On Tue, 2013-04-02 at 17:27 +0100, Nick Warr wrote:
> I run 20+ servers with CentOS 5.9 and 6.3 and I have a small problem
> with the way rootkithunter decides whether to report /etc/passwd
> and /etc/group changes. Last week I ran some updates to the system
> which added some users. I religiously run rkhunter --propupd after
> installing, but invariably I will get a warning email
> about /etc/passwd and or /etc/group having changed. While I understand
> that it is an important change on a system, having run the property
> update should indicate that the system is in a known state, and I
> don’t need to get warnings. I can run the propupd command two or three
> times, but it will always send me a warning email, afterwards, it will
> stay quiet. I just don’t need 20+ emails every time I make a change to
> my servers.

The 'propupd' option is for use with the file properties test
('properties'). The passwd/group file checks are part of a different
test ('local_host'). So it is true that running '--propupd' will have no
effect on the passwd/group checks. When differences in the passwd/group
files are found, then it is reported. However, the next time the test is
run the check will pass. This way you don't get warnings every time the
test runs. You will get a warning per server running RKH though.

Obviously not all O/S updates are going to modify the passwd/group
files. So it is possible that an update is applied, no passwd/group
change occurs, someone modifies the passwd/group files, and then the
sysadmin runs '--propupd' having seen that updates have been applied.
The change to the passwd/groups file is then lost and unnoticed. (Okay,
it's a little far fetched, but then security is about being
paranoid :-))

We could make the passwd/group test give no warning when '--propupd' has
run (unless some other change has modified the passwd/group files), but
I'm not sure how others would feel about that. I'll see what the
developers say about this.

> Is there any other way I can tell rkhunter to not warn me, a
> --no-I'm-really-serious-don't-warn-me flag after propupd maybe?
There is no way at the moment I'm afraid.


John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
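A minimal version of the baseline-and-explicit-accept behaviour the reply describes, as an added example that is not rkhunter's own code: the check warns while the live passwd/group files differ from an accepted baseline and goes quiet only after an explicit accept step, so a change made between an update and an unrelated '--propupd' would still be reported. It assumes POSIX sh with cmp, diff and cut, and runs on constructed copies of the files rather than /etc itself.

```shell
# Added example (not rkhunter's own code): a baseline check for the account
# files in which the baseline is updated only by an explicit accept step.
# File paths are parameters so the example runs against constructed copies.

# Record the current passwd/group files as the accepted baseline.
accept_accounts_baseline() {   # $1 passwd, $2 group, $3 baseline directory
    mkdir -p "$3" && cp "$1" "$3/passwd.baseline" && cp "$2" "$3/group.baseline"
}

# Compare one live file with its baseline; on a difference, list the account
# names that were added ('>') or removed ('<') and return 1.
compare_accounts_file() {      # $1 live file, $2 baseline file, $3 label
    cmp -s "$1" "$2" && return 0
    echo "Warning: $3 differs from the accepted baseline:"
    diff "$2" "$1" | grep '^[<>]' | cut -d: -f1
    return 1
}

# Return 0 when both files match the baseline, 1 when either differs,
# 2 when no baseline has been accepted yet. The baseline is never touched
# here, so the warning repeats until the change is explicitly accepted.
check_accounts_baseline() {    # $1 passwd, $2 group, $3 baseline directory
    [ -f "$3/passwd.baseline" ] && [ -f "$3/group.baseline" ] || return 2
    rc=0
    compare_accounts_file "$1" "$3/passwd.baseline" passwd || rc=1
    compare_accounts_file "$2" "$3/group.baseline" group  || rc=1
    return $rc
}

# Demonstration on constructed copies (never touches the real /etc files).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$demo_dir/passwd"
printf 'root:x:0:\nalice:x:1000:\n' > "$demo_dir/group"
accept_accounts_baseline "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/baseline"
# A new account appears after an update; the check reports it ...
echo 'bob:x:1001:1001::/home/bob:/bin/bash' >> "$demo_dir/passwd"
check_accounts_baseline "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/baseline" || echo "exit status $?"
# ... and is quiet again only after the change has been explicitly accepted.
accept_accounts_baseline "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/baseline"
check_accounts_baseline "$demo_dir/passwd" "$demo_dir/group" "$demo_dir/baseline" && echo "accounts match baseline"
rm -rf "$demo_dir"
```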

Rkhunter-users mailing list
