Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On Monday 26 Jan 2015 22:53:53 Neil Bothwick wrote:
> On Mon, 26 Jan 2015 11:27:05 -0500, Alec Ten Harmsel wrote:
> > > # grep Warning /var/log/rkhunter.log
> > > [03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
> > > [03:10:45] /bin/egrep [ Warning ]
> > > [03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
> > > [03:10:45] /bin/fgrep [ Warning ]
> > > [03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
> > >
> > > Anyone know if this is due to something changing in Gentoo?
> >
> > Upstream changed egrep and fgrep from binaries to shell scripts.
>
> This happened a while ago on testing portage but the version with the
> change only hit stable at the weekend.
>
> You can tell rkhunter to ignore them.
>
> % grep grep /etc/rkhunter.conf.local
> SCRIPTWHITELIST=/bin/egrep
> SCRIPTWHITELIST=/bin/fgrep

I've also been getting the same warning for:

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable

Should I treat them the same?

-- 
Regards,
Mick
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On Sat, 31 Jan 2015 12:17:47 +, Mick wrote:
> > You can tell rkhunter to ignore them.
> >
> > % grep grep /etc/rkhunter.conf.local
> > SCRIPTWHITELIST=/bin/egrep
> > SCRIPTWHITELIST=/bin/fgrep
>
> I've also been getting the same warning for:
>
> Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
> Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script, ASCII text executable
>
> Should I treat them the same?

I do, here's my full list of whitelisted scripts

% grep SCRIPT /etc/rkhunter.conf.local
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep

Check that the files are as installed by portage, using something like
qcheck, before you whitelist anything.

-- 
Neil Bothwick

A wok is what you throw at a wabbit.
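The check recommended in the message above (confirm a flagged file is what the package manager installed before whitelisting it), sketched as an added example that is not part of any post in this thread and is not qcheck itself. It assumes package records in Portage's CONTENTS layout (`obj <path> <md5> <mtime>`); the function names, file tree, record and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: print SCRIPTWHITELIST lines only for flagged commands whose
# MD5 matches the package record. Assumes records in Portage's CONTENTS
# layout, "obj <path> <md5> <mtime>", and paths without spaces.

# flagged_paths LOG: commands rkhunter reported as replaced by a script
flagged_paths() {
    sed -n "s/.*Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p" "$1" | sort -u
}

# verified_whitelist LOG CONTENTS ROOT
# stdout: whitelist lines for verified files; stderr: files needing a look
verified_whitelist() {
    log=$1; contents=$2; root=$3
    flagged_paths "$log" | while IFS= read -r path; do
        want=$(awk -v p="$path" '$1 == "obj" && $2 == p { print $3 }' "$contents")
        if [ -z "$want" ]; then
            echo "UNOWNED  $path: no package record, not whitelisted" >&2
            continue
        fi
        have=$(md5sum "$root$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "SCRIPTWHITELIST=$path"
        else
            echo "MISMATCH $path: differs from the installed package" >&2
        fi
    done
}

# demo: constructed file tree, package record and log (not real system data)
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$tmp/bin/egrep"
    printf '#!/bin/sh\nexec grep -F "$@"\n' > "$tmp/bin/fgrep"
    printf '#!/bin/sh\necho local\n' > "$tmp/usr/bin/ldd"
    for f in /bin/egrep /bin/fgrep; do      # ldd gets no record on purpose
        echo "obj $f $(md5sum "$tmp$f" | cut -d' ' -f1) 1422271680"
    done > "$tmp/CONTENTS"
    echo '# changed after install' >> "$tmp/bin/fgrep"
    for f in /bin/egrep /bin/fgrep /usr/bin/ldd; do
        echo "[03:10:45] Warning: The command '$f' has been replaced by a script: $f: POSIX shell script, ASCII text executable"
    done > "$tmp/rkhunter.log"
    verified_whitelist "$tmp/rkhunter.log" "$tmp/CONTENTS" "$tmp"
    rm -rf "$tmp"
}

demo
```

A match only shows the file is what the local package database recorded; on a host that may already be compromised, compare against a known-good copy of the package instead.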
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On 1/26/2015 5:53 PM, Neil Bothwick n...@digimed.co.uk wrote:
> On Mon, 26 Jan 2015 11:27:05 -0500, Alec Ten Harmsel wrote:
> > > script: /bin/fgrep: POSIX shell script, ASCII text executable
> > >
> > > Anyone know if this is due to something changing in Gentoo?
> >
> > Upstream changed egrep and fgrep from binaries to shell scripts.
>
> This happened a while ago on testing portage but the version with the
> change only hit stable at the weekend.
>
> You can tell rkhunter to ignore them.
>
> % grep grep /etc/rkhunter.conf.local
> SCRIPTWHITELIST=/bin/egrep
> SCRIPTWHITELIST=/bin/fgrep

Perfect, thanks Alec/Neil, problem solved... :)
[gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
Hello all,

Been on rkhunter 1.4.2 for a while, no changes made to its config file, been running nightly for years without these warnings...

I recently did some Gentoo updates after almost 2 months of no updates (was out of town), and now, even after running --propupd, I continue to get these warnings:

# grep Warning /var/log/rkhunter.log
[03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
[03:10:45] /bin/egrep [ Warning ]
[03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
[03:10:45] /bin/fgrep [ Warning ]
[03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable

Anyone know if this is due to something changing in Gentoo?
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On Mon, Jan 26, 2015 at 6:21 PM, Tanstaafl tansta...@libertytrek.org wrote:
> Hello all,
>
> Been on rkhunter 1.4.2 for a while, no changes made to its config file, been running nightly for years without these warnings...
>
> I recently did some Gentoo updates after almost 2 months of no updates (was out of town), and now, even after running --propupd, I continue to get these warnings:
>
> # grep Warning /var/log/rkhunter.log
> [03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
> [03:10:45] /bin/egrep [ Warning ]
> [03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
> [03:10:45] /bin/fgrep [ Warning ]
> [03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
>
> Anyone know if this is due to something changing in Gentoo?

As stated in the previous response to your original thread, /bin/[ef]grep come with the grep package:

file `equery -q f grep|grep /bin/`
/bin/egrep: POSIX shell script, ASCII text executable
/bin/fgrep: POSIX shell script, ASCII text executable
/bin/grep: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.16, stripped

The shell scripts in question call the grep binary with the flags shown below:

grep exec /bin/[ef]grep
/bin/egrep:exec $grep -E $@
/bin/fgrep:exec $grep -F $@
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On Mon, Jan 26, 2015 at 11:21 AM, Tanstaafl tansta...@libertytrek.org wrote:
> Hello all,
>
> Been on rkhunter 1.4.2 for a while, no changes made to its config file, been running nightly for years without these warnings...
>
> I recently did some Gentoo updates after almost 2 months of no updates (was out of town), and now, even after running --propupd, I continue to get these warnings:
>
> # grep Warning /var/log/rkhunter.log
> [03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
> [03:10:45] /bin/egrep [ Warning ]
> [03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
> [03:10:45] /bin/fgrep [ Warning ]
> [03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
>
> Anyone know if this is due to something changing in Gentoo?

Well, for the 'not updated recently enough' baseline:

~ $ eix grep -I
[I] sys-apps/grep
     Available versions:  2.16 ~2.20 ~2.20-r1 ~2.21 {nls pcre static}
     Installed versions:  2.16(20:37:55 04/11/14)(nls pcre -static)
     Homepage:            http://www.gnu.org/software/grep/
     Description:         GNU regular expression matcher

~ $ file /bin/*grep
/bin/egrep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped
/bin/fgrep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped
/bin/grep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped

~ $ ls -l /bin/*grep
-rwxr-xr-x 1 root root 208096 Apr 11 2014 /bin/egrep
-rwxr-xr-x 1 root root 105472 Apr 11 2014 /bin/fgrep
-rwxr-xr-x 1 root root 212256 Apr 11 2014 /bin/grep

-

And after a quick update:

~ $ eix grep -I
[I] sys-apps/grep
     Available versions:  2.16 ~2.20 ~2.20-r1 ~2.21 2.21-r1 {nls pcre static}
     Installed versions:  2.21-r1(11:28:57 01/26/15)(nls pcre -static)
     Homepage:            http://www.gnu.org/software/grep/
     Description:         GNU regular expression matcher

~ $ file /bin/*grep
/bin/egrep: POSIX shell script, ASCII text executable
/bin/fgrep: POSIX shell script, ASCII text executable
/bin/grep: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, stripped

~ $ ls -l /bin/*grep
-rwxr-xr-x 1 root root    158 Jan 26 11:28 /bin/egrep
-rwxr-xr-x 1 root root    158 Jan 26 11:28 /bin/fgrep
-rwxr-xr-x 1 root root 154856 Jan 26 11:28 /bin/grep

-- 
Poison [BLX]
Joshua M. Murphy
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On 01/26/2015 11:21 AM, Tanstaafl wrote:
> Hello all,
>
> Been on rkhunter 1.4.2 for a while, no changes made to its config file, been running nightly for years without these warnings...
>
> I recently did some Gentoo updates after almost 2 months of no updates (was out of town), and now, even after running --propupd, I continue to get these warnings:
>
> # grep Warning /var/log/rkhunter.log
> [03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
> [03:10:45] /bin/egrep [ Warning ]
> [03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
> [03:10:45] /bin/fgrep [ Warning ]
> [03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
>
> Anyone know if this is due to something changing in Gentoo?

Upstream changed egrep and fgrep from binaries to shell scripts.

Alec
Re: [gentoo-user] Rkhunter now showing Warnings for two files: /bin/egrep fgrep
On Mon, 26 Jan 2015 11:27:05 -0500, Alec Ten Harmsel wrote:
> > # grep Warning /var/log/rkhunter.log
> > [03:10:32] Info: Emailing warnings to 'root' using command '/bin/mail -s [rkhunter] Warnings found for ${HOST_NAME}'
> > [03:10:45] /bin/egrep [ Warning ]
> > [03:10:45] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
> > [03:10:45] /bin/fgrep [ Warning ]
> > [03:10:45] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
> >
> > Anyone know if this is due to something changing in Gentoo?
>
> Upstream changed egrep and fgrep from binaries to shell scripts.

This happened a while ago on testing portage but the version with the
change only hit stable at the weekend.

You can tell rkhunter to ignore them.

% grep grep /etc/rkhunter.conf.local
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep

-- 
Neil Bothwick

I work with User-Surly Software.