Good morning everyone,
Since upgrading to Buster, I have been having issues with RKHunter, which keeps thinking that my server is compromised. I have tried searching for a solution and changing the configuration, all to no avail.
My server runs automated updates and often I will get entries similar to:
[00:01:08] /lib/systemd/systemd [ Warning ]
[00:01:08] Warning: The file properties have changed:
[00:01:08] File: /lib/systemd/systemd
[00:01:08] Current hash: aed423ca3157d8521d4fc30d87c06e05547eb662cbcd1489f54bc849dc92b288
[00:01:08] Stored hash : 6b5fca662bbaebb11e8bd6567aee58c2079257fc79046b27613177bf5bcdb44b
[00:01:08] Current inode: 426186 Stored inode: 400809
[00:01:08] Current file modification time: 1571232294 (16-Oct-2019 09:24:54)
[00:01:08] Stored file modification time : 1566301842 (20-Aug-2019 07:50:42)
I never had any of those in Stretch.
Any help would be appreciated.
Thanks
Robert
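Before whitelisting a file or rebuilding the properties database, it is worth checking whether each warning coincides with a package install or upgrade. The script below is an added example, not code from the post or from the rkhunter project: it parses the warning lines quoted above (plus one constructed warning for /bin/ls with placeholder hashes), reads a constructed /var/log/dpkg.log excerpt (the line format is dpkg's, the versions and the timestamp are placeholders), and uses a constructed FILE_OWNER map as a stand-in for `dpkg -S` to decide whether a later install/upgrade of the owning package explains the change.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the rkhunter warning lines quoted in the post, plus a
# second, made-up warning (/bin/ls, placeholder hashes) to show an unexplained case.
RKHUNTER_LOG = """\
[00:01:08] /lib/systemd/systemd [ Warning ]
[00:01:08] Warning: The file properties have changed:
[00:01:08] File: /lib/systemd/systemd
[00:01:08] Current hash: aed423ca3157d8521d4fc30d87c06e05547eb662cbcd1489f54bc849dc92b288
[00:01:08] Stored hash : 6b5fca662bbaebb11e8bd6567aee58c2079257fc79046b27613177bf5bcdb44b
[00:01:08] Current inode: 426186 Stored inode: 400809
[00:01:08] Current file modification time: 1571232294 (16-Oct-2019 09:24:54)
[00:01:08] Stored file modification time : 1566301842 (20-Aug-2019 07:50:42)
[00:01:09] /bin/ls [ Warning ]
[00:01:09] Warning: The file properties have changed:
[00:01:09] File: /bin/ls
[00:01:09] Current hash: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
[00:01:09] Stored hash : 0000000000000000000000000000000000000000000000000000000000000000
[00:01:09] Current inode: 100001 Stored inode: 100000
[00:01:09] Current file modification time: 1571284800 (17-Oct-2019 00:00:00)
[00:01:09] Stored file modification time : 1566301842 (20-Aug-2019 07:50:42)
"""

# Constructed /var/log/dpkg.log excerpt: real line format, placeholder versions and time
# (an unattended upgrade shortly before the daily rkhunter run).
DPKG_LOG = """\
2019-10-17 00:00:31 upgrade systemd:amd64 OLD-VERSION NEW-VERSION
2019-10-17 00:00:31 status half-configured systemd:amd64 OLD-VERSION
2019-10-17 00:00:40 status installed systemd:amd64 NEW-VERSION
"""

# Constructed stand-in for `dpkg -S <path>` so the example runs offline (assumption).
FILE_OWNER = {"/lib/systemd/systemd": "systemd", "/bin/ls": "coreutils"}

MTIME_FMT = "%d-%b-%Y %H:%M:%S"   # the human-readable time rkhunter prints in parentheses


def parse_rkhunter_warnings(text):
    """Group the per-file 'file properties have changed' lines into records."""
    records, current = [], None
    for line in text.splitlines():
        body = re.sub(r"^\[\d\d:\d\d:\d\d\]\s*", "", line)  # drop the [HH:MM:SS] prefix
        m = re.match(r"File:\s*(\S+)", body)
        if m:
            current = {"file": m.group(1)}
            records.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"(Current|Stored) hash\s*:\s*(\S+)", body)
        if m:
            current[m.group(1).lower() + "_hash"] = m.group(2)
            continue
        m = re.match(r"Current inode:\s*(\d+)\s+Stored inode:\s*(\d+)", body)
        if m:
            current["current_inode"], current["stored_inode"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"(Current|Stored) file modification time\s*:\s*(\d+)\s*\(([^)]*)\)", body)
        if m:
            key = m.group(1).lower() + "_mtime"
            current[key + "_epoch"] = int(m.group(2))
            # Both rkhunter and dpkg.log print local time, so naive datetimes compare directly.
            current[key] = datetime.strptime(m.group(3), MTIME_FMT)
    return records


def parse_dpkg_events(text):
    """Return (timestamp, package) for every install/upgrade line in a dpkg.log."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ("install", "upgrade"):
            when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            events.append((when, parts[3].split(":")[0]))  # strip the :arch suffix
    return events


def triage(warnings, events, owner_map, skew=timedelta(minutes=5)):
    """Classify each warning as explained (owning package installed/upgraded after the
    file's current mtime), suspicious (mtime moved backwards) or unexplained."""
    verdicts = {}
    for w in warnings:
        path, pkg = w["file"], owner_map.get(w["file"])
        if pkg is None:
            verdicts[path] = ("unexplained", "no package owns this file")
        elif w["current_mtime"] < w["stored_mtime"]:
            verdicts[path] = ("suspicious", "modification time moved backwards")
        else:
            # dpkg keeps the mtime stored in the .deb (the build time), so a legitimate
            # replacement shows an install/upgrade at or after the file's current mtime.
            hits = [t for t, p in events if p == pkg and t >= w["current_mtime"] - skew]
            if hits:
                verdicts[path] = ("explained", f"{pkg} installed/upgraded at {min(hits):%Y-%m-%d %H:%M:%S}")
            else:
                verdicts[path] = ("unexplained", f"no install/upgrade of {pkg} after the file's current mtime")
    return verdicts


if __name__ == "__main__":
    results = triage(parse_rkhunter_warnings(RKHUNTER_LOG), parse_dpkg_events(DPKG_LOG), FILE_OWNER)
    for path, (status, why) in results.items():
        print(f"{status:11} {path}: {why}")
```

On a real host you would feed it /var/log/rkhunter.log and /var/log/dpkg.log and replace FILE_OWNER with a `dpkg -S` lookup; anything that comes back unexplained or suspicious deserves a look before `rkhunter --propupd` overwrites the stored properties.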
rkhunter false reporting
Re: rkhunter false reporting
What is the problem? You don't like to see that in the logs? Maybe you could just whitelist /lib/systemd/systemd?
If this is not satisfactory, then you really need to describe what your problem is and what exact changes you made to the configuration. You say that the solutions you found don't work, but there are no solutions listed in your post???
Re: rkhunter false reporting
Hello Pylkko
Thanks for the reply. I have added some exclusions but the issue with rkhunter seems to be that it does not recognize the updates properly.
The setting I tried changing is this one: I removed the comment and tried it, but as I got the same results, I reverted to the original default setting.
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
#PKGMGR=DPKG
Just to start fresh, I ran the following:
rkhunter --propupd
rkhunter -c
As of just now, my rkhunter log is clean, no warning.
I have done the same before and the warnings eventually come back. What I sent was just an example, it flags many files, not some specific ones.
Thanks
Robert
Re: rkhunter false reporting
rhelie wrote:
Since upgrading to Buster, I have been having issues with RKHunter that keeps thinking that my server is compromised. I have tried searching for a solution, changing the configuration all to no avail.
Check in /etc/apt/apt.conf.d/
There should be a "90rkhunter" or similar there.
If not, you've somehow broken your installation.
If yes, you should then have a look in /etc/default/rkhunter, and look for the APT_AUTOGEN option.
The default is FALSE -- for good reason.
You may change that to
APT_AUTOGEN="yes"
Note that there's a good reason why it works the way it works, and why flipping that option to YES is something the administrator has to consciously consider and decide.
Re: rkhunter false reporting
Thanks for the reply reinob
Currently, the file has the following:
// Makes sure that rkhunter file properties database is updated after each remove or install only APT_AUTOGEN is enabled
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };
The option seems to be active.
For now rkhunter is still reporting all fine. We will see after the weekend.
Robert
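reinob's two checks (is the apt.conf.d hook there, and is APT_AUTOGEN set so that it actually fires) can be scripted against the hook line Robert posted. The following is an added example, not code from the thread or from the rkhunter package: it evaluates /etc/default/rkhunter with the same pattern the hook's `grep -qiE '^APT_AUTOGEN=.?(true|yes)'` uses, looks for a Post-Invoke hook that runs rkhupd.sh, and exercises both on a throwaway directory it builds itself (the file contents written there are constructed; the hook line is the one from the post).

```python
import os
import re
import tempfile

# The hook line exactly as posted above, reused here as sample apt.conf.d content.
HOOK_LINE = ('DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '
             "'^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; "
             'then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };')

# Same pattern the hook's grep uses: -i -> IGNORECASE, '^' anchored per line -> MULTILINE.
AUTOGEN_RE = re.compile(r"^APT_AUTOGEN=.?(true|yes)", re.IGNORECASE | re.MULTILINE)


def hook_installed(apt_conf_dir):
    """Return the name of the apt.conf.d file that runs rkhupd.sh after dpkg, or None."""
    for name in sorted(os.listdir(apt_conf_dir)):
        with open(os.path.join(apt_conf_dir, name)) as fh:
            text = fh.read()
        if "DPkg::Post-Invoke" in text and "rkhupd.sh" in text:
            return name
    return None


def apt_autogen_enabled(default_file):
    """Decide whether the hook would run rkhupd.sh, using the hook's own regex."""
    with open(default_file) as fh:
        return AUTOGEN_RE.search(fh.read()) is not None


def check_propupd_chain(apt_conf_dir, default_file):
    """Return (hook_present, autogen_enabled, findings) for an admin to read."""
    findings = []
    hook = hook_installed(apt_conf_dir)
    enabled = apt_autogen_enabled(default_file)
    if hook is None:
        findings.append("no apt.conf.d file runs rkhupd.sh after dpkg: the rkhunter hook is missing")
    else:
        findings.append(f"hook present: {hook}")
    if enabled:
        findings.append("APT_AUTOGEN enabled: the properties database is refreshed after every apt run")
    else:
        findings.append("APT_AUTOGEN disabled (the default): upgraded files will be reported as "
                        "changed until 'rkhunter --propupd' is run")
    return hook is not None, enabled, findings


def demo(autogen_value, install_hook=True):
    """Build a throwaway apt.conf.d and default file (constructed contents) and check them."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "apt.conf.d")
        os.mkdir(conf_dir)
        if install_hook:
            with open(os.path.join(conf_dir, "90rkhunter"), "w") as fh:
                fh.write("// rkhunter hook (sample content)\n" + HOOK_LINE + "\n")
        default = os.path.join(tmp, "rkhunter")
        with open(default, "w") as fh:
            # A commented-out line must not count; only a line starting with APT_AUTOGEN= does.
            fh.write('# constructed /etc/default/rkhunter excerpt\n'
                     '#APT_AUTOGEN="yes"\n'
                     'APT_AUTOGEN=' + autogen_value + '\n')
        return check_propupd_chain(conf_dir, default)


if __name__ == "__main__":
    for value in ('"false"', '"yes"', 'YES', "'true'"):
        hook_ok, enabled, findings = demo(value)
        print(f"APT_AUTOGEN={value}: hook={hook_ok} enabled={enabled}")
        for line in findings:
            print("  -", line)
```

Because the hook's grep is case-insensitive and allows one optional character before the value, `APT_AUTOGEN="yes"`, `APT_AUTOGEN=YES` and `APT_AUTOGEN='true'` all enable it, while the commented `#APT_AUTOGEN="yes"` line and the default `"false"` do not.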