cPanel changes the original permissions of /bin/su and /usr/bin/newgrp, so we get the following warnings from rkhunter:
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed
I found this thread: https://www.atomicorp.com/forums/viewto ... ter#p39048
where there's a reference to the faq at: https://www.atomicorp.com/wiki/index.ph ... ve_changed
However there's no longer such question/answer in the faq.
edit: I also ran rkhunter --propupd with no success.
Please advise.
rkhunter problem with couple of files
-
- Forum User
- Posts: 10
- Joined: Wed Nov 27, 2013 6:35 am
- Location: israel
-
- Forum User
- Posts: 10
- Joined: Wed Nov 27, 2013 6:35 am
- Location: israel
Re: rkhunter problem with couple of files
Those are legitimate changes that were made to the file permissions.
The link doesn't explain (or I didn't see) how to disable this warning or how to insert the new permissions into the rkhunter db. As I said, rkhunter --propupd doesn't work.
In the ASL integrity check only /bin/su appears because I removed its suid bit. /usr/bin/newgrp doesn't appear.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: rkhunter problem with couple of files
rkhunter has no way to know if a change is legitimate, so if a file changes, you have to determine if it was legitimate and update rkhunter. To regenerate rkhunter's database, the only supported option rkhunter provides is to use propupd.
rkhunter --propupd
We recommend you use ASL's file integrity monitoring system for this function. rkhunter's capabilities in this area are very limited, and rkhunter is provided only for legacy purposes. It is not needed with ASL, and will be removed in a future version as it is redundant.
But maybe I'm misunderstanding your issue, after you run:
rkhunter --propupd
Are you saying that rkhunter still reports that the files have changed?
Michael Shinn
Atomicorp - Security For Everyone
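The "determine if it was legitimate" step described in the post above, as an added example that is not part of the thread and is not rkhunter or ASL code: it parses the warning text from the first post and compares each flagged file's current mode and group against a record of reviewed changes. The `approved` record and its format are hypothetical, and the sample text is constructed from the warnings quoted in the thread.

```python
import os
import stat

# Constructed sample: the warning text quoted in the first post of this thread.
SAMPLE = """\
Warning: Package manager verification has failed:
File: /bin/su
The file permissions have changed
The file group has changed
Warning: Package manager verification has failed:
File: /usr/bin/newgrp
The file permissions have changed
"""

def parse_warnings(text):
    """Map each flagged path to the list of changes rkhunter reported for it."""
    findings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Warning:"):
            current = None                      # a new warning block begins
        elif line.startswith("File:"):
            current = line.split(":", 1)[1].strip()
            findings.setdefault(current, [])
        elif current and line:
            findings[current].append(line)      # a change reported for this file
    return findings

def triage(findings, approved):
    """Split flagged paths into (expected, needs_review).

    approved is a hypothetical admin-maintained record {path: (mode, gid)},
    e.g. {"/bin/su": (0o755, 0)}, written down after a change was reviewed.
    """
    expected, needs_review = [], []
    for path in sorted(findings):
        try:
            st = os.stat(path)
        except OSError:
            needs_review.append(path)           # missing or unreadable: inspect it
            continue
        current = (stat.S_IMODE(st.st_mode), st.st_gid)
        (expected if approved.get(path) == current else needs_review).append(path)
    return expected, needs_review

if __name__ == "__main__":
    for path, changes in parse_warnings(SAMPLE).items():
        print(path, "->", "; ".join(changes))
```

A flagged file counts as expected only while its on-disk mode (including suid/sgid bits) and group still match the reviewed record, so a later change to the same file is reported again.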
-
- Forum User
- Posts: 10
- Joined: Wed Nov 27, 2013 6:35 am
- Location: israel
Re: rkhunter problem with couple of files
Yes. After running
rkhunter --propupd
we still see the warning about the files.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: rkhunter problem with couple of files
So either that means the file changed again somehow, or rkhunter sucks. If ASL says the file changed, then it did change; if ASL says it didn't, then it didn't. As for rkhunter, well, this is why I recommend you don't use rkhunter for this purpose. It's only included with ASL as a legacy feature; it doesn't do anything ASL already does, so if it's annoying to you, just remove it. You don't need it with ASL.
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 10
- Joined: Wed Nov 27, 2013 6:35 am
- Location: israel
Re: rkhunter problem with couple of files
# rpm -e rkhunter
error: Failed dependencies:
rkhunter >= 1.4.0-8 is needed by (installed) asl-1:3.2.14-31.el6.art.x86_64
So should I just remove it from cron.daily?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: rkhunter problem with couple of files
Sure, you can remove it from cron; you could also use --nodeps to force it to be removed.
Michael Shinn
Atomicorp - Security For Everyone