On Wed, 2012-04-25 at 10:35 +0200, Silvio Knizek wrote:
> Hi mailing list,
>
> at my company we use rkhunter on some webserver. It runs once every
> day in the morning as part of a nagios check.
> Yesterday a new user was added on the server and rkhunter threw a
> warning about the passwd and group file as it should.
> To be sure there is no real threat but only the new user, I ran
> rkhunter again, but this time, it doesn't complain about the new user.
> It said that all things are well. I'm sure no script ran a --produpd,
> so where should I look for this else?
>

Hello,

The password/group check is done by comparing a copied passwd/group file
to the current one. Once the test has run, and if there was a change
noticed, then a new copy of the file is taken. As such any password or
group change is only reported once.

The change made should be in the rkhunter log file. By default the
previous log file will also be kept. So, assuming default paths are used,
you could look in /var/log/rkhunter.log or /var/log/rkhunter.log.old if
you want to see the reported change.

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
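The compare-then-refresh behaviour described in the reply above, modelled as an added example (not part of the original thread and not rkhunter's own code). The function name `check_users`, the file names and the message wording are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the snapshot-compare-refresh behaviour; not rkhunter's own code.
# File names and message wording are constructed for illustration.

# check_users CURRENT SNAPSHOT LOG
# Reports account names added to or removed from CURRENT since SNAPSHOT
# was taken, appends each report to LOG, then refreshes SNAPSHOT.
check_users() {
    cur=$1; snap=$2; log=$3; changed=0
    # No stored copy yet: take one and report nothing.
    if [ ! -f "$snap" ]; then cp "$cur" "$snap"; return 0; fi
    for u in $(cut -d: -f1 "$cur"); do
        grep -q "^$u:" "$snap" && continue
        echo "Warning: user '$u' added" | tee -a "$log"; changed=1
    done
    for u in $(cut -d: -f1 "$snap"); do
        grep -q "^$u:" "$cur" && continue
        echo "Warning: user '$u' removed" | tee -a "$log"; changed=1
    done
    # The refresh is why a second run reports nothing.
    if [ "$changed" -eq 1 ]; then cp "$cur" "$snap"; fi
    return 0
}

demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/sh\n' > "$d/passwd"       # constructed sample
    check_users "$d/passwd" "$d/passwd.copy" "$d/check.log"  # takes the first copy
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' >> "$d/passwd"
    echo "run 1:"; check_users "$d/passwd" "$d/passwd.copy" "$d/check.log"
    echo "run 2:"; check_users "$d/passwd" "$d/passwd.copy" "$d/check.log"
    echo "log:";   cat "$d/check.log"
    rm -rf "$d"
}
demo
```

Run 1 prints the warning, run 2 prints nothing, and the log still holds the single report, which is why the log file is the place to confirm what a one-off warning was about.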
