rkhunter: after a few days I get "The system has changed to not using prelinking since the last run."

We are running a (new) CentOS 7 system here. To notice whether the system has been subject to unauthorized changes or a hack, we run rkhunter every night. In addition, after every (yum) update we prelink everything and run "rkhunter --propupd".

This works fine. But after a few days we receive the following error:

[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.
...
...
...
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chroot                                [ Warning ]

We are sure the server has not been hacked, because we have checked the dates and sizes of some of the binaries. We also verified checksums of some of them. After the rkhunter warning, all files are identical and nothing has changed.

But we would like to find the cause of the rkhunter warning...

Any ideas?

Edit:

There are other warnings in the rkhunter log file as well:

[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05]          Because of the change(s) the file properties checks may give some false-positive results.
[03:55:05]          You may need to re-run rkhunter with the '--propupd' option.

This is also the solution. See the answer below...

Answer 1

Found it! Today I went through several log files, and so I found a prelink log file. The log file shows that a prelink process has been running. After searching the cron files for a prelink job, I found it in /etc/cron.daily. I am sure this is the cause of the rkhunter warning... :-)
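To make the distinction the answer arrived at explicit in a nightly check, here is an added shell example (not code from the question, the answer or rkhunter itself) that triages an rkhunter log: file-property warnings that coincide with rkhunter's own "prelinking changed" notice are flagged as explained by a prelink run, while the same warnings without that notice are reported as unexplained. The sample log lines are constructed after the ones quoted in the question.

```shell
#!/bin/sh
# Added example: triage an rkhunter log for prelink-related false positives.
# Not part of rkhunter; the sample log below is constructed, modelled on the
# lines quoted in the question.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05]          You may need to re-run rkhunter with the '--propupd' option.
EOF

# True when rkhunter itself reports that the prelink state flipped since the
# last run (in either direction), which a prelink cron job or an update causes.
prelink_state_changed() {
    grep -Eq 'The system has changed to (not )?using prelinking' "$1"
}

# Print each file whose stored properties are missing from rkhunter.dat.
files_with_property_warnings() {
    sed -n "s/.*No inode value found for file '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Classify the run:
#   clean                       no file-property warnings
#   prelink-state-change        warnings explained by a prelink state change;
#                               verify the files, then re-run --propupd
#   unexplained-property-change warnings with no prelink explanation;
#                               investigate before touching --propupd
triage() {
    n=$(files_with_property_warnings "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo clean
    elif prelink_state_changed "$1"; then
        echo prelink-state-change
    else
        echo unexplained-property-change
    fi
}

triage "$SAMPLE_LOG"
```

In practice the same classification is best combined with the ordering the question already uses: run prelink first, verify, and only then run "rkhunter --propupd", so the stored properties match the prelinked binaries.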
