It boils down to whatever you are most comfortable with. In my case I want to be notified of every change and resolve in my own mind whether this was due to a known update or if the change was from an unknown source. But in my case updates are infrequent so it's not that much of a burden to review the list. If you have files that are updated daily and you don't want to be notified about them, then whitelist them. That's what I do with executables that have been replaced by scripts, but I want to know about all the other changes.
-Al-

On Thu, Jun 08, 2017 at 03:50 AM, Sivabs via Rkhunter-users wrote:
> Hi,
>
> of course I check logs.
>
> For example, I often receive this kind of warning:
>
> (example from Debian server)
>
> Warning: The file properties have changed:
>          File: /usr/bin/perl
>          Current hash: 10d1463ca9952340f54f90dcf6df816d9b6e4296
>          Stored hash : d5b3b0dffdface2036d783b8770b385eb527e89f
>          Current inode: 393362    Stored inode: 393364
>          Current file modification time: 1496680638 (05-Jun-2017 18:37:18)
>          Stored file modification time : 1469627943 (27-Jul-2016 15:59:03)
>
> (example from CentOS with WHM server)
>
> ---------------------- Start Rootkit Hunter Scan ----------------------
> Warning: Package manager verification has failed:
>          File: /bin/su
>          The file permissions have changed
>          The file group has changed
> Warning: Package manager verification has failed:
>          File: /usr/bin/newgrp
>          The file permissions have changed
>
> I know that this is OK, as I recently upgraded perl on several Debian OS and
> WHM auto-updates itself every night.
>
> My question is: how do you manage those situations?
>
> Do you disable specific tests, as they report almost every day similar
> warnings?
>
> Do you bypass control over specific files (e.g. /bin/su, /usr/bin/newgrp)?
>
> Thank you
>
>> On 6 June 2017 at 23:53 Dimitri Yioulos <dyiou...@netatlantic.com> wrote:
>>
>> I hope I'm not asking the obvious, but have you had a look at rkhunter.log?
>> That will probably give you some very good insight into what you may want to
>> do, configuration-wise, to stop the false positives.
>>
>> From: Sivabs via Rkhunter-users [mailto:rkhunter-users@lists.sourceforge.net]
>> Sent: Tuesday, June 06, 2017 5:41 PM
>> To: rkhunter-users@lists.sourceforge.net
>> Subject: [Rkhunter-users] Configuration tips?
>>
>> Hi,
>>
>> I run RK on several servers (>50).
>>
>> After every update/upgrade, I receive lots of warnings, but since most OS
>> are identical in my environment, I can easily determine if there is a false
>> positive or not.
>>
>> Anyway, every day it is a lot of work :)
>>
>> I'm wondering if someone wants to share some hints to minimize false
>> positives, I mean: do you run every test? If not, what tests are disabled in
>> your configuration?
>>
>> Thank you!

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
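The workflow Al describes above (look at every changed file, decide whether a known update explains it, whitelist only the chronic script-replacement cases) can be scripted so that the per-file decision is delegated to the package manager's own verification before the rkhunter property database is refreshed with `rkhunter --propupd`. The POSIX shell below is an added example written for this page, not code from the thread or from the rkhunter project. The warning text it parses is a constructed sample modelled on the two quoted warnings; in practice you would feed it the output of `rkhunter --check --report-warnings-only --skip-keypress`. It assumes `dpkg -S`/`dpkg -V` on Debian-style hosts and `rpm -qf`/`rpm -Vf` on RPM-style hosts, and the function names (`changed_files`, `verify_with_pkgmgr`, `triage`) are this example's own. Note the two warning shapes in the thread correspond to two rkhunter modes: "The file properties have changed" with stored hashes is what you get with `PKGMGR=NONE` in rkhunter.conf, while "Package manager verification has failed" is what `PKGMGR=RPM` (or `DPKG`) produces; either way the check below asks the package manager directly.

```sh
#!/bin/sh
# Added example (not from the thread or the rkhunter project): decide per file
# whether an rkhunter property-change warning is explained by a package update,
# and only then suggest refreshing the baseline with 'rkhunter --propupd'.

# Constructed sample, modelled on the warnings quoted in the thread.
# Real input: rkhunter --check --report-warnings-only --skip-keypress
SAMPLE_WARNINGS="Warning: The file properties have changed:
         File: /usr/bin/perl
         Current hash: 10d1463ca9952340f54f90dcf6df816d9b6e4296
         Stored hash : d5b3b0dffdface2036d783b8770b385eb527e89f
Warning: Package manager verification has failed:
         File: /bin/su
         The file permissions have changed
         The file group has changed
Warning: Package manager verification has failed:
         File: /usr/bin/newgrp
         The file permissions have changed
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable"

# Paths named in "File:" lines of property-change / package-verification
# warnings, one per line, duplicates removed, in first-seen order.
changed_files() {
    printf '%s\n' "$1" | awk '/^[ \t]*File: / && !seen[$2]++ { print $2 }'
}

# Paths from "has been replaced by a script" warnings: the case the reply
# whitelists (SCRIPTWHITELIST in rkhunter.conf) instead of re-reviewing daily.
script_replaced() {
    printf '%s\n' "$1" |
        sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# rkhunter.conf line that silences the script-replacement warning for one path.
scriptwhitelist_line() {
    printf 'SCRIPTWHITELIST=%s\n' "$1"
}

# Ask the package manager whether the file still matches the package's record.
# Exit status: 0 = matches, 1 = differs (investigate, do not propupd),
# 2 = no package manager, or file not owned by any package (check by hand).
verify_with_pkgmgr() {
    path=$1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | grep -v '^diversion' | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || return 2
        # dpkg -V prints only files that fail verification, path last on the line
        dpkg -V "$pkg" 2>/dev/null | grep -q "[ ]$path\$" && return 1
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$path" >/dev/null 2>&1 || return 2
        rpm -Vf "$path" 2>/dev/null | grep -q "[ ]$path\$" && return 1
        return 0
    fi
    return 2
}

# One verdict per changed file (paths with spaces are not expected here).
# Returns 0 only if every file verified clean, the condition under which
# 'rkhunter --propupd' merely records an update rather than a compromise.
triage() {
    all_ok=0
    for f in $(changed_files "$1"); do
        rc=0
        verify_with_pkgmgr "$f" || rc=$?
        case $rc in
            0) echo "OK        $f (matches package record; change came from an update)" ;;
            1) echo "MISMATCH  $f (differs from package record; investigate before --propupd)"; all_ok=1 ;;
            *) echo "UNKNOWN   $f (no package record available; verify by hand)"; all_ok=1 ;;
        esac
    done
    for s in $(script_replaced "$1"); do
        echo "WHITELIST $s -> add to rkhunter.conf: $(scriptwhitelist_line "$s")"
    done
    return $all_ok
}

triage "$SAMPLE_WARNINGS" ||
    echo "Some files need manual review; do not run 'rkhunter --propupd' yet."
```

The order matters: verify first, then `--propupd`. Running `--propupd` unconditionally after every update (on Debian, `APT_AUTOGEN` in `/etc/default/rkhunter` does this automatically after apt runs) also baselines any replacement that happened to land in the same window, which is exactly the case the stored hashes exist to catch. Whitelisting with `SCRIPTWHITELIST` is appropriate for the script-replacement warnings Al mentions; for `/bin/su` and `/usr/bin/newgrp`, whose permissions and group are part of the security boundary, a package-manager mismatch is worth reading rather than suppressing.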