Hi, John. Thanks for the response. I am using prelink, so removing the cache file is a no-go. However, I edited /etc/sysconfig/prelink, as follows:

# Set this to no to disable prelinking altogether
# (if you change this from yes to no prelink -ua
# will be run next night to undo prelinking)
PRELINKING=yes   # <-- changed from no to yes

# Options to pass to prelink
# -m    Try to conserve virtual memory by allowing overlapping
#       assigned virtual memory slots for libraries which
#       never appear together in one binary
# -R    Randomize virtual memory slot assignments for libraries.
#       This makes it slightly harder for various buffer overflow
#       attacks, since library addresses will be different on each
#       host using -R.
PRELINK_OPTS=-mR

# How often should full prelink be run (in days)
# Normally, prelink will be run in quick mode, every
# $PRELINK_FULL_TIME_INTERVAL days it will be run
# in normal mode. Comment it out if it should be run
# in normal mode always.
#PRELINK_FULL_TIME_INTERVAL=14   <-- commented out

# How often should prelink run (in days) even if
# no packages have been upgraded via rpm.
# If $PRELINK_FULL_TIME_INTERVAL days have not elapsed
# yet since last normal mode prelinking, last
# quick mode prelinking happened less than
# $PRELINK_NONRPM_CHECK_INTERVAL days ago
# and no packages have been upgraded by rpm
# since last quick mode prelinking, prelink
# will not do anything.
# Change to
# PRELINK_NONRPM_CHECK_INTERVAL=0
# if you want to disable the rpm database timestamp
# check (especially if you don't use rpm/up2date/yum/apt-rpm
# exclusively to upgrade system libraries and/or binaries).
#PRELINK_NONRPM_CHECK_INTERVAL=7   <-- commented out

That seemed to fix the problem. Funny, though, that on CentOS 6 systems, only the first directive is set to yes, and those directives I commented out in the CentOS 7 systems are uncommented in the 6 systems. Might be something special I did to the 7 systems to make RKH act as it did. Or not.

Best,

Dimitri

-----Original Message-----
From: John Horne [mailto:john.ho...@plymouth.ac.uk]
Sent: Monday, October 02, 2017 6:11 PM
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] False positive due to prelink

On Mon, 2017-10-02 at 14:01 +0000, Dimitri Yioulos wrote:
> Thank you for the response. Yes, of course, I'm familiar with
> --propupd. However, I run rkhunter via a cron job every hour (0 * * * *
> /bin/rkhunter --cronjob --rwo --noappend-log). Having to run
> --propupd prior to it, or any time I do a check when no system changes
> have been made, doesn't make sense to me. I've gone through
> /etc/sysconfig/prelink, and changed some settings there, and will see
> if they make a difference. But, I don't recall having had to do that when I
> was running RKhunter version 1.4.2.
>
Check your /etc directory to see if you have anything left relating to prelink.
In particular a prelink.cache file. If you are not using prelink, then delete
the cache file.

John.

>
> -----Original Message-----
> From: ellanios82 [mailto:ellanio...@gmail.com]
> Sent: Monday, October 02, 2017 9:50 AM
> To: rkhunter-users@lists.sourceforge.net
> Subject: Re: [Rkhunter-users] False positive due to prelink
>
> On 02/10/17 16:17, Dimitri Yioulos wrote:
> >
> > [09:00:03]You may need to re-run rkhunter with the '--propupd' option.
> >
> > As I recall, I didn't get this error with version 1.4.2. Any idea
> > what I need to do to get this resolved?
> >
>
> as root , run :
>
>  # rkhunter --propupd
>
>  regards
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
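
Added example, not part of the original thread and not rkhunter or prelink code: a small check for the mismatch discussed above, comparing the PRELINKING setting in /etc/sysconfig/prelink with the presence of a prelink.cache file in /etc. The function names and state labels are made up for this sketch, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example: compare the PRELINKING setting with the presence of the cache.
# Function names and state labels are hypothetical, chosen for this sketch.

# Print the effective PRELINKING value: yes, no, or unset.
# Only uncommented assignments count; anything after the value is ignored.
prelinking_setting() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*PRELINKING="\{0,1\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case $val in
        yes|no) echo "$val" ;;
        *)      echo unset ;;
    esac
}

# Classify a host from its config file and cache file.
#   consistent-on   prelinking enabled and a cache exists
#   no-cache-yet    prelinking enabled but prelink has not written a cache
#   stale-cache     prelinking not enabled, yet a cache file is left behind
#   consistent-off  prelinking not enabled and no cache
prelink_state() {
    conf=${1:-/etc/sysconfig/prelink}
    cache=${2:-/etc/prelink.cache}
    setting=$(prelinking_setting "$conf")
    if [ "$setting" = yes ]; then
        if [ -e "$cache" ]; then echo consistent-on; else echo no-cache-yet; fi
    else
        if [ -e "$cache" ]; then echo stale-cache; else echo consistent-off; fi
    fi
}

# Constructed sample: prelinking disabled in the config, cache file left behind.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample sysconfig' 'PRELINKING=no' > "$demo/prelink"
: > "$demo/prelink.cache"
echo "sample host: $(prelink_state "$demo/prelink" "$demo/prelink.cache")"
rm -rf "$demo"
```

On a real host, calling `prelink_state` with no arguments uses the default paths; `stale-cache` is the situation John's advice about the leftover cache file addresses.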