rkhunter: right way to handle warnings further?

Using debsums is a very clever idea with one major flaw: If something were to overwrite a root-owned file such as /bin/which, it could also rewrite /var/lib/dpkg/info/*.md5sums with an updated checksum. There is no chain of custody back to a Debian/Ubuntu signature, as far as I can see. Which is a real shame because that would be a really simple, really quick way to verify the authenticity of a live file.

Instead, to truly verify a file, you need to download a fresh copy of that deb, extract the internal control.tar.gz and then look at its md5sums file to compare against a real md5sum /bin/which. It's a painful process.

What has most likely happened here is that you've had some system updates (a distribution upgrade even) and you haven't asked rkhunter to update its profiles. rkhunter needs to know what files should be like so any system updates are going to upset it.

Once you know something is safe, you can run sudo rkhunter --propupd /bin/which to update its reference of the file.

This is one of the problems with rkhunter. It needs deep integration into the deb process so that when trusted, signed packages are installed, rkhunter updates its references to files.


And no, I wouldn't whitelist things like this because this is exactly the sort of thing a rootkit would go after.
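The "painful process" described above, as an added example that is not part of the original answer: it assumes the package name is supplied by the caller (e.g. debianutils for /bin/which), fetches the .deb with apt-get download, extracts md5sums from the control tarball with dpkg-deb, and compares the recorded checksum with the live file instead of trusting the locally rewritable /var/lib/dpkg/info/*.md5sums.

```shell
#!/bin/sh
# Added example: verify a live file against the md5sums shipped inside a
# freshly downloaded .deb rather than against the local dpkg md5sums that
# debsums trusts and that a rootkit could rewrite alongside the binary.
set -u

# Look up the recorded checksum for one path in a Debian md5sums file
# ("HASH  relative/path" lines) and compare it with the live file.
# Returns 0 on match, 1 on mismatch, 2 if the path is not listed.
verify_against_md5sums() {
    md5sums_file=$1
    live_path=$2
    rel=${live_path#/}
    # Merged-/usr systems may record bin/which as usr/bin/which; try both.
    expected=$(awk -v p="$rel" -v q="usr/$rel" \
        '$2 == p || $2 == q { print $1; exit }' "$md5sums_file")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$live_path" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Fetch the package from the configured mirror (apt checks the download
# against the signed index), pull md5sums out of the control tarball
# and verify the live file. Usage: fetch_and_verify debianutils /bin/which
fetch_and_verify() {
    pkg=$1
    live_path=$2
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && apt-get download "$pkg" >/dev/null ) || { rm -rf "$tmp"; return 1; }
    deb=$(ls "$tmp"/*.deb | head -n 1)
    dpkg-deb --ctrl-tarfile "$deb" | tar -x -C "$tmp" -f - || { rm -rf "$tmp"; return 1; }
    rc=0
    verify_against_md5sums "$tmp/md5sums" "$live_path" || rc=$?
    rm -rf "$tmp"
    case $rc in
        0) echo "OK: $live_path matches the checksum shipped in $pkg" ;;
        1) echo "MISMATCH: $live_path differs from the checksum shipped in $pkg" ;;
        *) echo "NOT LISTED: $live_path is not in the md5sums of $pkg" ;;
    esac
    return $rc
}

# Run the full check only when invoked with <package> <absolute path>.
if [ "$#" -eq 2 ]; then
    fetch_and_verify "$1" "$2"
fi
```

A MISMATCH here is worth investigating before running rkhunter --propupd, since the comparison no longer depends on anything a local attacker could have rewritten.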


zuba, the whitelist idea is a bad one; it is unassigning a file to be checked which should be visible to you and your anti-malware. The idea is used, though, and viewing the message is harmless. It would be better if we could create a write-through instead, somewhere along the lines of "lines beginning with \ will be ignored"; but that takes some coding experience and intimate knowledge of the workings of rkhunter.

The /bin/which will be rewritten when needed to accommodate programming changes. In general, one file may be replaced, or files may be temporarily created and change or disappear after a reboot, and that may trick the rkhunter software.

There is a line where software/updates or anti-malware resembles a rootkit, and I believe this is one of those.

The method you employ is dangerous only if it changes a program or file that will (act to) somehow affect the computer's operation. Sometimes we are worse than our machines in that respect. Proving this for your computer is really unfair to ask, as I could if it were mine. I would know, document the warnings and checksums, and would note whenever there was a change.