
We run a (new) CentOS 7 system here. To watch the system for invalid changes / hacker attacks we run rkhunter every night. Also, after each (yum) update we prelink everything and run "rkhunter --propupd".

This runs fine, but after some days we get the following error:

[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.
...
...
...
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chroot                                [ Warning ]

We are sure that the server is not hacked, because we have checked the date and size of some of the binary files. We have also created checksums of some of these files. All files are identical and unchanged after the rkhunter warning occurred.

But we want to find out what the reason for the rkhunter warnings is ...

Any ideas?

EDIT:

There is also another warning in the rkhunter log files:

[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05]          Because of the change(s) the file properties checks may give some false-positive results.
[03:55:05]          You may need to re-run rkhunter with the '--propupd' option.

And that's also the solution. See my answer below ....

Steffen

1 Answer


Found it! Today I looked into several log files, and so I found a prelink log file. The log file shows that a prelink process was running. After searching for a prelink job in the cron files I found it in /etc/cron.daily. I'm sure that this is the reason for the rkhunter warning ... :-)

Steffen
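A small triage script for this situation, added here as an example and not part of the question or the answer: it scans an rkhunter log for the exact messages quoted above and reports whether the warnings are fully explained by a prelink run (such as the /etc/cron.daily prelink job) or whether an unrecognised warning needs a closer look. It only knows the message texts that appear on this page; the sample logs are constructed from the quoted lines, and the "rpm -Vf" mentioned in the comments is an independent follow-up check that does not depend on rkhunter.dat.

```shell
#!/bin/sh
# Added example, not code from the question or answer: classify an rkhunter
# log so a benign "prelink ran since the last --propupd" can be told apart
# from warnings that need a real investigation. Only the message texts that
# appear in the question are recognised; anything else counts as unknown.
set -eu

INODE_PAT='No inode value found for file'          # per-file warning
PRELINK_PAT='using prelinking since the last run'   # prelink state flipped
# Lines rkhunter prints on every such run that say nothing about a file.
NOISE_PAT='It is the users responsibility|Checking for prerequisites|operating system has changed'

# Number of per-file "no inode value" warnings in the log.
count_inode_warnings() { grep -c "$INODE_PAT" "$1" || true; }

# Succeeds if rkhunter reported that the prelink state changed.
prelink_state_changed() { grep -q "$PRELINK_PAT" "$1"; }

# Prints "prelink-change" if every warning is explained by a prelink run,
# "investigate" if any unrecognised warning is present, else "clean".
triage_rkhunter_log() {
    other=$(grep 'Warning:' "$1" | grep -Ev "$INODE_PAT|$PRELINK_PAT|$NOISE_PAT" | wc -l | tr -d ' ')
    if [ "$other" -gt 0 ]; then echo investigate
    elif prelink_state_changed "$1" && [ "$(count_inode_warnings "$1")" -gt 0 ]; then echo prelink-change
    else echo clean; fi
}

# Constructed sample log, built from the lines quoted in the question.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05] Warning: The system has changed to not using prelinking since the last run.
EOF

# Same log plus one constructed warning of a kind the script does not know.
SUSPECT_LOG=$(mktemp)
{ cat "$SAMPLE_LOG"; echo "[03:55:06] Warning: constructed unknown warning about /usr/sbin/chroot"; } > "$SUSPECT_LOG"

# Independent follow-up on a CentOS 7 host (not run here): rpm verifies
# package-owned binaries and undoes prelinking before hashing, so it does not
# depend on rkhunter.dat:   rpm -Vf /usr/sbin/adduser
triage_rkhunter_log "$SAMPLE_LOG"    # prelink-change
triage_rkhunter_log "$SUSPECT_LOG"   # investigate
```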