Hi Francois,

On Monday 12 November 2007 at 09:42 +1300, Francois Marier wrote:
> Package: rkhunter
> Version: 1.3.0-2
> Severity: normal
>
> I was getting the following emails every day:
>
> Warning: The file properties have changed:
> File: /usr/bin/ldd
> Current inode: 3143953 Stored inode: 866682
> Current file modification time: 1193274171
> Stored file modification time : 1191200505

The first date is the file modification stored in rkhunter file properties database (as of the last time it was updated), the second is the current file modification time. libc6 was updated between these dates (October the 1st and the 25th) according to the changelog, it thus seems quite logical rkhunter warns about this if you haven't updated its database.

> and they seem to have gone away now that I have added this to
> /etc/rkhunter.conf:
>
> ATTRWHITELIST=/usr/bin/ldd

Then rkhunter simply ignores this file, I don't think it is the way to solve your issue.

> Is that a known false positive? I am always a little hesitant to whitelist
> things when they aren't mentioned in the documentation or in the examples :)

Even if stated in the documentation, it could be a security risk ;-)

What I do not understand in your issue is that you seem to have the automatic file properties update activated (rkhunter/apt_autogen: true), would it mean you haven't upgraded your system after the last libc6 update?

To test, remove the whitelist line from rkhunter.conf and run:

# rkhunter --propupd
# rkhunter --enable attributes

This updates the database, and then runs a test (only the attributes are checked, it won't take long).

Do you still get this warning?

Cheers,
Julien
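
Added example, not part of the original message and not rkhunter code: a small Python parser for the warning block quoted in this report, which pairs each value with its Current/Stored label and decodes the epoch modification times to UTC dates so they can be compared with a package changelog. The function names and the reconstructed indentation of the sample are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Warning text as quoted in the report above; indentation reconstructed for this example.
SAMPLE = """\
Warning: The file properties have changed:
         File: /usr/bin/ldd
         Current inode: 3143953    Stored inode: 866682
         Current file modification time: 1193274171
         Stored file modification time : 1191200505
"""

FILE_RE = re.compile(r"^\s*File:\s*(\S+)", re.M)
# Matches "Current inode: N", "Stored file modification time : N", etc.
FIELD_RE = re.compile(r"(Current|Stored) (inode|file modification time)\s*:\s*(\d+)")

def parse_warning(text):
    """Return (path, {property: {'current': int, 'stored': int}}) for one warning."""
    m = FILE_RE.search(text)
    if m is None:
        raise ValueError("no 'File:' line found in warning")
    fields = {}
    for which, name, value in FIELD_RE.findall(text):
        fields.setdefault(name, {})[which.lower()] = int(value)
    return m.group(1), fields

def changed_properties(text):
    """Keep only properties whose current and stored values differ.

    Modification times are rendered as ISO 8601 UTC strings; inodes stay integers.
    """
    path, fields = parse_warning(text)
    out = {}
    for name, pair in fields.items():
        if set(pair) != {"current", "stored"} or pair["current"] == pair["stored"]:
            continue  # incomplete pair or no change: nothing to report
        if name == "file modification time":
            out[name] = {k: datetime.fromtimestamp(v, tz=timezone.utc).isoformat()
                         for k, v in pair.items()}
        else:
            out[name] = dict(pair)
    return path, out

if __name__ == "__main__":
    path, diff = changed_properties(SAMPLE)
    print(path)
    for name, pair in diff.items():
        print(f"  {name}: stored={pair['stored']} current={pair['current']}")
```
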