Re: [Rkhunter-users] chattr and lsattr on el4.5 x86_64
From: John H. <joh...@pl...> - 2008-02-23 16:32:02
On Sat, 2008-02-23 at 13:25 +1000, Michael Mansour wrote:
> Hi,
>
> I have the following two warnings from rkhunter 1.3.0 on two Scientific Linux
> 4.5 x86_64 servers (Red Hat Enterprise Linux 4 Update 5 derivatives):
>
> [14:14:10] /usr/bin/chattr [ Warning ]
> [14:14:10] Warning: Package manager verification has failed:
> [14:14:10] File: /usr/bin/chattr
> [14:14:10] The file hash value has changed
> [14:14:10] The file size has changed
> [14:14:10] The file modification time has changed
>
> [14:14:20] /usr/bin/lsattr [ Warning ]
> [14:14:20] Warning: Package manager verification has failed:
> [14:14:20] File: /usr/bin/lsattr
> [14:14:20] The file hash value has changed
> [14:14:20] The file size has changed
> [14:14:20] The file modification time has changed
>
> and:
>
> # rpm -qf /usr/bin/lsattr
> e2fsprogs-1.35-12.11.el4_6.1.i386
> e2fsprogs-1.35-12.11.el4.1.x86_64
>
> [root@gecko ~]# rpm -qf /usr/bin/chattr
> e2fsprogs-1.35-12.11.el4_6.1.i386
> e2fsprogs-1.35-12.11.el4.1.x86_64
>
> (Note: I linked /usr/local/lib to /usr/local/lib64 to test whether rkhunter
> 1.3.0 works properly on this platform)
>
> I've also setup PKGMGR=RPM.
>
> When rkhunter reports "The file size has changed" etc, changed from what? the
> original distribution? the last time I ran the --propupd ?
>

Because you are using the package manager it means that RPM verification
fails for those files. If you run 'rpm -Vf /usr/bin/chattr' it will show
that something has changed (same for lsattr). The file attributes do not
correspond to those of what should be the currently installed files -
i.e. the files have changed.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: Joh...@pl...
Fax: +44 (0)1752 233839
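
For reading what `rpm -Vf` prints when run as suggested in the reply above, here is an added example (not part of the original message and not rkhunter code) that turns the per-file flag string into attribute names. The function name `decode_rpm_verify_line` and the sample lines are constructed for illustration; the flag letters are those documented in rpm(8).

```shell
#!/bin/sh
# Added example: translate one line of `rpm -V` output into the names of the
# attributes that failed verification. Flag letters follow rpm(8); "." means
# the test passed and "?" means the test could not be performed.

decode_rpm_verify_line() {
    line=$1
    flags=${line%% *}     # first field: the flag string, or the word "missing"
    path=${line##* }      # last field: file name (assumes no spaces in it)
    if [ "$flags" = "missing" ]; then
        printf '%s: missing\n' "$path"
        return 0
    fi
    changed=""
    while [ -n "$flags" ]; do
        rest=${flags#?}
        c=${flags%"$rest"}            # first character of the flag string
        flags=$rest
        case $c in
            S) name="size" ;;
            M) name="mode" ;;
            5) name="digest" ;;
            D) name="device" ;;
            L) name="symlink-target" ;;
            U) name="owner" ;;
            G) name="group" ;;
            T) name="mtime" ;;
            P) name="capabilities" ;;
            '?') name="not-checked" ;;
            *) continue ;;            # "." : nothing to report for this test
        esac
        changed="${changed:+$changed }$name"
    done
    printf '%s: %s\n' "$path" "${changed:-unchanged}"
}

# Constructed sample lines, not output captured from the servers in this thread.
decode_rpm_verify_line 'S.5....T  /usr/bin/chattr'
decode_rpm_verify_line '.......T  c /etc/example.conf'
decode_rpm_verify_line 'missing     /usr/bin/lsattr'

# On a live system, feed it real output line by line:
#   rpm -Vf /usr/bin/chattr | while IFS= read -r l; do decode_rpm_verify_line "$l"; done
```

A line reporting size, digest and mtime together corresponds to the three rkhunter messages quoted above (file size, hash value, modification time).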