Hi John,

> > Hi,
> >
> > In the daily run I keep getting the following:
> >
> > Warning: Package manager verification has failed:
> >          File: /usr/bin/chattr
> >          The file hash value has changed
> >          The file size has changed
> >          The file modification time has changed
> > Warning: Package manager verification has failed:
> >          File: /usr/bin/lsattr
> >          The file hash value has changed
> >          The file size has changed
> >          The file modification time has changed
> >
> > I use the option:
> >
> > RTKT_FILE_WHITELIST="/usr/bin/chattr /usr/bin/lsattr"
> >
> This option applies to 'rootkit' checks.
>
> > while I have my PKGMGR set to RPM.
> >
> > Why aren't these two files whitelisted?
> >
> Because the warnings are about 'file properties', not rootkits. You
> can't whitelist files from the package manager. Did you run 'rpm
> -Vf /usr/bin/chattr'? What did it show?

# rpm -Vf /usr/bin/chattr
S.5....T   /sbin/badblocks
S.5....T   /sbin/blkid
S.5....T   /sbin/debugfs
S.5....T   /sbin/dumpe2fs
S.5....T   /sbin/e2fsck
S.5....T   /sbin/e2image
S.5....T   /sbin/e2label
S.5....T   /sbin/findfs
S.5....T   /sbin/fsck
S.5....T   /sbin/fsck.ext2
S.5....T   /sbin/fsck.ext3
S.5....T   /sbin/logsave
S.5....T   /sbin/mke2fs
S.5....T   /sbin/mkfs.ext2
S.5....T   /sbin/mkfs.ext3
S.5....T   /sbin/resize2fs
S.5....T   /sbin/tune2fs
S.5....T   /usr/bin/chattr
S.5....T   /usr/bin/lsattr
S.5....T   /usr/bin/uuidgen
S.5....T   /usr/sbin/ext2online
S.5....T   /usr/sbin/filefrag
S.5....T   /usr/sbin/mklost+found
.......T   /usr/share/locale/cs/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/de/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/es/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/it/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/pl/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/sv/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/tr/LC_MESSAGES/e2fsprogs.mo
.......T d /usr/share/man/man1/chattr.1.gz
.......T d /usr/share/man/man1/lsattr.1.gz
.......T d /usr/share/man/man1/uuidgen.1.gz
.......T d /usr/share/man/man8/badblocks.8.gz
.......T d /usr/share/man/man8/blkid.8.gz
.......T d /usr/share/man/man8/debugfs.8.gz
.......T d /usr/share/man/man8/dumpe2fs.8.gz
.......T d /usr/share/man/man8/e2fsck.8.gz
.......T d /usr/share/man/man8/e2image.8.gz
.......T d /usr/share/man/man8/e2label.8.gz
.......T d /usr/share/man/man8/ext2online.8.gz
.......T d /usr/share/man/man8/filefrag.8.gz
.......T d /usr/share/man/man8/findfs.8.gz
.......T d /usr/share/man/man8/fsck.8.gz
.......T d /usr/share/man/man8/fsck.ext2.8.gz
.......T d /usr/share/man/man8/fsck.ext3.8.gz
.......T d /usr/share/man/man8/logsave.8.gz
.......T d /usr/share/man/man8/mke2fs.8.gz
.......T d /usr/share/man/man8/mkfs.ext2.8.gz
.......T d /usr/share/man/man8/mkfs.ext3.8.gz
.......T d /usr/share/man/man8/mklost+found.8.gz
.......T d /usr/share/man/man8/resize2fs.8.gz
.......T d /usr/share/man/man8/tune2fs.8.gz

and:

# rpm -Vf /usr/bin/lsattr
S.5....T   /sbin/badblocks
S.5....T   /sbin/blkid
S.5....T   /sbin/debugfs
S.5....T   /sbin/dumpe2fs
S.5....T   /sbin/e2fsck
S.5....T   /sbin/e2image
S.5....T   /sbin/e2label
S.5....T   /sbin/findfs
S.5....T   /sbin/fsck
S.5....T   /sbin/fsck.ext2
S.5....T   /sbin/fsck.ext3
S.5....T   /sbin/logsave
S.5....T   /sbin/mke2fs
S.5....T   /sbin/mkfs.ext2
S.5....T   /sbin/mkfs.ext3
S.5....T   /sbin/resize2fs
S.5....T   /sbin/tune2fs
S.5....T   /usr/bin/chattr
S.5....T   /usr/bin/lsattr
S.5....T   /usr/bin/uuidgen
S.5....T   /usr/sbin/ext2online
S.5....T   /usr/sbin/filefrag
S.5....T   /usr/sbin/mklost+found
.......T   /usr/share/locale/cs/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/de/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/es/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/it/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/pl/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/sv/LC_MESSAGES/e2fsprogs.mo
.......T   /usr/share/locale/tr/LC_MESSAGES/e2fsprogs.mo
.......T d /usr/share/man/man1/chattr.1.gz
.......T d /usr/share/man/man1/lsattr.1.gz
.......T d /usr/share/man/man1/uuidgen.1.gz
.......T d /usr/share/man/man8/badblocks.8.gz
.......T d /usr/share/man/man8/blkid.8.gz
.......T d /usr/share/man/man8/debugfs.8.gz
.......T d /usr/share/man/man8/dumpe2fs.8.gz
.......T d /usr/share/man/man8/e2fsck.8.gz
.......T d /usr/share/man/man8/e2image.8.gz
.......T d /usr/share/man/man8/e2label.8.gz
.......T d /usr/share/man/man8/ext2online.8.gz
.......T d /usr/share/man/man8/filefrag.8.gz
.......T d /usr/share/man/man8/findfs.8.gz
.......T d /usr/share/man/man8/fsck.8.gz
.......T d /usr/share/man/man8/fsck.ext2.8.gz
.......T d /usr/share/man/man8/fsck.ext3.8.gz
.......T d /usr/share/man/man8/logsave.8.gz
.......T d /usr/share/man/man8/mke2fs.8.gz
.......T d /usr/share/man/man8/mkfs.ext2.8.gz
.......T d /usr/share/man/man8/mkfs.ext3.8.gz
.......T d /usr/share/man/man8/mklost+found.8.gz
.......T d /usr/share/man/man8/resize2fs.8.gz
.......T d /usr/share/man/man8/tune2fs.8.gz

I don't think any of the above is a problem since:

# rpm -qf /usr/bin/chattr
e2fsprogs-1.35-12.11.el4_6.1.i386
e2fsprogs-1.35-12.11.el4.1.x86_64

When I rpm -ql each of these:

# rpm -ql e2fsprogs-1.35-12.11.el4_6.1.i386
/lib/evms
/lib/evms/libe2fsim.1.2.1.so
/lib/libblkid.so.1
/lib/libblkid.so.1.0
/lib/libcom_err.so.2
/lib/libcom_err.so.2.1
/lib/libe2p.so.2
/lib/libe2p.so.2.3
/lib/libext2fs.so.2
/lib/libext2fs.so.2.4
/lib/libss.so.2
/lib/libss.so.2.0
/lib/libuuid.so.1
/lib/libuuid.so.1.2
/sbin/badblocks
/sbin/blkid
/sbin/debugfs
/sbin/dumpe2fs
/sbin/e2fsck
/sbin/e2image
/sbin/e2label
/sbin/findfs
/sbin/fsck
/sbin/fsck.ext2
/sbin/fsck.ext3
/sbin/logsave
/sbin/mke2fs
/sbin/mkfs.ext2
/sbin/mkfs.ext3
/sbin/resize2fs
/sbin/tune2fs
/usr/bin/chattr
/usr/bin/lsattr
/usr/bin/uuidgen
/usr/sbin/ext2online
/usr/sbin/filefrag
/usr/sbin/mklost+found
/usr/share/doc/e2fsprogs-1.35
/usr/share/doc/e2fsprogs-1.35/AUTHORS.ext2resize
/usr/share/doc/e2fsprogs-1.35/COPYING.ext2resize
/usr/share/doc/e2fsprogs-1.35/HOWTO.ext2resize
/usr/share/doc/e2fsprogs-1.35/NEWS.ext2resize
/usr/share/doc/e2fsprogs-1.35/README
/usr/share/doc/e2fsprogs-1.35/README.ext2resize
/usr/share/doc/e2fsprogs-1.35/RELEASE-NOTES
/usr/share/locale/cs/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/de/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/es/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/it/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/pl/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/sv/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/tr/LC_MESSAGES/e2fsprogs.mo
/usr/share/man/man1/chattr.1.gz
/usr/share/man/man1/lsattr.1.gz
/usr/share/man/man1/uuidgen.1.gz
/usr/share/man/man8/badblocks.8.gz
/usr/share/man/man8/blkid.8.gz
/usr/share/man/man8/debugfs.8.gz
/usr/share/man/man8/dumpe2fs.8.gz
/usr/share/man/man8/e2fsck.8.gz
/usr/share/man/man8/e2image.8.gz
/usr/share/man/man8/e2label.8.gz
/usr/share/man/man8/ext2online.8.gz
/usr/share/man/man8/filefrag.8.gz
/usr/share/man/man8/findfs.8.gz
/usr/share/man/man8/fsck.8.gz
/usr/share/man/man8/fsck.ext2.8.gz
/usr/share/man/man8/fsck.ext3.8.gz
/usr/share/man/man8/logsave.8.gz
/usr/share/man/man8/mke2fs.8.gz
/usr/share/man/man8/mkfs.ext2.8.gz
/usr/share/man/man8/mkfs.ext3.8.gz
/usr/share/man/man8/mklost+found.8.gz
/usr/share/man/man8/resize2fs.8.gz
/usr/share/man/man8/tune2fs.8.gz

and:

# rpm -ql e2fsprogs-1.35-12.11.el4.1.x86_64
/lib64/evms
/lib64/evms/libe2fsim.1.2.1.so
/lib64/libblkid.so.1
/lib64/libblkid.so.1.0
/lib64/libcom_err.so.2
/lib64/libcom_err.so.2.1
/lib64/libe2p.so.2
/lib64/libe2p.so.2.3
/lib64/libext2fs.so.2
/lib64/libext2fs.so.2.4
/lib64/libss.so.2
/lib64/libss.so.2.0
/lib64/libuuid.so.1
/lib64/libuuid.so.1.2
/sbin/badblocks
/sbin/blkid
/sbin/debugfs
/sbin/dumpe2fs
/sbin/e2fsck
/sbin/e2image
/sbin/e2label
/sbin/findfs
/sbin/fsck
/sbin/fsck.ext2
/sbin/fsck.ext3
/sbin/logsave
/sbin/mke2fs
/sbin/mkfs.ext2
/sbin/mkfs.ext3
/sbin/resize2fs
/sbin/tune2fs
/usr/bin/chattr
/usr/bin/lsattr
/usr/bin/uuidgen
/usr/sbin/ext2online
/usr/sbin/filefrag
/usr/sbin/mklost+found
/usr/share/doc/e2fsprogs-1.35
/usr/share/doc/e2fsprogs-1.35/AUTHORS.ext2resize
/usr/share/doc/e2fsprogs-1.35/COPYING.ext2resize
/usr/share/doc/e2fsprogs-1.35/HOWTO.ext2resize
/usr/share/doc/e2fsprogs-1.35/NEWS.ext2resize
/usr/share/doc/e2fsprogs-1.35/README
/usr/share/doc/e2fsprogs-1.35/README.ext2resize
/usr/share/doc/e2fsprogs-1.35/RELEASE-NOTES
/usr/share/locale/cs/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/de/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/es/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/it/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/pl/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/sv/LC_MESSAGES/e2fsprogs.mo
/usr/share/locale/tr/LC_MESSAGES/e2fsprogs.mo
/usr/share/man/man1/chattr.1.gz
/usr/share/man/man1/lsattr.1.gz
/usr/share/man/man1/uuidgen.1.gz
/usr/share/man/man8/badblocks.8.gz
/usr/share/man/man8/blkid.8.gz
/usr/share/man/man8/debugfs.8.gz
/usr/share/man/man8/dumpe2fs.8.gz
/usr/share/man/man8/e2fsck.8.gz
/usr/share/man/man8/e2image.8.gz
/usr/share/man/man8/e2label.8.gz
/usr/share/man/man8/ext2online.8.gz
/usr/share/man/man8/filefrag.8.gz
/usr/share/man/man8/findfs.8.gz
/usr/share/man/man8/fsck.8.gz
/usr/share/man/man8/fsck.ext2.8.gz
/usr/share/man/man8/fsck.ext3.8.gz
/usr/share/man/man8/logsave.8.gz
/usr/share/man/man8/mke2fs.8.gz
/usr/share/man/man8/mkfs.ext2.8.gz
/usr/share/man/man8/mkfs.ext3.8.gz
/usr/share/man/man8/mklost+found.8.gz
/usr/share/man/man8/resize2fs.8.gz
/usr/share/man/man8/tune2fs.8.gz

The only thing that differs between them is the lib and lib64
directories, while the binaries and man pages are the same. So for the
64bit (RH) Linux install, it's not in my control that the i386 and
x86_64 versions get installed together, that's what Red Hat do.

So I know this isn't a problem. This is why I was trying to whitelist
these, otherwise I'll continually get these warnings daily when they're
not really valid warnings.

Thanks.

Michael.

> John.
>
> --
> ---------------------------------------------------------------
> John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
> E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 233839
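
An added example, not part of the original message or of rkhunter: a small Python parser that decodes `rpm -V` attribute strings like those quoted above and separates files whose size or digest changed from files that differ only in metadata such as mtime. The function names are this example's own; the sample lines are copied from the output in the message.

```python
import re

# Attribute letters rpm -V prints, per rpm(8); a "." means that test passed.
ATTRS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# Attribute string (8 or 9 chars) or "missing", optional file marker, then the path.
LINE = re.compile(r"^(?P<attrs>missing|[SM5DLUGTP.?]{8,9})\s+"
                  r"(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

def parse_line(line):
    """Return (path, marker, failed tests) for one rpm -V line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    failed = ["missing"] if attrs == "missing" else [ATTRS[c] for c in attrs if c in ATTRS]
    return m.group("path"), m.group("kind"), failed

def triage(output):
    """Split rpm -V output into content changes, metadata-only changes and missing files."""
    report = {"content": [], "metadata": [], "missing": []}
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, _kind, failed = parsed
        if "missing" in failed:
            report["missing"].append(path)
        elif "digest" in failed or "size" in failed:
            report["content"].append(path)   # file bytes differ from the package database
        else:
            report["metadata"].append(path)  # e.g. only the modification time differs
    return report

def multiple_owners(qf_output):
    """True when `rpm -qf` output lists more than one owning package for the file."""
    return len({l.strip() for l in qf_output.splitlines() if l.strip()}) > 1

# Sample input: a few lines copied from the rpm -Vf and rpm -qf output in the message above.
SAMPLE_V = """S.5....T   /usr/bin/chattr
S.5....T   /usr/bin/lsattr
.......T   /usr/share/locale/cs/LC_MESSAGES/e2fsprogs.mo
.......T d /usr/share/man/man1/chattr.1.gz"""
SAMPLE_QF = """e2fsprogs-1.35-12.11.el4_6.1.i386
e2fsprogs-1.35-12.11.el4.1.x86_64"""

if __name__ == "__main__":
    print(triage(SAMPLE_V))
    print("owned by more than one package:", multiple_owners(SAMPLE_QF))
```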
