Description of problem:
=======================
Last night a yum upgrade installed rkhunter 1.4.2, replacing 1.4.0, and today rkhunter says:

Warning: The file '/usr/sbin/sshd' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.

This is because /var/lib/rkhunter/db/rkhunter.dat does not contain entries for ssh, sshd or telnet. Nor does rkhunter.dat.old. Both files are dated Jan 25. Yesterday was March 21, so the package installation process clearly made no attempt to align /var/lib/rkhunter/db/rkhunter.dat with either the version used by 1.4.0 or to check whether these common programs were installed. The three programs were installed from Fedora 20 packages when I installed Fedora 20. Previous runs since then, but using rkhunter 1.4.0, did not have this problem.

Version-Release number of selected component (if applicable):
=============================================================
1.4.2

How reproducible:
=================
Just upgrade from the rkhunter package containing 1.4.0 to the package containing 1.4.2.

Steps to Reproduce:
===================
1. Install Fedora 20, making sure that the RPM packages containing ssh, sshd and telnet are installed
2. Install the RPM package containing rkhunter 1.4.0
3. Run rkhunter checks after running "rkhunter --propupd"
   ssh, sshd and telnet will be checked and passed without comment
4. Install the RPM package containing rkhunter 1.4.2
   Warnings about the existence of sshd, ssh and telnet will be output.

Actual results:
===============
Warnings about the existence of sshd, ssh and telnet are output

Expected results:
=================
These warnings should not be output.
That's very strange. I am not seeing that on rawhide and I do not remember seeing that on F20 either (but let me check this and report back). Partial output below:

# egrep "sshd|ssh|telnet" rkhunter.dat rkhunter.dat.old
rkhunter.dat:File:0:/usr/sbin/sshd:
rkhunter.dat:File:0:/usr/bin/ssh:
rkhunter.dat:File:0:/usr/bin/telnet:
rkhunter.dat.old:File:0:/usr/sbin/sshd:
rkhunter.dat.old:File:0:/usr/bin/ssh:
rkhunter.dat.old:File:0:/usr/bin/telnet:
I forgot to attach copies of the two files as they appear on my system. Copies follow. I have done nothing to them apart from copying them to my user so I can attach them to this bug.

This is how ls sees them as installed:

$ ll /var/lib/rkhunter/db/rkhunter*
-rw-r-----. 1 root root 14909 Jan 25 20:15 /var/lib/rkhunter/db/rkhunter.dat
-rw-r-----. 1 root root 14909 Jan 25 19:53 /var/lib/rkhunter/db/rkhunter.dat.old

And this is how the copies look to ls:

$ ll rkhunter.dat*
-rw-r-----. 1 kiwi kiwi 14909 Mar 22 16:05 rkhunter.dat
-rw-r-----. 1 kiwi kiwi 14909 Mar 22 16:05 rkhunter.dat.old
Created attachment 877612: Copy of rkhunter.dat as installed by yum
Created attachment 877613: Copy of rkhunter.dat.old as it currently appears
When rkhunter's scheduled run occurred last night it once again reported that ssh, sshd and telnet existed but weren't in rkhunter.dat. So, I tried an experiment. I edited the line:

File:0:/us/sbin/sshd::::::::net-tools:::

into its appropriate alphabetic place in rkhunter.dat. As I didn't know what should go in the 11th field, I copied it from the line for /usr/sbin/route. Then I ran

rkhunter --propupd /usr/sbin/sshd

which seemed to work ok, though it reported only searching for 3 programs. The following run of rkhunter -c ran fine until it came to the program checks, when it reported almost everything with a red objection "[ Warning ]". I killed the run before it had said what the warning was about and, wondering if rkhunter had decided to scrub details of everything *except* /usr/sbin/sshd, ran rkhunter --propupd to see if that would fix it. Apparently it did, because the following run of rkhunter -c reported no errors or warnings and this time checked ssh, sshd and telnet, which had all been added to rkhunter.dat with field 11 set, respectively, to ssh-server, openssh-clients and telnet.

So, as far as I'm concerned the problem is now solved but, of course, you may still want to fix some things, in particular:

- fixing anything odd about the rkhunter package installer's configuration script (which is where I think my initial problem was caused)
- determining why the option '--propupd /usr/sbin/sshd' corrupted almost all the other program entries in rkhunter.dat
- adding instructions for editing rkhunter.dat to the manpage.

I hope this extra info is useful.
Hi. So, two things to note:

1) The rkhunter.dat file is NOT shipped with the rkhunter package. This file is created/updated when you run 'rkhunter --propupd'. You need to do this when you update packages or rkhunter itself. This tells rkhunter that the changes it's noting are fine and should be folded back into the data as 'normal'.

2) With the upgrade to 1.4.2, from the Changelog:

"New:
- The 'ssh', 'sshd' and 'telnet' commands are now checked as part of the file properties test."

So, these were not checked in that test before, but are now. Again, a 'rkhunter --propupd' should be run after the 1.4.2 upgrade (after checking any changes it notes). This is likely why you saw weird behavior running just a --propupd on that one file, as it's moved what tests were involved.

So, I'm not sure how we can better communicate this, but open to ideas. Perhaps a wiki page on common usage of rkhunter would be of help?
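As an added illustration of the mechanism discussed above (this is example code written for this page, not the reporter's files and not rkhunter's own implementation), the script below models the check that produces the warning in the report: a path that exists on the system but has no 'File:' record in rkhunter.dat. The only facts about the file taken from the thread are the record prefix 'File:<n>:<path>:' seen in the egrep output and the reporter's observation that field 11 holds the owning package; the two snapshots and the installed-file list are constructed, and the meaning of the remaining fields is not assumed. It also diffs an old and a new snapshot, which is the kind of review an admin can do between seeing warnings and deciding to run --propupd.

```python
"""Model the 'exists on the system but not in rkhunter.dat' warning (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot as rkhunter.dat might look after '--propupd' under
# 1.4.0: no records for ssh, sshd or telnet, as the report describes.
DAT_BEFORE_UPGRADE = """\
Version:1.4.0
File:0:/usr/sbin/route::::::::net-tools:::
File:0:/usr/bin/wget::::::::wget:::
"""

# Constructed snapshot after '--propupd' under 1.4.2; field 11 carries the
# package names the reporter said were filled in.
DAT_AFTER_PROPUPD = """\
Version:1.4.2
File:0:/usr/sbin/route::::::::net-tools:::
File:0:/usr/bin/ssh::::::::openssh-clients:::
File:0:/usr/sbin/sshd::::::::ssh-server:::
File:0:/usr/bin/telnet::::::::telnet:::
File:0:/usr/bin/wget::::::::wget:::
"""

# Constructed stand-in for what a real check would get from os.path.exists()
# over the list of commands rkhunter tests.
INSTALLED = ["/usr/sbin/route", "/usr/bin/wget", "/usr/bin/ssh",
             "/usr/sbin/sshd", "/usr/bin/telnet"]

PACKAGE_FIELD = 11  # 1-based; assumption taken from the reporter's experiment


@dataclass
class FileEntry:
    path: str
    package: str
    raw: str  # the whole record, used to detect changed entries


def parse_dat(text: str) -> Dict[str, FileEntry]:
    """Return the 'File:' records of rkhunter.dat-style text keyed by path.

    Other record types (e.g. 'Version:') are skipped. Records shorter than
    PACKAGE_FIELD fields get an empty package name rather than an exception.
    """
    entries: Dict[str, FileEntry] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "File" or len(fields) < 3:
            continue
        path = fields[2]
        package = fields[PACKAGE_FIELD - 1] if len(fields) >= PACKAGE_FIELD else ""
        entries[path] = FileEntry(path, package, line)
    return entries


def missing_from_dat(installed: Iterable[str], dat_text: str) -> List[str]:
    """Paths present on the system but absent from the dat file (sorted)."""
    known = parse_dat(dat_text)
    return sorted(p for p in installed if p not in known)


def warnings(installed: Iterable[str], dat_text: str) -> List[str]:
    """Render the warning text the report quotes, one line per missing path."""
    template = ("Warning: The file '{}' exists on the system, but it is not "
                "present in the 'rkhunter.dat' file.")
    return [template.format(p) for p in missing_from_dat(installed, dat_text)]


def diff_dat(old_text: str, new_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Paths added, removed and changed between two snapshots.

    Comparing rkhunter.dat.old with rkhunter.dat this way shows exactly which
    records the last '--propupd' touched before the admin accepts the new state.
    """
    old, new = parse_dat(old_text), parse_dat(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p].raw != new[p].raw)
    return added, removed, changed


if __name__ == "__main__":
    for w in warnings(INSTALLED, DAT_BEFORE_UPGRADE):
        print(w)
    added, removed, changed = diff_dat(DAT_BEFORE_UPGRADE, DAT_AFTER_PROPUPD)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run stand-alone it prints the three warnings from the report for the pre-upgrade snapshot and reports the three paths as added, nothing removed and nothing changed between the two snapshots; a diff showing many changed or removed records is the signal to look closer before running --propupd.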
I know that it's necessary to run 'rkhunter --propupd' after a clean install, though IIRC that wasn't immediately obvious when I first installed it. Similarly, it wasn't obvious that this is also needed after an upgrade. Apologies if the comments attached to my attachments were confusing.

So, yes, a wiki page on common rkhunter usage would be very helpful. I'd like such a wiki page to be in rkhunter's home web pages because that's where I look first for extra information about a program if its manpage doesn't tell me enough to sort out my problem. An equivalent addition to the manpage would also be a good idea. I like rkhunter a lot, but its documentation is somewhat lacking in one or two areas.

1) A discussion of when --propupd must be used would be great. As an alternative, maybe it could automatically force --propupd on if rkhunter.dat doesn't list any commands that should always be tested. This would improve its operation both on initial install and also in this case (upgrading to 1.4.2).

2) In general it's very hard to find out anything about the rootkits it detects. I don't know why this is, but it does make it difficult to decide what to do after a rootkit is discovered, particularly when merely rebooting F20 apparently generates an FP for GasKit. Just a list of the rootkits it detects isn't enough: we really need to know what a rootkit does, where it is installed and, if possible, how it can be removed. For instance, if it installs itself in /boot, /var/lib/ etc. a clean reinstall is sort of easy enough, but I, and others, tend to put /home in its own partition and not reformat it when doing a clean install, so if a rootkit installs itself there we need to know about it.

I put a request for (2) on the rkhunter Bugzilla a week or three ago, but it apparently hasn't been looked at: at least I haven't had any e-mails saying the bug was assigned/rejected/etc.
I can start work on a simple wiki page (basically a selection from man rkhunter) sometime this week and then we can add on with more information (that I am sure I do not know).

Additionally, would it be advisable at all to run --propupd in %post (for update versions that need it)? I do not know if this is good/bad - just thinking out loud, I guess.
Yeah, so I think it might be good to close this and move the discussion to the rkhunter-users list upstream? These suggestions all make sense, but it would be ideal to get them done upstream rather than anything Fedora specific?

We don't want to ever run --propupd automatically. When you run that you are asserting that your system is clean and that the current state is known valid. There's no way a scriptlet should be able to assert that; it should be left to the admin. IMHO. ;)
FYI - the GasKit FP is triggered by bug 1045704 in dracut