Description of problem:

After updating rkhunter-1.4.4-1.el6.noarch from repo epel today (updating the previously installed version, 1.4.2) on an otherwise up-to-date CentOS release 6.9 (Final) system, we found that our Nagios monitoring is complaining about warnings. This turns out to be due to some missing prerequisites (or some related issue):

    # rkhunter --list
    [...]
    Perl module installation status:
        perl command             Installed
        File::stat               Installed
        Getopt::Long             Installed
        Crypt::RIPEMD160         MISSING
        Digest::MD5              Installed
        Digest::SHA              Installed
        Digest::SHA1             Installed
        Digest::SHA256           MISSING
        Digest::SHA::PurePerl    MISSING
        Digest::Whirlpool        MISSING
        LWP                      Installed
        URI                      Installed
        HTTP::Status             Installed
        HTTP::Date               Installed
        Socket                   Installed
        Carp                     Installed
    [...]

Something changed in the way rkhunter deals with the prerequisites; these modules were missing till now as well, but so far rkhunter was exiting with 0 despite the missing prerequisites, whereas now it exits with code 1.

While the missing modules might well be available via CPAN, I'd rather prefer to stay with the packages available in the CentOS repos on our production servers. Unfortunately, these perl-X modules are NOT available in any of the usual repos, so it seems that there is no choice than to use CPAN...?!

On the other hand, the version I found on CPAN for Digest::SHA256 is 0.01, and the module is dated 2001. What happens here...?

If these Perl modules are necessary, they should be available as packages from the repos, I think. But I rather consider that the warnings are misleading and exit 1 should be avoided for this.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

When running

    # rkhunter --check

from the terminal,

    [...]
    System checks summary
    =====================

    File properties checks...
        Required commands check failed
        Files checked: 138
        Suspect files: 0

    Rootkit checks...
        Rootkits checked : 478
        Possible rootkits: 0

    Applications checks...
        All checks skipped

    The system checks took: 1 minute and 26 seconds

    All results have been written to the log file: /var/log/rkhunter/rkhunter.log

    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter/rkhunter.log)

Expected results:

When running

    # rkhunter --check

from the terminal, NO warnings.

Additional info:

The relevant part of the log file:

    [...]
    [18:05:41] Info: Starting test name 'properties'
    [18:05:41] Performing file properties checks
    [18:05:41] Warning: Checking for prerequisites [ Warning ]
    [18:05:41] All file hash checks will be skipped because:
    [18:05:41] This system uses prelinking, but the hash function command does not look like SHA1 or MD5.
    [...]

There are no other warnings in the logs.
Turns out that the missing modules were a red herring... Adding HASH_CMD=sha1sum to /etc/rkhunter.conf to avoid using the default SHA256 checksum solves the issue. Sort of. It still would be nice to get a clue about this, or having rkhunter working 'out of the box', trying to sync with what prelink does when it is used on the system. Thank you.
I encountered the same issue (i.e. "This system uses prelinking, but the hash function command does not look like SHA1 or MD5.") but I solved it by just not using prelinking any more. I'll give "HASH_CMD=sha1sum" a spin, too.
echo "HASH_CMD=sha1sum" >> /etc/rkhunter.conf.local solved the problem for me, too. Kevin, can you please add that as a default in rkhunter.conf?
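Added example, not part of the original thread and not rkhunter's own code: a shell check that reports which HASH_CMD is in effect across the config files named in the comments above and whether it fits the rule quoted in the log. It assumes a later file overrides an earlier one and that the caller states whether the system is prelinked; the function names are hypothetical.

```shell
#!/bin/sh
# Print the last uncommented HASH_CMD value found in the given files, in order.
# Assumption: a later file (e.g. rkhunter.conf.local) overrides an earlier one.
effective_hash_cmd() {
    value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*HASH_CMD[[:space:]]*=[[:space:]]*//p' "$f" |
            sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Succeed if the command name "looks like SHA1 or MD5" (case-insensitive match,
# an approximation of the test behind the log message, not rkhunter's code).
looks_like_sha1_or_md5() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# hash_cmd_status PRELINKED(yes|no) FILE...
# Prints "ok: ..." or "warn: ..." and returns 0 or 1, usable from a monitor.
hash_cmd_status() {
    prelinked=$1; shift
    cmd=$(effective_hash_cmd "$@")
    # Per the thread, an unset HASH_CMD means the SHA256 default.
    [ -n "$cmd" ] || cmd="SHA256"
    if [ "$prelinked" = yes ] && ! looks_like_sha1_or_md5 "$cmd"; then
        echo "warn: HASH_CMD=$cmd on a prelinked system, file hash checks will be skipped"
        return 1
    fi
    echo "ok: HASH_CMD=$cmd"
}

# Demo on constructed config files (not real system files).
demo_dir=$(mktemp -d)
printf '#HASH_CMD=sha1sum\nHASH_CMD=SHA256\n' > "$demo_dir/rkhunter.conf"
printf 'HASH_CMD=sha1sum\n' > "$demo_dir/rkhunter.conf.local"
hash_cmd_status yes "$demo_dir/rkhunter.conf"
hash_cmd_status yes "$demo_dir/rkhunter.conf" "$demo_dir/rkhunter.conf.local"
rm -rf "$demo_dir"
```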
rkhunter-1.4.4-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-bc4003cb37
The solution "HASH_CMD=sha1sum" worked. Thank you, Iosif Fettich, for posting the fix.
rkhunter-1.4.4-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.