rkhunter: right way to handle warnings further?

rkhunter

Using debsums is a very clever idea with one major flaw: If something were to overwrite a root-owned file such as /bin/which, it could also rewrite /var/lib/dpkg/info/*.md5sums with an updated checksum. There is no chain of custody back to a Debian/Ubuntu signature, as far as I can see. Which is a real shame because that would be a really simple, really quick way to verify the authenticity of a live file.

Instead to truly verify a file, you need to download a fresh copy of that deb, extract the internal control.tar.gz and then look at its md5sums file to compare against a real md5sum /bin/which. It's a painful process.

What has most likely happened here is that you've had some system updates (a distribution upgrade even) and you haven't asked rkhunter to update its profiles. rkhunter needs to know what files should be like so any system updates are going to upset it.

Once you know something is safe, you can run sudo rkhunter --propupd /bin/which to update its reference of the file.

This is one of the problems with rkhunter. It needs deep integration into the deb process so that when trusted, signed packages are installed, rkhunter updates its references to files.

And no, I wouldn't whitelist things like this because this is exactly the sort of thing a rootkit would go after.


zuba, the whitelist idea is a bad one; it is unassigning a file to be checked which should be visible to you and your anti-malware, the idea is used though and viewing the message is harmless. Could we create a writethrough instead would be better. somewhere along the lines of \lines beginning with \ will be ignored; but that takes some coding experience and intimate knowledge of the workings of rkhunter.

The bin/which will be rewritten when needed to accommodate programming changes; In general one file may be replaced or files may be temporarily created and change or disappear after a reboot, and that may trick the rkhunter software.

There is a line where software/updates or antimalware resembles a rootkit, and I believe these are one of those.

The method you employ is dangerous only if it changes a program or file that will (act to) somehow affect the computers operation. Sometimes we are worse that our machines in that respect. Proving this for your computer is really unfair to ask, as I could if it were mine. I would know, document the warnings and checksums and would note whenever there was a change.

Related

How can I change the time zone of bandwidthd?
How do I undo an accidental installation of all Perl modules?
Move ecryptfs .Private directory to another partition
How do I install video4linux2 in Ubuntu 12.10, and do I need to?
How would one address a female priest in the Anglican Community?
The state of being melancholic is called melancholia. What are similar words for other 3 Graeco-Roman temperaments?
If Oswald didn’t shoot Kennedy someone else will have
Is there a word for not being sympathetic to a position, but also not being ardent towards it? [closed]
Having ablution(wudu)
What is it called when one believes to be superior but objectively is not?
Why does "too [adjective] a [noun]" require the determiner to come *after* the adjective?
How to express the idea that "improve performance" [closed]