Debian User Forums

[rhelie]

Good morning every one,

Since upgrading to Buster, I have been having issues with RKHunter that keeps thinking that my server is compromised. I have tried searching for a solution, changing the configuration all to no avail.

My server runs automated updates and often I will get entries similar to :

[00:01:08] /lib/systemd/systemd [ Warning ]
[00:01:08] Warning: The file properties have changed:
[00:01:08] File: /lib/systemd/systemd
[00:01:08] Current hash: aed423ca3157d8521d4fc30d87c06e05547eb662cbcd1489f54bc849dc92b288
[00:01:08] Stored hash : 6b5fca662bbaebb11e8bd6567aee58c2079257fc79046b27613177bf5bcdb44b
[00:01:08] Current inode: 426186 Stored inode: 400809
[00:01:08] Current file modification time: 1571232294 (16-Oct-2019 09:24:54)
[00:01:08] Stored file modification time : 1566301842 (20-Aug-2019 07:50:42)

I never had any of those in Stretch.

Any help would be appreciated.

Thanks


Robert

[pylkko]

What is the problem? You don't like to see that in the logs? Maybe you could just whitelist /lib/systemd/systemd?

If this is not satisfactory, then you really need to describe what your problem is and what exact changes you made to the configuration. You say that the solution you find don't work, but there are no solutions listed in your post???

[rhelie]

Hello Pylkko

Thanks for the reply. I have added some exclusions but the issue with rkhunter seems to be that it does not recognize the updates properly.

The setting I tried changing is this one, I remove the comment and tried but as I got the same results, I reverted back to the original default setting.

# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
#PKGMGR=DPKG

Just to start fresh, I ran the following:
rkhunter --propupd
rkhunter -c

As of just now, my rkhunter log is clean, no warning.

I have done the same before and the warnings eventually come back. What I sent was just an example, it flags many files, not some specific ones.

Thanks


Robert

[reinob]

Since upgrading to Buster, I have been having issues with RKHunter that keeps thinking that my server is compromised. I have tried searching for a solution, changing the configuration all to no avail.

Check in /etc/apt/apt.conf.d/
There should be a "90rkhunter" or similar there.

If not, you've somehow broken your installation.
If yes, you should then have a look in /etc/default/rkhunter, and look for the APT_AUTOGEN option.
The default is FALSE -- for good reason.

You may change that to

Code: Select all

APT_AUTOGEN="yes"


which means that the database will be automatically updated when packages are installed or removed.

Note that there's a good reason why it works the way it works, and why flipping that option to YES is something the administrator has to conciously consider and decide.

[rhelie]

Thanks for the reply reinob

CVurrently, the file has the following:

// Makes sure that rkhunter file properties database is updated after each remove or install only APT_AUTOGEN is enabled
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };

The option seems to be active.

For now rkhunter is still reporting all fine. We will see after the week-end.

Robert