Hi John,

I have systems with rkhunter 1.4.0, 1.4.2 and 1.4.6, as I use the rkhunter from the official Ubuntu repos. I have tested it on the latest Ubuntu 18.04 LTS, which has rkhunter 1.4.6, as shown below in the propupd segment. The --debug option gave no output, and the problem with the cron job is still there if I run it without the --debug option. Strange to me, though, the latest output did give slightly different warnings, as shown below.

Peter

...
DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd
...

# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 181 files, found 155

# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

# rkhunter --enable properties --debug

# rkhunter --cronjob --rwo
Warning: The file properties have changed:
         File: /etc/passwd
         Current hash: 62c4b7b0c08c72ece48f1bfcf4c5d17c84371b5cc7ea3d31bde0a8c781905068
         Stored hash : bbbc0647692a5a98a7aafd5c0a5910dbef4d41ee6f1e96c565a98c2ce5013dae
         Current inode: 1577114    Stored inode: 1577115
         Current size: 3044    Stored size: 3045
         Current file modification time: 1529487378 (20-Jun-2018 11:36:18)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)

# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

# rkhunter --cronjob --rwo --debug

# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

# rkhunter --cronjob --rwo --debug

# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

# rkhunter --cronjob --rwo
Warning: The file properties have changed:
         File: /etc/passwd
         Current inode: 1577114    Stored inode: 1577115
         Current file modification time: 1529488189 (20-Jun-2018 11:49:49)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)

-----Original Message-----
Sent: Wednesday, 20 June 2018 11:08
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

On Wed, 2018-06-20 at 04:47 +0000, Kielbasiewicz, Peter wrote:
> Sorry John,
> no change.
> Did YOU ever try it on your machine?
>
Yes. It worked fine. You are running rkhunter version 1.4.6?
Can you leave the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the config file and make a change to the /etc/passwd file. Then run 'rkhunter --enable properties --debug' and send me the output file found in /tmp please.

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
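
Added example (not part of the thread and not rkhunter code): a small parser for the two `--cronjob --rwo` warning blocks quoted above, separating a content change (hash or size differs) from a metadata-only change (inode or modification time only). The sample text uses the values from the thread with the line layout reconstructed; the function names and the "content" / "metadata-only" labels are assumptions made for this illustration.

```python
import re

# Constructed sample: the two warning blocks from the thread, one field per line.
SAMPLE = """\
Warning: The file properties have changed:
         File: /etc/passwd
         Current hash: 62c4b7b0c08c72ece48f1bfcf4c5d17c84371b5cc7ea3d31bde0a8c781905068
         Stored hash : bbbc0647692a5a98a7aafd5c0a5910dbef4d41ee6f1e96c565a98c2ce5013dae
         Current inode: 1577114    Stored inode: 1577115
         Current size: 3044    Stored size: 3045
         Current file modification time: 1529487378 (20-Jun-2018 11:36:18)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)
Warning: The file properties have changed:
         File: /etc/passwd
         Current inode: 1577114    Stored inode: 1577115
         Current file modification time: 1529488189 (20-Jun-2018 11:49:49)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)
"""

# Matches "Current <property>: <value>" and "Stored <property> : <value>",
# including two pairs that share one line.
FIELD = re.compile(r"\b(Current|Stored) ([a-z ]+?)\s*:\s*(\S+)")
CONTENT_PROPS = {"hash", "size"}  # properties that imply the bytes changed


def parse_warnings(text):
    """Return one dict per warning: {'file': path, 'changed': {prop: (current, stored)}}."""
    warnings = []
    for block in re.split(r"(?m)^Warning:", text)[1:]:
        path = re.search(r"File:\s*(\S+)", block)
        props = {}
        for kind, name, value in FIELD.findall(block):
            props.setdefault(name, {})[kind] = value
        changed = {name: (v.get("Current"), v.get("Stored"))
                   for name, v in props.items()
                   if v.get("Current") != v.get("Stored")}
        warnings.append({"file": path.group(1) if path else None, "changed": changed})
    return warnings


def classify(warning):
    """'content' if hash or size differ, otherwise 'metadata-only'."""
    return "content" if CONTENT_PROPS & set(warning["changed"]) else "metadata-only"


if __name__ == "__main__":
    for w in parse_warnings(SAMPLE):
        print(w["file"], classify(w), sorted(w["changed"]))
```

On the thread's output the first warning classifies as a content change and the second as metadata-only: only the inode and modification time are reported, so the hash and size matched the stored values on that run.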