Derek,
> Warning: The file properties have changed: File: /usr/bin/systemctl Current
> inode: 100883675 Stored inode: 101104379 Warning: The file properties have
> changed: File: /usr/lib/systemd/systemd Current inode: 35069854 Stored
> inode: 33716503
> There are two users on this server with a login: root and the maintenance
> account. And root cannot login over SSH. Every other account is a "nologin"
> system account.
> So the three questions I have are: 1. How can I tell if these rkhunter
> warnings are false-positives?
Check the logs of your package manager to see what was recently upgraded.
Some servers have auto-updates set to run for security packages. Whether
you apply updates manually or automatically, there should be a record of
what was changed on the system.
In this case, the 'systemd' package was recently updated, which caused
binaries like /usr/bin/systemctl to be updated, which rkhunter tracks.
> 2. How do I fix the actual problem, whether it is a genuine file
> corruption or a false-positive?
>
> 3. Are there troubleshooting steps I can follow to analyse the cause
> of this?
>
> I have applied all available yum updates to the system too, so maybe it's
> ahead of the rkhunter repositories?
In man rkhunter, you'll find the --propupd option, which is documented
thusly:
> One of the checks rkhunter performs is to compare various current file
> properties of various commands, against those it has previously stored.
> This command option causes rkhunter to update its data file of stored
> values with the current values.
You can run 'rkhunter --propupd' once you've confirmed that the new state of
the binaries is a valid state.
You could automate running the command, in which case you would be relying
on making sure you didn't miss reading one of the notification emails
about the binaries changing.
Mark
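
One way to script the check described in the reply above on a yum-based host, as an added example that is not part of the original thread: it pulls the flagged paths out of rkhunter's warnings, asks rpm which package owns each one, and looks for a matching install or update record in the yum log. The function names, the script name and the yum.log line format shown in the comments are assumptions; the sample log line is constructed.

```sh
#!/bin/sh
# Usage: sh triage.sh <rkhunter-log> <yum-log>   (script name is hypothetical)

# Print the unique file paths named in rkhunter property-change warnings.
flagged_files() {
    grep -o 'File: /[^ ]*' "$1" | cut -d' ' -f2 | sort -u
}

# Print yum.log lines that record an install or update of package $1 and
# return 0 if there is at least one. Assumed line format (constructed sample):
#   Mar 14 03:12:45 Updated: systemd-219-30.el7.x86_64
pkg_changes() {
    awk -v p="$1" '$4 ~ /^(Installed|Updated):$/ {
        n = $5; sub(/^[0-9]+:/, "", n)          # drop an epoch such as "1:"
        # name must be followed by "-<digit>" so "systemd" != "systemd-libs"
        if (index(n, p "-") == 1 && substr(n, length(p) + 2, 1) ~ /[0-9]/) {
            print; hit = 1
        }
    } END { exit !hit }' "$2"
}

# Name of the RPM package that owns file $1; non-zero status if unowned.
owner_of() {
    rpm -qf --qf '%{NAME}\n' "$1"
}

# Print "EXPLAINED <file> <pkg>" when the owning package has a logged change,
# otherwise "UNEXPLAINED <file>". Returns 1 if any file is unexplained, so a
# wrapper can refuse to run 'rkhunter --propupd'.
triage() {
    rc=0
    for f in $(flagged_files "$1"); do
        if pkg=$(owner_of "$f") && pkg_changes "$pkg" "$2" >/dev/null; then
            echo "EXPLAINED $f $pkg"
        else
            echo "UNEXPLAINED $f"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

A file reported as UNEXPLAINED has no package update on record to account for the change, so it should be investigated before the stored properties are refreshed.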