Rkhunter – How To Fix Rkhunter Warning

This guide shows you how to fix possible false positives reported by rkhunter. However, be careful and double check whether it really is a false positive or whether you are dealing with a newly installed rootkit.

The rkhunter warning “Warning: The file properties have changed: (….)” can have different root causes. Whatever the reason is, you should not ignore it. This warning is to be taken seriously.

Before you start with this how-to: I strongly recommend that you make a full backup of your system! This how-to gives you no warranty of success. If you do not understand what you are doing, you risk destroying or harming your system.

Index:

  1. Software updates as the root cause of the rkhunter warning
  2. Rkhunter – How to Fix Rkhunter Warning
  3. Rkhunter – Warning for /usr/bin/ldd in Debian Linux
  4. Further information that you like to consider

Software updates as the root cause of the rkhunter warning

In the cases I have seen, the most likely root cause is a software update performed by a so-called headless (also called automatic or unattended) update configuration.

The automatic (headless) software update replaces your files while rkhunter does not update its stored hashes. The next time rkhunter runs through your file system, it rightly notices that the hash values have changed and reports a warning. You could call this a false positive, because you wanted your system to update automatically. Such a warning message could look like the example below:

[Image: rkhunter warning message example – How To Fix Rkhunter Warning]

Rkhunter – How to Fix Rkhunter Warning

First of all, double check whether a software update took place between the last rkhunter run that produced no warning and the new rkhunter run that produced the warning.

The apt history log gives you a good view of this. On Debian Linux, execute the following command to check for software updates:

more /var/log/apt/history.log

If you find that there was indeed a software update, the second step is to find out whether the file in scope of the warning was updated. In the above example it would be /usr/bin/ldd.

In the above example /usr/bin/ldd was indeed updated by a software update, hence the only thing that needs to be done is to update the rkhunter file properties database with the hash value of the updated file. You can do this with the following command:

rkhunter --update --propupd
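Putting the two checks above together, here is an added example script (it is not part of the original article): it searches an apt history log for an upgrade of the package owning the warned file that started after a cutoff time, and recommends either updating the rkhunter database or investigating. It runs against a constructed history.log excerpt (the version strings are made up) written to a temp file. On a real Debian host the log is /var/log/apt/history.log, the owning package can be found with `dpkg -S /usr/bin/ldd` (libc-bin), and a sensible cutoff is the modification time of rkhunter's properties database, which I assume lives at /var/lib/rkhunter/db/rkhunter.dat.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an rkhunter
# "file properties have changed" warning is explained by a package upgrade
# recorded in apt's history log after the last rkhunter --propupd.

# Constructed excerpt of /var/log/apt/history.log (sample data, including
# the version strings) written to a temp file so the example runs offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-demo-history.log"
cat >"$SAMPLE_LOG" <<'EOF'
Start-Date: 2024-03-01  06:25:12
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.11-1~deb12u1, 3.0.11-1~deb12u2)
End-Date: 2024-03-01  06:25:20

Start-Date: 2024-03-10  06:30:01
Commandline: /usr/bin/unattended-upgrade
Upgrade: libc-bin:amd64 (2.36-9+deb12u3, 2.36-9+deb12u4), libc6:amd64 (2.36-9+deb12u3, 2.36-9+deb12u4)
End-Date: 2024-03-10  06:30:19
EOF

# upgraded_after LOGFILE PACKAGE CUTOFF
# Returns 0 and prints "<start-date> <transaction line>" if PACKAGE was
# upgraded, installed or reinstalled in a transaction that started at or
# after CUTOFF (format "YYYY-MM-DD HH:MM:SS"); returns 1 otherwise.
# Timestamps are fixed-width, so a plain string comparison orders them
# correctly once runs of spaces are collapsed.
upgraded_after() {
    awk -v pkg="$2" -v cutoff="$3" '
        BEGIN { gsub(/ +/, " ", cutoff); found = 0 }
        /^Start-Date:/ {
            start = $0; sub(/^Start-Date: */, "", start); gsub(/ +/, " ", start)
            next
        }
        /^(Upgrade|Install|Reinstall):/ && start >= cutoff {
            line = $0; sub(/^[A-Za-z-]+: */, "", line)
            n = split(line, entries, /\), */)   # one "name:arch (old, new)" per entry
            for (i = 1; i <= n; i++) {
                name = entries[i]; sub(/[: (].*$/, "", name)   # keep the package name only
                if (name == pkg) { printf "%s %s\n", start, $0; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# triage LOGFILE PACKAGE CUTOFF: prints the recommended next step.
triage() {
    if upgraded_after "$1" "$2" "$3" >/dev/null; then
        echo "propupd"        # the upgrade explains the warning: run rkhunter --propupd
    else
        echo "investigate"    # no upgrade found: treat the changed file as suspicious
    fi
}

# Demo: /usr/bin/ldd belongs to libc-bin; assume the last propupd was on 2024-03-05.
upgraded_after "$SAMPLE_LOG" libc-bin "2024-03-05 00:00:00"
triage "$SAMPLE_LOG" libc-bin "2024-03-05 00:00:00"   # prints: propupd
triage "$SAMPLE_LOG" openssl  "2024-03-05 00:00:00"   # prints: investigate
```

On a live system the cutoff would be taken from the database file, for example `stat -c %y /var/lib/rkhunter/db/rkhunter.dat | cut -c1-19` (path assumed), and "investigate" means the changed file is not explained by any recorded package transaction, so the hash should not simply be accepted with `--propupd`.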

Rkhunter – Warning for /usr/bin/ldd in Debian Linux

Debian Linux ships /usr/bin/ldd as a shell script rather than a compiled binary. rkhunter flags binaries that appear to have been replaced by scripts, so this produces a warning that is not necessary. The solution in this case is to whitelist the file, which you do by editing the whitelist in the rkhunter configuration.

To edit the whitelist you enter on the command line:

vi /etc/rkhunter.conf

Within this file you search for or add the following line:

SCRIPTWHITELIST=/usr/bin/ldd

If the above line does not exist, add it. Once done, double check your configuration by running:

rkhunter -C

If there is no output on the command line, then all looks good and you can continue with your work. If there is any output, check your rkhunter.conf file for errors based on that output.

If all is fine, double check your updated configuration by executing the command below (note: depending on your hardware, this can take a while):

rkhunter -c --enable all --disable none --rwo

Once done, execute the command below to store the updated file properties:

rkhunter --propupd
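The whitelist edit above is easy to get wrong in two ways: adding the line twice, or whitelisting a file that is not actually a script (which would hide exactly the replacement rkhunter is looking for). The following added example script (not part of the original article) adds the SCRIPTWHITELIST entry idempotently and only after confirming the file starts with a "#!" interpreter line. It works on a constructed rkhunter.conf excerpt and constructed stand-in files in a temp directory; on a real host the config is /etc/rkhunter.conf and the file is /usr/bin/ldd.

```shell
#!/bin/sh
# Added example (not from the article): whitelist a scripted binary in
# rkhunter.conf only after confirming the file really is a script, and do it
# idempotently so repeated runs do not duplicate the line.

WORK="${TMPDIR:-/tmp}/rkhunter-whitelist-demo"
mkdir -p "$WORK"
CONF="$WORK/rkhunter.conf"    # stand-in for /etc/rkhunter.conf
SCRIPT="$WORK/ldd"            # stand-in for Debian's scripted /usr/bin/ldd
BINARY="$WORK/not-a-script"   # stand-in for a compiled binary

# Constructed sample config and files so the example runs offline.
printf '# constructed rkhunter.conf excerpt\nSCRIPTWHITELIST=/usr/bin/egrep\n' >"$CONF"
printf '#! /bin/bash\n# stand-in for the ldd wrapper script\necho ldd\n' >"$SCRIPT"
printf '\177ELF\002\001\001' >"$BINARY"

# is_script FILE: 0 if the first line of FILE starts with "#!", else 1.
is_script() {
    [ -f "$1" ] || return 1
    IFS= read -r first <"$1" || :    # tolerate a file without a trailing newline
    case $first in '#!'*) return 0 ;; *) return 1 ;; esac
}

# whitelisted CONF FILE: 0 if CONF already has an active (uncommented)
# SCRIPTWHITELIST line for FILE. -x matches the whole line, so a commented
# "#SCRIPTWHITELIST=..." does not count; -F takes the path literally.
whitelisted() {
    grep -qxF "SCRIPTWHITELIST=$2" "$1"
}

# ensure_whitelisted CONF FILE: append the entry once. Returns 0 when the
# entry is present afterwards, 2 when FILE is not a script (a compiled
# binary must not be whitelisted this way, since that would hide a real
# replacement of the binary by a script).
ensure_whitelisted() {
    is_script "$2" || return 2
    whitelisted "$1" "$2" && return 0
    printf 'SCRIPTWHITELIST=%s\n' "$2" >>"$1"
}

# Demo: first run adds the line, second run is a no-op, the binary is refused.
ensure_whitelisted "$CONF" "$SCRIPT" && echo "whitelisted $SCRIPT"
ensure_whitelisted "$CONF" "$SCRIPT" && echo "second run: no duplicate added"
ensure_whitelisted "$CONF" "$BINARY" || echo "refused $BINARY (rc=$?)"
cat "$CONF"
```

After editing the real /etc/rkhunter.conf this way, run `rkhunter -C` as described above to confirm the configuration still parses.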

Further information that you like to consider

There are various sources on the internet that allow you to dive deeper into the rkhunter specifics. Below you find some links that may help you: