How To Fix Rkhunter sudo Warning

This how-to on fixing the rkhunter sudo warning focuses on an rkhunter warning that can result from an updated sudo package.

Background

After receiving two new rkhunter messages I investigated to find the root cause. I thought it might be helpful for you to understand how I addressed the warning. I am sharing the warnings so you can identify whether you have the same or a similar issue. The warning you receive, however, may not be exactly the same.

The first warning I received looked like this:

From: root <root@XXXXXXXXXXX.com>
Subject: XXXXXXXXXXX Server [rkhunter] Warnings found for XXXXXXXXXXX
Date: 11 November 2022 at 06:27:01 CET
To: root@XXXXXXXXXXX.com
Please inspect this machine, because it may be infected.

The second warning was a bit more sophisticated and looked like this:

From: root <root@XXXXXXXXXXX.com>
Subject: [rkhunter] for XXXXXXXXXXX - Daily report
Date: 11 November 2022 at 06:27:01 CET
To: root@XXXXXXXXXXX.com
Warning: The file properties have changed:
File: /usr/bin/sudo
Current hash: XXXXXXXXXXX
Stored hash : YXXXXXXXXXX
Current inode: 1171 Stored inode: 6636
Current file modification time: 1667822297 (07-Nov-2022 12:58:17)
Stored file modification time : 1611145577 (20-Jan-2021 13:26:17)

How To Fix Rkhunter sudo Warning

The messages shared in the Background chapter help to understand whether something good or bad happened to the Debian Linux box. Now, how do we find this out? Reading the second message, we clearly see that it points to the file /usr/bin/sudo.

Identify The Root Cause

My first idea was that there must have been an automated software update. However, making assumptions is a bad idea, so let's double-check whether my idea is true. To do so, we need to execute a simple command and validate the output.

The good news is that this is easy. We simply run a grep command searching for the word sudo against the dpkg log file, into which any proper package update writes its changes. Simply execute the below command:

grep -w sudo  /var/log/dpkg.log

In my case, the output was as the following:

root@XXXXXXXXX:~# grep -w sudo  /var/log/dpkg.log
2022-11-08 04:16:55 upgrade sudo:amd64 1.8.27-1+deb10u3 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status half-installed sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 configure sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 status unpacked sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u4
2022-11-08 04:16:56 status installed sudo:amd64 1.8.27-1+deb10u4

Direct hit! Indeed there was a software update of sudo. You can see this clearly in the above log output. For this reason, I can feel confident updating the rkhunter database. This will resolve the issue.

Update Rkhunter Database

Rkhunter in my case is throwing alerts at me because the file sudo changed. As we have seen in the previous chapter, rkhunter is doing this correctly: the file indeed changed. However, it changed for a good reason. It therefore makes sense to update the rkhunter database. This chapter shows how to do this.

To update the rkhunter database with the hash value of the newly updated file, we fire the following command:

rkhunter --update --propupd

Note: Only fire this command if you are really sure the file was updated for an intended reason. If this is not the case, then you should further investigate your machine, as it may really have been affected by an unintended event, e.g. hacking.

Once the command has executed successfully, double-check whether your rkhunter configuration still works properly:

rkhunter -c

If there are no error messages or issues anymore, then you are done.
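The decision made above (is the changed file explained by a dpkg upgrade that happened after rkhunter stored its properties?) written out as a small shell check. This is an added example, not code from the original post; the dpkg.log content is a constructed sample modelled on the lines shown earlier, the function names are my own, and it assumes GNU date for `date -d`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Decides whether an rkhunter
# "file properties have changed" warning for a dpkg-managed file is explained
# by a package upgrade recorded in dpkg.log. Assumes GNU date (`date -d`).
set -u

# Constructed sample of /var/log/dpkg.log, modelled on the lines in the post.
# On a real box read the real file; `dpkg -S /usr/bin/sudo` names the package.
SAMPLE_DPKG_LOG='2022-11-08 04:16:55 upgrade sudo:amd64 1.8.27-1+deb10u3 1.8.27-1+deb10u4
2022-11-08 04:16:55 status half-configured sudo:amd64 1.8.27-1+deb10u3
2022-11-08 04:16:56 status installed sudo:amd64 1.8.27-1+deb10u4
2022-11-09 05:00:00 upgrade libc6:amd64 2.28-10+deb10u1 2.28-10+deb10u2'

# explained_by_upgrade PKG STORED_MTIME_EPOCH   (dpkg.log lines on stdin)
# Prints the first upgrade/install record of PKG that is newer than the
# modification time rkhunter stored, and returns 0. Returns 1 when no such
# record exists: then the change is unexplained, --propupd is the wrong move,
# and the machine needs a closer look first.
explained_by_upgrade() {
    local pkg="$1" stored="$2" day time action name rest epoch
    while read -r day time action name rest; do
        case "$action" in upgrade|install) ;; *) continue ;; esac  # skip "status" lines
        [ "${name%%:*}" = "$pkg" ] || continue      # drop ":amd64", match the package
        epoch=$(date -d "$day $time" +%s) || return 2
        # The upgrade must postdate the stored properties. The new file's own
        # mtime may still be *older* than the upgrade, because dpkg keeps the
        # mtime from the .deb (built 07-Nov-2022 in the post, installed 08-Nov).
        if [ "$epoch" -gt "$stored" ]; then
            printf '%s %s %s %s %s\n' "$day" "$time" "$action" "$name" "$rest"
            return 0
        fi
    done
    return 1
}

# check_sample PKG STORED_MTIME_EPOCH: the same check against the constructed log.
check_sample() { printf '%s\n' "$SAMPLE_DPKG_LOG" | explained_by_upgrade "$1" "$2"; }

# Values from the warning in the post: stored mtime 1611145577 (20-Jan-2021).
if check_sample sudo 1611145577; then
    echo "explained: sudo was upgraded by dpkg; rkhunter --propupd is justified"
else
    echo "NOT explained: investigate before touching the rkhunter database"
fi
```

On a real system replace `check_sample` with `explained_by_upgrade sudo 1611145577 < /var/log/dpkg.log` (the stored time comes straight from the warning mail); a non-zero result means the grep step found no matching upgrade and the caveat in the note above applies.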

Additional Information

There are various sources on the internet that allow you to dive deeper into the rkhunter specifics. Below you find some links that may help you:

If you like this how-to, then please take the opportunity to link to it or share it! This is highly appreciated.

If you found errors or would like to comment, then please feel free to use my feedback form. I look forward to your message!