Centos7

rkhunter: after a few days I get "The system has changed to not using prelinking since the last run."

  • April 17, 2016

We are running a (new) CentOS 7 system here. To watch the system for unwanted changes/hacking, we run rkhunter every night. Also, after every (yum) update we prelink everything and run `rkhunter --propupd`.

This works well. But after a few days we get the following error:

[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
          is used, all the files on their system are known to be genuine, and installed from a
          reliable source. The rkhunter '--check' option will compare the current file properties
          against previously stored values, and report if any values differ. However, rkhunter
          cannot determine what has caused the change, that is for the user to do.
...
...
...
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chroot                                [ Warning ]

We are sure the server has not been hacked, because we checked the dates and sizes of some of the binaries. We also created checksums of some of these files. After the rkhunter warning appeared, all the files were identical and unchanged.

But we would like to find out what the cause of the rkhunter warning is...

Any ideas?

Edit:

There are other warnings in the rkhunter log file:

[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05]          Because of the change(s) the file properties checks may give some false-positive results.
[03:55:05]          You may need to re-run rkhunter with the '--propupd' option.

This is also the solution. See my answer below...

Found it! Today I looked through several log files, and I found a prelink log file. The log file shows the prelink program being run. After searching the cron files for a prelink job, I found it in /etc/cron.daily. I'm sure this is the cause of the rkhunter warning... :-)
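A defender-side check for the situation described in the question and answer, added here as an example and not code from the post: it reports whether a daily prelink cron job is present and whether prelink has run since rkhunter's file properties were last stored with `--propupd`, which is when the inode and hash warnings above become expected noise. The paths in the comments are the CentOS 7 defaults as I know them (assumptions, not taken from the post), and `ROOT` is a hypothetical prefix so the functions can run against a constructed tree instead of the live `/`.

```shell
#!/bin/sh
# Assumed CentOS 7 default locations (not from the serverfault post):
#   /etc/cron.daily/prelink            the prelink package's daily cron job
#   /etc/sysconfig/prelink             PRELINKING=yes|no, read by that job
#   /var/log/prelink/prelink.log       written when the job runs prelink
#   /var/lib/rkhunter/db/rkhunter.dat  rkhunter's stored file properties
# Pass "" as ROOT to check the live host; a constructed tree is used below.

# prelink_cron_status ROOT -> "none" or "present:<PRELINKING value|unset>"
# Whatever PRELINKING says, a present job touches binaries on its own schedule,
# so rkhunter's stored properties can go stale between nightly runs.
prelink_cron_status() {
    root=$1
    [ -f "$root/etc/cron.daily/prelink" ] || { echo none; return 0; }
    mode=$(sed -n 's/^PRELINKING=//p' "$root/etc/sysconfig/prelink" 2>/dev/null | tail -n 1)
    echo "present:${mode:-unset}"
}

# prelink_since_propupd ROOT -> "yes" when the prelink log is newer than
# rkhunter.dat, i.e. prelink ran after the last --propupd and the warnings are
# the expected fallout; verify the binaries, then re-run --propupd.
prelink_since_propupd() {
    root=$1
    log="$root/var/log/prelink/prelink.log"
    db="$root/var/lib/rkhunter/db/rkhunter.dat"
    if [ -f "$log" ] && [ -f "$db" ] && [ "$log" -nt "$db" ]; then
        echo yes
    else
        echo no
    fi
}

# make_sample_tree DIR: constructed sample mirroring the question, with the
# cron job present, PRELINKING=yes, and the prelink log stamped a day after
# the last --propupd.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/etc/cron.daily" "$dir/etc/sysconfig" \
             "$dir/var/log/prelink" "$dir/var/lib/rkhunter/db"
    : > "$dir/etc/cron.daily/prelink"
    echo 'PRELINKING=yes' > "$dir/etc/sysconfig/prelink"
    touch -t 201604160400 "$dir/var/lib/rkhunter/db/rkhunter.dat"
    touch -t 201604170355 "$dir/var/log/prelink/prelink.log"
}

# Stand-alone demo on the constructed tree: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d) && make_sample_tree "$t"
    echo "cron job: $(prelink_cron_status "$t"); prelink after propupd: $(prelink_since_propupd "$t")"
    rm -rf "$t"
fi
```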

Quoted from: https://serverfault.com/questions/770800