We are running a (new) CentOS 7 system here. To watch the system for unwanted changes/hacking attempts, we run rkhunter every night. Also, after every (yum) update, we prelink everything and run "rkhunter --propupd".
This worked fine. But after a few days we got the following error:
[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
...
...
...
[03:55:04] Warning: Checking for prerequisites [ Warning ]
[03:55:04] The local host configuration or operating system has changed.
[03:55:05] /usr/sbin/adduser [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05] /usr/sbin/chkconfig [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05] /usr/sbin/chroot [ Warning ]
We are sure the server has not been hacked, because we checked the dates and sizes of some of the binaries. We also created checksums of some of these files. After the rkhunter warning occurred, all files were identical and unchanged.
But we want to find out what the cause of the rkhunter warning is......
Any ideas?
Edit:
There are other warnings in the rkhunter log file:
[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05] Because of the change(s) the file properties checks may give some false-positive results.
[03:55:05] You may need to re-run rkhunter with the '--propupd' option.
This is also the solution. See my answer below....
Found it! Today I looked through several log files. That is how I found a prelink log file. The log file shows a prelink process being run. After searching the cron files for a prelink job, I found it in /etc/cron.daily. I am sure this is the cause of the rkhunter warning... :-)