIL PROTECTED] ~]# rpm -qf /usr/bin/chattr
> e2fsprogs-1.35-12.11.el4_6.1.i386
> e2fsprogs-1.35-12.11.el4.1.x86_64
> 
> (Note: I linked /usr/local/lib to /usr/local/lib64 to test whether rkhunter
> 1.3.0 works properly on this platform)
> 
> I've also set up PKGMGR=RPM.
> 
> When rkhunter reports "The file size has changed" etc., changed from what? The
> original distribution? The last time I ran --propupd?
> 
Because you are using the package manager it means that RPM verification
fails for those files. If you run 'rpm -Vf /usr/bin/chattr' it will show
that something has changed (same for lsattr). The file attributes do not
correspond to those of what should be the currently installed files -
i.e. the files have changed.


John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
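
To read what the `rpm -Vf` command suggested in the reply prints, the following added example (not part of the original thread, and not rkhunter's own code) decodes each `rpm -V` line into the attributes that failed verification. The function names and the sample lines are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Decode `rpm -V` output: one attribute letter per failed check, '.' = passed.
# Real use: rpm -Vf /usr/bin/chattr | explain_rpm_verify

explain_rpm_verify() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        path=${rest##* }    # last field; skips the optional c/d/g/l/r marker
        # A file absent from disk is reported as "missing <path>"
        if [ "$flags" = "missing" ]; then
            echo "$path: file is missing"
            continue
        fi
        reasons=""
        while [ -n "$flags" ]; do
            c=${flags%"${flags#?}"}    # first character of the flag string
            flags=${flags#?}
            case "$c" in
                S) r="size" ;;
                M) r="mode" ;;
                5) r="hash" ;;
                D) r="device number" ;;
                L) r="symlink target" ;;
                U) r="owner" ;;
                G) r="group" ;;
                T) r="modification time" ;;
                P) r="capabilities" ;;
                \?) r="unreadable attribute" ;;
                *) continue ;;    # '.' means that check passed
            esac
            reasons="${reasons:+$reasons, }$r"
        done
        echo "$path: ${reasons:-no differences}"
    done
}

# Constructed sample in the shape `rpm -V` prints (not output from the thread)
sample_verify_output() {
    printf '%s\n' \
        'S.5....T   /usr/bin/chattr' \
        '.......T c /etc/example.conf' \
        'missing    /usr/bin/lsattr'
}
```

A line of `S.5....T` corresponds to the three rkhunter messages quoted above: size, hash and modification time all differ from what the RPM database records.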
