rkhunter problem with couple of files

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
stormsurfer
Forum User
Posts: 10
Joined: Wed Nov 27, 2013 6:35 am
Location: israel

rkhunter problem with couple of files

Unread post by stormsurfer »

cPanel changes the original permissions of /bin/su and /usr/bin/newgrp, so we get the following warnings from rkhunter:
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed

I found this thread: https://www.atomicorp.com/forums/viewto ... ter#p39048
where there's a reference to the faq at: https://www.atomicorp.com/wiki/index.ph ... ve_changed

However there's no longer such question/answer in the faq.

Edit: I also ran rkhunter --propupd with no success.


Please advise.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: rkhunter problem with couple of files

Unread post by mikeshinn »

stormsurfer
Forum User
Posts: 10
Joined: Wed Nov 27, 2013 6:35 am
Location: israel

Re: rkhunter problem with couple of files

Unread post by stormsurfer »

Those are legitimate changes that were made to the files' permissions.

The link doesn't explain (or I didn't see) how to disable this warning or how to insert the new permissions into the rkhunter DB. As I said, rkhunter --propupd doesn't work.

In the ASL integrity check only /bin/su appears, because I removed its SUID bit. /usr/bin/newgrp doesn't appear.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: rkhunter problem with couple of files

Unread post by mikeshinn »

rkhunter has no way to know if a change is legitimate, so if a file changes, you have to determine if it was legitimate and update rkhunter. To regenerate rkhunter's database, the only supported option rkhunter provides is to use propupd.

rkhunter --propupd

We recommend you use ASL's file integrity monitoring system for this function. rkhunter's capabilities in this area are very limited, and rkhunter is provided only for legacy purposes. It is not needed with ASL, and will be removed in a future version as it is redundant.

But maybe I'm misunderstanding your issue, after you run:

rkhunter --propupd

Are you saying that rkhunter still reports that the files have changed?
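The warning quoted in the first post, "Package manager verification has failed", is produced by rkhunter's package-manager check (PKGMGR=RPM in rkhunter.conf), which asks rpm to verify the file against the RPM database. rkhunter --propupd rewrites rkhunter's own properties file, not the RPM database, which is why the warning survives it. As an added example that is not code from the thread or from Atomicorp or rkhunter, the shell below decodes rpm -V result lines into the same attribute names rkhunter prints, so a reader can see which flag each "has changed" line corresponds to. The input lines are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Atomicorp/rkhunter.
# Decodes "rpm -V" result lines into the attribute names rkhunter uses in its
# "Package manager verification has failed" warnings. All input below is
# constructed sample text, not output captured from a real host.

# Meaning of each position in the 9-character rpm -V flag field.
describe_flag() {
    case "$1" in
        S) printf 'size' ;;
        M) printf 'permissions' ;;     # mode bits, e.g. a removed SUID bit
        5) printf 'digest' ;;          # file content no longer matches the package
        D) printf 'device' ;;
        L) printf 'symlink target' ;;
        U) printf 'owner' ;;
        G) printf 'group' ;;
        T) printf 'mtime' ;;
        P) printf 'capabilities' ;;
        *) return 1 ;;                 # "." (unchanged) and "?" (not testable)
    esac
}

# explain_rpm_v_line 'FLAGS [attr] PATH'
# Prints "PATH: permissions, group" (one name per set flag), "PATH: ok" when
# nothing changed, or "PATH: missing" for files rpm cannot find.
# Assumes paths without spaces, which holds for the files in the thread.
explain_rpm_v_line() {
    line=$1
    flags=${line%% *}          # first field, e.g. ".M....G.."
    path=${line##* }           # last field, the file path
    if [ "$flags" = "missing" ]; then
        printf '%s: missing\n' "$path"
        return 0
    fi
    out=""
    rest=$flags
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}     # first remaining character
        rest=${rest#?}
        if d=$(describe_flag "$ch"); then
            out="${out:+$out, }$d"
        fi
    done
    printf '%s: %s\n' "$path" "${out:-ok}"
}

# Constructed sample resembling what "rpm -Vf /bin/su /usr/bin/newgrp" prints
# after the permission and group changes described in the first post.
SAMPLE='.M....G..    /bin/su
.M.......    /usr/bin/newgrp'

# Decode the whole sample, one file per output line.
decode_sample() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
        if [ -n "$l" ]; then
            explain_rpm_v_line "$l"
        fi
    done
}

decode_sample
```

On a live host the input would come from rpm -Vf on the two files. Because that verification reads the RPM database, the two ways to make it stop failing are to restore the packaged properties (rpm's --setperms and --setugids aliases, run against the owning package reported by rpm -qf), or to exclude the files from package-manager verification in rkhunter.conf with PKGMGR_NO_VRFY; which of those is right depends on whether, as here, the permission change was deliberate.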
stormsurfer
Forum User
Posts: 10
Joined: Wed Nov 27, 2013 6:35 am
Location: israel

Re: rkhunter problem with couple of files

Unread post by stormsurfer »

Yes. After running

rkhunter --propupd

we still see the warning about the files.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: rkhunter problem with couple of files

Unread post by mikeshinn »

So either that means the file changed again somehow, or rkhunter sucks. If ASL says the file changed, then it did change; if ASL says it didn't, then it didn't. As for rkhunter, well, this is why I recommend you don't use rkhunter for this purpose. It's only included with ASL as a legacy feature; it doesn't do anything that ASL doesn't already do, so if it's annoying to you just remove it. You don't need it with ASL.
stormsurfer
Forum User
Posts: 10
Joined: Wed Nov 27, 2013 6:35 am
Location: israel

Re: rkhunter problem with couple of files

Unread post by stormsurfer »

# rpm -e rkhunter
error: Failed dependencies:
rkhunter >= 1.4.0-8 is needed by (installed) asl-1:3.2.14-31.el6.art.x86_64

so should I just remove it from cron.daily?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: rkhunter problem with couple of files

Unread post by mikeshinn »

Sure, you can remove it from cron; you could also use --nodeps to force it to be removed.