Hidden apps?

OK - so what I found is you have to modify /etc/rkhunter.d/00-opensuse.conf - you can’t/shouldn’t
modify /etc/rkhunter.conf or rkhunter.conf.local. That’s what the GitHub instructions didn’t show. I think
I get it now…

So it also looks like the stock rkhunter setup for opensuse includes a cron.daily entry, so rkhunter
runs daily and sends an email to $REPORT_EMAIL, at least that’s what I surmise since there’s a
file in cron.daily named suse.de-rkhunter (and I’ve noticed this running before).

So, bottom line is this seems like the install sequence:

  1. install with YaST
  2. run rkhunter per https://gist.github.com/rothkj1022/ba0d2234eba53b815f7b7ecff5b7b741
  3. in those instructions, add the following to the file /etc/rkhunter.d/00-opensuse.conf
     ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
     ALLOWHIDDENFILE=/usr/bin/.hmac256.hmac

Does that sound about right? Problem is I still get a complaint from rkhunter… (I did try removing rkhunter from
my system and reinstalling it. I thought --propupd was supposed to “fix” this warning, but maybe, given
its setup in opensuse, it’s a YaST/system-interface-related “bug”)

```
linux-lhkc:/home/patti # rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 176 files, found 201
linux-lhkc:/home/patti # rkhunter --rwo -c
Warning: Package manager verification has failed:
         File: /etc/rkhunter.d/00-opensuse.conf
         The file hash value has changed
         The file size has changed
         The file modification time has changed
linux-lhkc:/home/patti #
```

Despite this one warning, very happy to have something scanning my System dirs. :)