Re: [Rkhunter-users] Rootkit Hunter on Oracle Linux 8
From: Rootkit H. <opa...@do...> - 2021-05-21 03:41:20
On 5/20/21 7:22 AM, John Dodson [Masked] wrote:
> I can only think to ask, what does,
>
> ls -laRZ /usr/libexec/*awk
>
> say on each machine, are they different (& binary wise?), are remote filesystems
> involved, do the gawk package/binaries on each server verify, does/did a package
> update occur when rkhunter ran causing a race, etc.

On a machine where it works correctly

    $ ls -laRZ /usr/libexec/*awk
    lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 16 Mar 15 2019 /usr/libexec/gawk -> /usr/libexec/awk

    /usr/libexec/awk:
    total 32
    drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 4096 Apr 7 13:14 .
    drwxr-xr-x. 27 root root system_u:object_r:bin_t:s0 4096 May 6 15:53 ..
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9240 Mar 15 2019 grcat
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9224 Mar 15 2019 pwcat

On one where it doesn’t

    $ ls -laRZ /usr/libexec/*awk
    lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 16 Mar 15 2019 /usr/libexec/gawk -> /usr/libexec/awk

    /usr/libexec/awk:
    total 32
    drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 32 Apr 6 11:22 .
    drwxr-xr-x. 34 root root system_u:object_r:bin_t:s0 4096 May 6 15:57 ..
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9240 Mar 15 2019 grcat
    -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9224 Mar 15 2019 pwcat

Honestly, they look pretty similar to me. RPM tells me none of the files were altered. No remote filesystems are involved.

> Cheers
>
> John
>
>
> On Wed, 2021-05-19 at 15:17 -0700, opa...@do... wrote:
>> On some of my OL8 servers, rkhunter throws this warning:
>>
>> Warning: No hash value found for file '/usr/libexec/gawk' in the
>> 'rkhunter.dat' file.
>>
>> /usr/libexec/gawk is a symlink to /usr/libexec/awk. Which, in turn, is
>> a directory
>>
>> $ file /usr/libexec/gawk
>> /usr/libexec/gawk: symbolic link to /usr/libexec/awk
>>
>> $ file /usr/libexec/awk
>> /usr/libexec/awk: directory
>>
>> This does not affect all the nodes. Some seem to behave normally.
>>
>> Running rkhunter on the affected nodes with --propupd does not fix it.
>>
>> I am using rkhunter 1.4.6
>>
>> Suggestions?
>>