Hi,
of course I check logs.
For example, I often receive these kinds of warnings:
(example from Debian server)
Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 10d1463ca9952340f54f90dcf6df816d9b6e4296
Stored hash : d5b3b0dffdface2036d783b8770b385eb527e89f
Current inode: 393362 Stored inode: 393364
Current file modification time: 1496680638 (05-Jun-2017 18:37:18)
Stored file modification time : 1469627943 (27-Jul-2016 15:59:03)
(example from CentOS with WHM server)
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed
I know that this is OK, as I recently upgraded perl on several Debian OSes and
WHM auto-updates itself every night.
My question is: how do you manage those situations?
Do you disable specific tests, as they report similar warnings almost every day?
Do you bypass control over specific files (e.g. /bin/su, /usr/bin/newgrp)?
Thank you
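As an added example (not from this thread and not part of rkhunter itself), the POSIX shell script below pulls the flagged paths out of warnings formatted like the ones quoted above and checks each one against the package manager, so a change that is explained by a package upgrade can be separated from one that is not before anything is whitelisted or re-baselined. The sample log text is constructed from the warnings in the message; `dpkg -S`/`dpkg -V` and `rpm -qf`/`rpm -Vf` are the real package-manager commands; the default log path `/var/log/rkhunter.log` is an assumption.

```shell
#!/bin/sh
# Added example: triage rkhunter "file properties have changed" and
# "package manager verification has failed" warnings against dpkg/rpm.

# Constructed sample built from the warning format quoted in the thread.
SAMPLE_LOG='Warning: The file properties have changed:
File: /usr/bin/perl
Current hash: 10d1463ca9952340f54f90dcf6df816d9b6e4296
Stored hash : d5b3b0dffdface2036d783b8770b385eb527e89f
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed'

# Print each unique path named in a "File:" line that follows a "Warning:" line.
flagged_files() {
    printf '%s\n' "$1" | awk '/^Warning:/ { inwarn = 1; next }
                              inwarn && /^File: / { print $2; inwarn = 0 }' | sort -u
}

# Exit status: 0 = file still matches its package metadata,
#              1 = package manager reports a mismatch,
#              2 = no owning package, or no dpkg/rpm on this host.
pkg_verify_file() {
    f=$1
    if command -v dpkg >/dev/null 2>&1; then
        # "dpkg -S" prints "pkg: /path"; keep the package name only.
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1) || true
        [ -n "$pkg" ] || return 2
        # "dpkg -V" prints one line per mismatching file, ending in the path.
        if dpkg -V "$pkg" 2>/dev/null | grep -q " $f\$"; then return 1; fi
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || return 2
        if rpm -Vf "$f" 2>/dev/null | grep -q " $f\$"; then return 1; fi
        return 0
    fi
    return 2
}

# Map a pkg_verify_file exit status to a short verdict.
classify() {
    case $1 in
        0) echo "verified by package manager" ;;
        1) echo "differs from package metadata" ;;
        *) echo "not package-owned or no package manager" ;;
    esac
}

# Print one verdict per flagged file (paths are assumed to contain no spaces).
triage() {
    for f in $(flagged_files "$1"); do
        if pkg_verify_file "$f"; then rc=0; else rc=$?; fi
        printf '%-20s %s\n' "$f" "$(classify "$rc")"
    done
}

# Usage: ./rkh-triage.sh --triage [/var/log/rkhunter.log]
# Without a log path the constructed sample above is used.
if [ "${1-}" = "--triage" ]; then
    if [ -n "${2-}" ]; then triage "$(cat "$2")"; else triage "$SAMPLE_LOG"; fi
fi
```

A file that the package manager still verifies is the case the thread describes (the hash changed because the package did); once the upgrade is confirmed, `rkhunter --propupd` refreshes the stored properties so the next run compares against the new baseline. A file that dpkg or rpm reports as differing, or that no package owns, is the one worth looking at by hand. Keeping the file-properties test enabled and re-baselining after known upgrades preserves the signal that disabling the whole test would throw away.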
> On 6 June 2017 at 23:53, Dimitri Yioulos <dyiou...@netatlantic.com>
> wrote:
>
> I hope I'm not asking the obvious, but have you had a look at
> rkhunter.log? That will probably give you some very good insight into what
> you may want to do, configuration-wise, to stop the false positives.
>
> From: Sivabs via Rkhunter-users
> [mailto:rkhunter-users@lists.sourceforge.net]
> Sent: Tuesday, June 06, 2017 5:41 PM
> To: rkhunter-users@lists.sourceforge.net
> Subject: [Rkhunter-users] Configuration tips?
>
> Hi,
>
> I run RK on several servers (>50).
>
> After every update/upgrade, I receive lots of warnings, but since most OSes
> are identical in my environment, I can easily determine if there is a false
> positive or not.
>
> Anyway, every day it is a lot of work :)
>
> I'm wondering if someone wants to share some hints to minimize false
> positives, I mean: do you run every test? If not, which tests are disabled in
> your configuration?
>
> Thank you!
>
----------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!
http://sdm.link/slashdot
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users