This how-to on fixing an rkhunter sudo warning focuses on a warning that can result from an updated sudo package.
After receiving two new rkhunter messages I investigated to find the root cause. I thought it might be helpful to show how I addressed the warning. I am sharing the warnings so you can identify whether you have the same or a similar issue; the warning you receive may not be exactly the same.
The first warning I received looked like this:
From: root <root@XXXXXXXXXXX.com>
Subject: XXXXXXXXXXX Server [rkhunter] Warnings found for XXXXXXXXXXX
Date: 11 November 2022 at 06:27:01 CET
To: root@XXXXXXXXXXX.com

Please inspect this machine, because it may be infected.
The second warning was a bit more sophisticated and looked like this:
From: root <root@XXXXXXXXXXX.com>
Subject: [rkhunter] for XXXXXXXXXXX - Daily report
Date: 11 November 2022 at 06:27:01 CET
To: root@XXXXXXXXXXX.com

Warning: The file properties have changed:
File: /usr/bin/sudo
Current hash: XXXXXXXXXXX
Stored hash : YXXXXXXXXXX
Current inode: 1171
Stored inode: 6636
Current file modification time: 1667822297 (07-Nov-2022 12:58:17)
Stored file modification time : 1611145577 (20-Jan-2021 13:26:17)
How To Fix Rkhunter sudo Warning
The messages shared in the background chapter help to tell whether something benign or malicious happened to the Debian Linux box. Now, how do we find this out? The second message clearly points to the file /usr/bin/sudo: its hash, inode and modification time all differ from what rkhunter had stored. A new inode means the binary was replaced by a new file rather than edited in place, which is exactly what a package upgrade does, but also what a tampered binary dropped over the original would look like.
Identify The Root Cause
My first idea was that there must have been an automated software update. However, making assumptions is a bad idea, so let's verify whether that idea is true. To do so, we only need to execute a simple command and validate the output.
The good news is that this is easy. We grep for the word sudo in the dpkg log, the file into which every package operation on Debian is written:
grep -w sudo /var/log/dpkg.log
If the change is older than the current log, the entries may already have been rotated into /var/log/dpkg.log.1 or a compressed /var/log/dpkg.log.*.gz. zgrep searches both plain and compressed files:
zgrep -w sudo /var/log/dpkg.log*
In my case, the output was as the following:
root@XXXXXXXXX:~# grep -w sudo /var/log/dpkg.log
2022-11-08 04:16:55 upgrade sudo:amd64 1.8.27-1+deb10u3 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status half-installed sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 configure sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:56 status installed sudo:amd64 1.8.27-1+deb10u4
Direct hit! The log shows that sudo was upgraded from 1.8.27-1+deb10u3 to 1.8.27-1+deb10u4 on 2022-11-08, a few days before the rkhunter mail. Note that the new binary's modification time (07-Nov-2022) is earlier than the install time: dpkg preserves the timestamp stored inside the .deb, which is the package build time, so the two are not expected to match. As an additional check, dpkg -V sudo compares the installed files against the md5sums shipped with the package; no output means they match. For this reason, I can feel confident updating the rkhunter database, which will resolve the warning.
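The check above, turned into a small script, as an added example that is not part of the original post: it looks up the last upgrade or install record of a package across the current and rotated dpkg logs and prints a verdict for the file rkhunter complained about. The log lines are constructed for the demo (the sudo lines mirror the ones shown above; demo-tool is made up); on a real box you would point it at /var/log/dpkg.log* and get the owning package from dpkg -S. zcat is assumed to be available for the .gz rotations.

```shell
#!/bin/sh
# Added example (not from the original post): match an rkhunter changed-file
# warning against the most recent upgrade/install record in dpkg log files.
# Rotated logs (/var/log/dpkg.log.1, *.gz) are handled; zcat is assumed.

# Constructed sample log for the demo; the real file is /var/log/dpkg.log.
SAMPLE_DPKG_LOG=$(mktemp)
cat > "$SAMPLE_DPKG_LOG" <<'EOF'
2022-11-08 04:16:55 upgrade sudo:amd64 1.8.27-1+deb10u3 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 configure sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:56 status installed sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:17:10 install demo-tool:amd64 <none> 0.1-1
EOF

# dpkg_upgrade_record PKG LOGFILE...
# Prints "DATE TIME ACTION OLD NEW" for the last upgrade/install of PKG
# (package name without the :arch suffix). Exit 1 if no such record exists.
dpkg_upgrade_record() {
    pkg=$1
    shift
    for f in "$@"; do
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | awk -v pkg="$pkg" '
        ($3 == "upgrade" || $3 == "install") {
            split($4, name, ":")
            if (name[1] == pkg) last = $1 " " $2 " " $3 " " $5 " " $6
        }
        END { if (last == "") exit 1; print last }'
}

# explain_change FILE PKG LOGFILE...
# Prints "explained: ..." (exit 0) when the owning package was upgraded or
# installed according to the logs, "unexplained: ..." (exit 1) otherwise.
# An unexplained change needs a real investigation, not a database update.
explain_change() {
    file=$1
    pkg=$2
    shift 2
    if rec=$(dpkg_upgrade_record "$pkg" "$@"); then
        echo "explained: $file belongs to $pkg, log shows: $rec"
        return 0
    fi
    echo "unexplained: no upgrade/install of $pkg in the given logs for $file"
    return 1
}

# On a real Debian box the owning package comes from dpkg, e.g.:
#   pkg=$(dpkg -S /usr/bin/sudo | cut -d: -f1)
#   explain_change /usr/bin/sudo "$pkg" /var/log/dpkg.log /var/log/dpkg.log.1
explain_change /usr/bin/sudo sudo "$SAMPLE_DPKG_LOG"
```

An "unexplained" verdict does not prove compromise, but it does mean the package manager did not touch the file, and the next step is forensics on the binary (compare it with the copy in the .deb from the Debian archive, check who wrote it and when) rather than re-baselining rkhunter.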
Update Rkhunter Database
Rkhunter in my case is firing alerts at me because the file sudo changed. As we have seen in the previous chapter, rkhunter is doing this correctly: the file did change, but for a good reason. It therefore makes sense to update the rkhunter database. This chapter shows how to do this.
To refresh rkhunter's stored file properties (hash, inode and modification time) with those of the updated file, run the following command:
rkhunter --update --propupd
--update fetches rkhunter's own data files from its mirrors, --propupd rewrites the file-properties database. If you prefer not to re-baseline every monitored file at once, --propupd also accepts a package name or full path, so only that entry is refreshed, e.g. rkhunter --propupd sudo.
Note: Only run this command if you are really sure the file was updated for an intended reason. If that is not the case, investigate the machine further, as it may really have been affected by an unintended event such as a compromise; re-baselining would simply teach rkhunter to accept the tampered file.
Once the command has completed successfully, run a fresh check to confirm the warning is gone and that the rest of your rkhunter configuration still works:
rkhunter -c --sk --rwo
This runs the check, skips the keypress prompts and reports warnings only. If it reports no warnings, then you are done.
There are various sources on the internet that allow you to dive deeper into the rkhunter specifics. Below you find some links that may help you:
- Rkhunter – How To Fix Rkhunter Warning
- Rkhunter Linux man page – man page including rkhunter description and command options
- Debian Linux rkhunter man page – specific Debian Linux man page about rkhunter
If you like this how-to, then please take the opportunity to link to it or share it! This is highly appreciated.
If you found errors or would like to comment, then please feel free to use my feedback form. I look forward to your message!