rkhunter warning package manager verification has failed
I am seeing repeated warnings in rkhunter for
/usr/bin/newgrp
/usr/bin/su
I'm running an updated rkhunter and --propupd have been completed prior to running the check.
rkhunter.log:

[03:16:28] /usr/bin/newgrp [ Warning ]
[03:16:28] Warning: Package manager verification has failed:
[03:16:28] File: /usr/bin/newgrp
[03:16:28] The file permissions have changed
[03:16:33] /usr/bin/su [ Warning ]
[03:16:33] Warning: Package manager verification has failed:
[03:16:33] File: /usr/bin/su
[03:16:33] The file permissions have changed
[03:16:33] The file group has changed

Should I be worried or is this normal?
Hello @ronaldst, The first step when encountering this type of warning is to verify which RPM controls those files and to see if that RPM was recently updated. For example:

# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
# grep "util-linux" /var/log/yum.log
Aug 21 00:27:21 Updated: util-linux-2.23.2-52.el7_5.1.x86_64

For this file, it shows that it's part of the util-linux RPM and that RPM was last updated through YUM on August 21. Next, check the permission and ownership values on those files to see if they match a comparable system. Here's the output from a CentOS 7 test machine running cPanel & WHM version 74:

# ls -al /usr/bin/su
-rwsr-x--- 1 root wheel 32184 Aug 16 13:47 /usr/bin/su
# ls -al /usr/bin/newgrp
-rwxr-xr-x. 1 root root 41776 Nov 5 2016 /usr/bin/newgrp

Thank you.
I'm getting similar results (that you have posted). However, there is one exception: yum logs show an update on May 12th.

[root@host ~]# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
[root@host ~]# grep "util-linux" /var/log/yum.log
May 12 01:04:58 Updated: util-linux-2.23.2-52.el7.x86_64
Aug 21 01:04:38 Updated: util-linux-2.23.2-52.el7_5.1.x86_64
[root@host ~]# ls -al /usr/bin/su
-rwsr-x---. 1 root wheel 32184 Aug 16 20:47 /usr/bin/su
[root@host ~]# ls -al /usr/bin/newgrp
-rwxr-xr-x. 1 root root 41776 Nov 5 2016 /usr/bin/newgrp

I don't know what to read into this, really.
Hi @ronaldst, The May 12th entry appears because your server was set up before the test server I utilized in the example. The command is simply showing the times when the package was updated through YUM. It's possible this is a false positive from the RKHunter application. Here are some links where this is discussed:

Update only upgraded packages with rkhunter --propupd
Rootkit Hunter / Re: [Rkhunter-users] baffling warning

Thank you.
I'm having a similar issue with the "su" alerting on package verification. I've done a hash checksum and the file appears fine (in fact it's a brand new server install from source). To suppress this warning you'll need to add the following directive to /etc/rkhunter.conf:

PKGMGR_NO_VRFY=/usr/bin/su

then run:

rkhunter --propupd
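The triage sequence the replies above describe (find the owning RPM, see what actually differs from the RPM database, and only then decide whether to suppress) as an added shell example. This is not code from the thread, from cPanel or from rkhunter. It parses the warning format shown in the log (the sample lines below are constructed to match it), classifies each flagged file by whether only mode/owner/group changed or something content-level did, and, where the rpm binary exists, shows the owning package and the `rpm -V` line for that file. The "owner has changed" wording in the whitelist check is assumed from rkhunter's message style; the thread only shows the permissions and group messages.

```shell
#!/bin/sh
# Added example, not from the original thread or from rkhunter itself.
# Triage rkhunter "Package manager verification has failed" warnings:
#   1. pull each flagged file and its reasons out of an rkhunter log,
#   2. decide whether only metadata (mode/owner/group) differs,
#   3. cross-check against the RPM database with rpm -qf / rpm -V if available.

# Constructed sample log, formatted like the lines quoted in the thread.
SAMPLE_LOG='[03:16:28] /usr/bin/newgrp [ Warning ]
[03:16:28] Warning: Package manager verification has failed:
[03:16:28] File: /usr/bin/newgrp
[03:16:28] The file permissions have changed
[03:16:33] /usr/bin/su [ Warning ]
[03:16:33] Warning: Package manager verification has failed:
[03:16:33] File: /usr/bin/su
[03:16:33] The file permissions have changed
[03:16:33] The file group has changed
[03:16:40] /usr/bin/ls [ OK ]'

# flagged_files LOGTEXT -> one "path|reason;reason" line per flagged file
flagged_files() {
    printf '%s\n' "$1" | awk '
        /Warning: Package manager verification has failed/ { inwarn = 1; next }
        inwarn && /\] File: / { sub(/.*\] File: /, ""); file = $0; reasons = ""; next }
        inwarn && /\] The file / {
            sub(/.*\] The file /, "")
            reasons = reasons (reasons ? ";" : "") $0
            next
        }
        # any other line ends the current warning block
        inwarn && file != "" { print file "|" reasons; inwarn = 0; file = "" }
        END { if (inwarn && file != "") print file "|" reasons }
    '
}

# only_metadata_changed REASONS -> exit 0 when every reason is a mode/owner/group
# change, exit 1 if anything else (size, hash, mtime, ...) is reported.
# "owner has changed" is assumed wording; the thread shows only the other two.
only_metadata_changed() {
    old_ifs=$IFS
    IFS=';'
    for r in $1; do
        case "$r" in
            "permissions have changed"|"owner has changed"|"group has changed") ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# rpm_check FILE: show the owning package and the rpm -V line for FILE.
# rpm -V's flag column is S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; a dot means unchanged.
# Skipped (with a message) where rpm is not installed.
rpm_check() {
    command -v rpm >/dev/null 2>&1 || { echo "   rpm not available; skipping $1"; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "   $1 is not owned by any RPM"; return 0; }
    echo "   $1 belongs to $pkg"
    rpm -V "$pkg" | awk -v f="$1" '$NF == f' | grep . \
        || echo "   rpm -V: $1 matches the RPM database"
    return 0
}

main() {
    flagged_files "$SAMPLE_LOG" | while IFS='|' read -r file reasons; do
        echo "== $file: $reasons"
        if only_metadata_changed "$reasons"; then
            echo "   only mode/owner/group differ from the RPM db; compare against a"
            echo "   known-good host before adding PKGMGR_NO_VRFY=$file to /etc/rkhunter.conf"
        else
            echo "   content-level change reported; do not whitelist, investigate"
        fi
        rpm_check "$file"
    done
}

main
```

Running this against the constructed log prints both files as metadata-only changes; a real hash or size change would fall into the "do not whitelist" branch. A PKGMGR_NO_VRFY entry only removes the file from the package-manager comparison; rkhunter's own stored-properties check (refreshed by --propupd) still covers it, so the digest is not unmonitored after suppression.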