Hi John,
I have systems with rkhunter 1.4.0, 1.4.2 and 1.4.6 as I use the rkhunter from 
the official Ubuntu repos.
I have tested it on a latest Ubuntu 18.04 LTS which has rkhunter 1.4.6 as shown 
below in the propupd segment.
The --debug option gave no output and the problem with the cron job is still 
there if I run it without the --debug option.
Strange to me though the latest output did give slightly different warnings as 
shown below.

Peter

...
DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd
...

# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 181 files, found 155
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --enable properties --debug
# rkhunter --cronjob --rwo
Warning: The file properties have changed:
         File: /etc/passwd
         Current hash: 
62c4b7b0c08c72ece48f1bfcf4c5d17c84371b5cc7ea3d31bde0a8c781905068
         Stored hash : 
bbbc0647692a5a98a7aafd5c0a5910dbef4d41ee6f1e96c565a98c2ce5013dae
         Current inode: 1577114    Stored inode: 1577115
         Current size: 3044    Stored size: 3045
         Current file modification time: 1529487378 (20-Jun-2018 11:36:18)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo --debug
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo --debug
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo
Warning: The file properties have changed:
         File: /etc/passwd
         Current inode: 1577114    Stored inode: 1577115
         Current file modification time: 1529488189 (20-Jun-2018 11:49:49)
         Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)



-----Original Message-----
Sent: Mittwoch, 20. Juni 2018 11:08
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Wed, 2018-06-20 at 04:47 +0000, Kielbasiewicz, Peter wrote:
> Sorry John,
> no change.
> Did YOU ever try it on your machine?
>
Yes. It worked fine.

You are running rkhunter version 1.4.6?

Can you leave the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the config file 
and make a change to the /etc/passwd file. Then run 'rkhunter --enable 
properties --debug' and send me the output file found in /tmp please.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services 
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK 
________________________________ 
[https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.plymouth.ac.uk%2Fimages%2Femail_footer.gif&data=02%7C01%7Cpeter.kielbasiewicz%40philips.com%7C225bc7cd8173401475e108d5d68d98d7%7C1a407a2d76754d178692b3ac285306e4%7C0%7C0%7C636650826012059350&sdata=upoV3eNOCSN1l%2BBkvzElOfj%2B9DF73ykw4u1oCsNEzH0%3D&reserved=0]<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.plymouth.ac.uk%2Fworldclass&data=02%7C01%7Cpeter.kielbasiewicz%40philips.com%7C225bc7cd8173401475e108d5d68d98d7%7C1a407a2d76754d178692b3ac285306e4%7C0%7C0%7C636650826012059350&sdata=BY4uRdWs92lUEoWyDuOnJ5gIqRNBTGBwc9ZI1Ag%2BQfw%3D&reserved=0>

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, Plymouth University accepts no responsibility for viruses and it is your 
responsibility to scan emails and their attachments. Plymouth University does 
not accept responsibility for any changes made after it was sent. Nothing in 
this email or its attachments constitutes an order for goods or services unless 
accompanied by an official order form.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech 
sites, Slashdot.org! 
https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsdm.link%2Fslashdot&data=02%7C01%7Cpeter.kielbasiewicz%40philips.com%7C225bc7cd8173401475e108d5d68d98d7%7C1a407a2d76754d178692b3ac285306e4%7C0%7C0%7C636650826012059350&sdata=4AE%2BAqdnTgfnIDbTbm91feEoimDan6o885mmVhEsyoo%3D&reserved=0
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Frkhunter-users&data=02%7C01%7Cpeter.kielbasiewicz%40philips.com%7C225bc7cd8173401475e108d5d68d98d7%7C1a407a2d76754d178692b3ac285306e4%7C0%7C0%7C636650826012059350&sdata=sTOIkeNRWkwa6RY%2BNKUc9hXMUYfrlFZMpuzsP0H6lnI%3D&reserved=0

________________________________
The information contained in this message may be confidential and legally 
protected under applicable law. The message is intended solely for the 
addressee(s). If you are not the intended recipient, you are hereby notified 
that any use, forwarding, dissemination, or reproduction of this message is 
strictly prohibited and may be unlawful. If you are not the intended recipient, 
please contact the sender by return e-mail and destroy all copies of the 
original message.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users

Reply via email to