rkhunter warning package manager verification has failed

ronaldst

Well-Known Member
Feb 22, 2016
85
16
8
Norway
cPanel Access Level
Root Administrator
I am seeing repeated warnings in rkhunter for
/usr/bin/newgrp
/usr/bin/su

I'm running an updated rkhunter and --propupd has been completed prior to running the check.

rkhunter.log
Code:
[03:16:28]   /usr/bin/newgrp                                 [ Warning ]
[03:16:28] Warning: Package manager verification has failed:
[03:16:28]          File: /usr/bin/newgrp
[03:16:28]          The file permissions have changed

[03:16:33]   /usr/bin/su                                     [ Warning ]
[03:16:33] Warning: Package manager verification has failed:
[03:16:33]          File: /usr/bin/su
[03:16:33]          The file permissions have changed
[03:16:33]          The file group has changed
Should I be worried or is this normal?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello @ronaldst,

The first step when encountering this type of warning is to verify which RPM controls those files and to see if that RPM was recently updated. For example:

Code:
# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
# grep "util-linux" /var/log/yum.log
Aug 21 00:27:21 Updated: util-linux-2.23.2-52.el7_5.1.x86_64
For this file, it shows that it's part of the util-linux RPM and that RPM was last updated through YUM on August 21.

Next, check the permission and ownership values on those files to see if they match a comparable system. Here's the output from a CentOS 7 test machine running cPanel & WHM version 74:

Code:
# ls -al  /usr/bin/su
-rwsr-x--- 1 root wheel 32184 Aug 16 13:47 /usr/bin/su
# ls -al /usr/bin/newgrp 
-rwxr-xr-x. 1 root root 41776 Nov  5  2016 /usr/bin/newgrp
Thank you.
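An added example, not part of the thread or of cPanel's tooling: `rpm -V` reports a verification failure as a nine-character attribute string, and this shell function decodes it so a permission or group change can be told apart from a change to the file's contents. The sample lines are constructed, and `/usr/local/bin/example-tool` is a hypothetical path.

```shell
#!/bin/sh
# Decode `rpm -V` lines: 9 flag characters (S M 5 D L U G T P), an optional
# file-type marker (c, d, g, l, r), then the path. '.' means the test passed.
# Assumes paths without spaces.
decode_rpm_verify() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            missing*) printf '%s: missing\n' "${line##* }"; continue ;;
        esac
        flags=${line%% *}
        path=${line##* }
        [ "${#flags}" -eq 9 ] || { printf 'unparsed: %s\n' "$line"; continue; }
        changes=
        i=1
        for name in size mode digest device symlink owner group mtime capabilities; do
            c=$(printf '%s' "$flags" | cut -c"$i")
            case $c in
                .)  ;;
                \?) changes="$changes${changes:+, }$name unchecked" ;;
                *)  changes="$changes${changes:+, }$name" ;;
            esac
            i=$((i + 1))
        done
        # A digest mismatch means the file contents differ from the package;
        # mode/owner/group alone is a metadata change.
        case $flags in
            ??5*) kind=content ;;
            *)    kind=metadata-only ;;
        esac
        printf '%s: %s [%s]\n' "$path" "${changes:-no change}" "$kind"
    done
}

# Constructed sample input (not taken from the thread's servers).
sample_rpm_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/newgrp
.M....G..    /usr/bin/su
S.5....T.    /usr/local/bin/example-tool
EOF
}

# On a live system: rpm -V util-linux | decode_rpm_verify
sample_rpm_verify_output | decode_rpm_verify
```

A `[content]` result is the case to investigate first, since it means the binary no longer matches the digest recorded in the RPM database.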
 

ronaldst

I'm getting similar results (to what you have posted). However, there is one exception: the yum log shows an update on May 12th.

Code:
[[email protected] ~]# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
[[email protected] ~]# grep "util-linux" /var/log/yum.log
May 12 01:04:58 Updated: util-linux-2.23.2-52.el7.x86_64
Aug 21 01:04:38 Updated: util-linux-2.23.2-52.el7_5.1.x86_64
[[email protected] ~]# ls -al  /usr/bin/su
-rwsr-x---. 1 root wheel 32184 Aug 16 20:47 /usr/bin/su
[[email protected] ~]# ls -al /usr/bin/newgrp
-rwxr-xr-x. 1 root root 41776 Nov  5  2016 /usr/bin/newgrp
I don't know what to read into this, really.
 

cPanelMichael


Glexia

Member
Aug 8, 2005
18
1
153
I'm having a similar issue with the "su" alerting on package verification. I've done a hash checksum and the file appears fine (in fact it's a brand new server install from source).

To suppress this warning you'll need to add the following directive to /etc/rkhunter.conf
PKGMGR_NO_VRFY=/usr/bin/su

then run:
rkhunter --propupd
 