need help with understanding rkhunter results

Hello,

I recently installed rkhunter and ran a check. I need help figuring out what the results mean.

I read the manpage and found a couple of switches I was immediately concerned with. I ran rkhunter with --update to update my initial install, but I did not do --propupd because, to my understanding, you need to specify a file/directory/package to do that update.

After doing rkhunter --update (which succeeded), I ran rkhunter -c to do a check, and this is the result:
[19:23:54] Info: Starting test name 'properties'
[19:23:54] Performing file properties checks
[19:23:54] Warning: Checking for prerequisites [ Warning ]
[19:23:55] The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
[19:23:55] Info: The file properties check will still run as there are checks that can be performed without the 'rkhunter.dat' file.
[19:23:55]
[19:23:55] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.

[19:23:56] /usr/sbin/ifup [ Warning ]
[19:23:56] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable

[19:23:59] /usr/bin/chkconfig [ Warning ]
[19:23:59] Warning: The command '/usr/bin/chkconfig' has been replaced by a script: /usr/bin/chkconfig: Perl script text executable

[19:24:01] /usr/bin/egrep [ Warning ]
[19:24:01] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable

[19:24:01] /usr/bin/fgrep [ Warning ]
[19:24:01] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

[19:24:03] /usr/bin/ldd [ Warning ]
[19:24:03] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable

[19:27:04] Info: Starting test name 'passwd_changes'
[19:27:04] Checking for passwd file changes [ Warning ]
[19:27:05] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[19:27:05] Info: Starting test name 'group_changes'
[19:27:05] Checking for group file changes [ Warning ]
[19:27:05] Warning: Unable to check for group file differences: no copy of the group file exists.

[19:27:05] Checking if SSH root access is allowed [ Warning ]
[19:27:05] Warning: The SSH and rkhunter configuration options should be the same:
[19:27:05] SSH configuration option 'PermitRootLogin': yes
[19:27:05] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[19:27:05] Checking if SSH protocol v1 is allowed [ Warning ]
[19:27:05] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.

[19:27:23] System checks summary
[19:27:23] =====================
[19:27:23]
[19:27:23] File properties checks…
[19:27:23] Required commands check failed
[19:27:23] Files checked: 191
[19:27:23] Suspect files: 5
[19:27:23]
[19:27:23] Rootkit checks…
[19:27:23] Rootkits checked : 490
[19:27:24] Possible rootkits: 0
[19:27:24]
[19:27:24] Applications checks…
[19:27:24] All checks skipped

Although it’s good to see Possible Rootkits showing 0, the binaries flagged with Warning caught my attention because the description says those were replaced by a script. I hadn’t done a zypper update at the time, so I was concerned. Apart from that, I’m not sure about the SSH configuration, whether that’s the default setting or not, because I have never touched those before.

I went back to the manpages and noted something in addition to --propupd. It says that if no specific option is given, then the entire database is updated. However, the warning says it is my responsibility to ensure that the files are genuine. I am not sure how to do the ensuring part, but I got curious about the entire database getting updated part.

So I ran rkhunter --propupd without specifying anything else. It went through. Then I ran another check, and this is what I got:
[19:38:32] Checking if SSH root access is allowed [ Warning ]
[19:38:32] Warning: The SSH and rkhunter configuration options should be the same:
[19:38:32] SSH configuration option 'PermitRootLogin': yes
[19:38:32] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[19:38:33] Checking if SSH protocol v1 is allowed [ Warning ]
[19:38:33] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.

[19:38:49] System checks summary
[19:38:49] =====================
[19:38:49]
[19:38:49] File properties checks…
[19:38:49] Files checked: 191
[19:38:49] Suspect files: 0
[19:38:49]
[19:38:49] Rootkit checks…
[19:38:50] Rootkits checked : 490

[19:38:50] Possible rootkits: 0
[19:38:50]
[19:38:50] Applications checks…
[19:38:50] All checks skipped

The suspect files are gone after that. However, because of that warning that it’s my responsibility to ensure the files are genuine, I am concerned that the --propupd I did simply whitelisted the suspect files, which is why it is returning as clean now.

I’m not sure if I’m making sense. Can someone help, please? Thanks.

Not sure what you’re trying to do.
If you update your database and <then> run rkhunter, I’m pretty sure you just defeated its purpose, which is to compare what is stored in the database with the current files in your system.

Recommend viewing rkhunter videos on YouTube as a painless (hopefully!) way to learn this tool…

TSU

Thanks. I’ll see if I can find some guidance in YouTube then.

Yes, you’re making sense – with “--propupd” Rootkit Hunter simply white-lists all system files managed by the distribution’s repositories – which we have to trust anyway …

The SSH warning should be heeded – the SSH Daemon “PermitRootLogin” configuration option is by default enabled …

  • The YaST Security Center also assumes the SSH daemon default value …

If the system has been installed successfully, consider setting the value to either “forced-commands-only” or “no” – see the “sshd_config(5)” man page …

  • The openSUSE Security documentation is not explicit about this point …

The SSH protocol version warning is solved by the “sshd(8)” man page:

The OpenSSH SSH daemon supports SSH protocol 2 only.

  • Rootkit Hunter is not really OpenSSH “aware” …

Apart from the points mentioned above, the rest of the Rootkit Hunter messages are pretty much self-explanatory …

  • The list of possible Rootkits the Hunter knows about is fairly extensive and possibly for most people sufficient …

From my point of view, having used Rootkit Hunter, possibly running “rpm --verify --all” is almost as effective for the case of systems which “only install packages from reliable, well known, repositories” …
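As an added illustration of the “rpm --verify --all” approach suggested above (this is example code, not from the thread or from Rootkit Hunter), the following POSIX shell snippet triages rpm -V output so that a digest, size or ownership change on a regular file stands out from harmless mtime noise and from edited config files. The sample rpm -V lines are constructed and do not describe any real system; the classification labels are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the thread. Triage "rpm -V" output before trusting
# "rkhunter --propupd". rpm -V prints one line per file that differs from the
# package database: a 9-character attribute string (S size, M mode, 5 digest,
# D device, L link target, U user, G group, T mtime, P capabilities, "." for
# unchanged), an optional file-type letter (c = config, d = doc, ...) and the
# path. "missing" replaces the attribute string when the file is gone.

# Constructed sample of rpm -V output (hypothetical, not from a real host).
SAMPLE_RPM_V='S.5....T.    /usr/bin/egrep
.......T.    /usr/sbin/ifup
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/ldd'

# Reads rpm -V lines on stdin and prints "CLASS path" per line, where CLASS is
#   MISSING        - file removed from disk
#   CONFIG_CHANGED - a config file differs (usually a local edit, verify by hand)
#   MODIFIED       - size/digest/mode/owner/link differs on a non-config file:
#                    the on-disk file is not the one the package shipped
#   BENIGN         - only mtime or similar changed
triage_rpm_verify() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # shellcheck disable=SC2086  # word-splitting the line is intended
        set -- $line
        attrs=$1
        if [ $# -ge 3 ]; then type=$2; path=$3; else type=""; path=$2; fi
        if [ "$attrs" = missing ]; then
            cls=MISSING
        elif [ "$type" = c ]; then
            cls=CONFIG_CHANGED
        else
            case "$attrs" in
                *[S5MLUG]*) cls=MODIFIED ;;
                *)          cls=BENIGN ;;
            esac
        fi
        printf '%s %s\n' "$cls" "$path"
    done
}

# Demo on the constructed sample. On a real openSUSE host, feed it the package
# that owns a file rkhunter flagged, e.g.:
#   rpm -V "$(rpm -qf /usr/bin/egrep)" | triage_rpm_verify
# or the whole system:  rpm --verify --all | triage_rpm_verify | grep -v '^BENIGN'
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

A file reported as MODIFIED is worth investigating (or reinstalling from the repository) before running --propupd, because --propupd would store the current properties as the new baseline.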

I’m glad to see a useful response. Thanks for clarifying that @dcurtisfra.

I haven’t touched much of the settings by far because I’m still in the “learning phase,” so I guess it’s about time I touch that part.

I only install from official openSUSE repos. It’s also my habit to do zypper verify after every update, so this sounds comforting.

All in all, thanks!