rkhunter warning package manager verification has failed

ronaldst

Well-Known Member
Feb 22, 2016
85
16
8
Norway
cPanel Access Level
Root Administrator
I am seeing repeated warnings in rkhunter for
/usr/bin/newgrp
/usr/bin/su

I'm running an updated rkhunter and --propupd have been completed prior to running the check.

rkhunter.log
Code:
[03:16:28]   /usr/bin/newgrp                                 [ Warning ]
[03:16:28] Warning: Package manager verification has failed:
[03:16:28]          File: /usr/bin/newgrp
[03:16:28]          The file permissions have changed

[03:16:33]   /usr/bin/su                                     [ Warning ]
[03:16:33] Warning: Package manager verification has failed:
[03:16:33]          File: /usr/bin/su
[03:16:33]          The file permissions have changed
[03:16:33]          The file group has changed
Should I be worried or is this normal?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
Hello @ronaldst,

The first step when encountering this type of warning is to verify which RPM controls those files and to see if that RPM was recently updated. For example:

Code:
# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
# grep "util-linux" /var/log/yum.log
Aug 21 00:27:21 Updated: util-linux-2.23.2-52.el7_5.1.x86_64
For this file, it shows that it's part of the util-linux RPM and that RPM was last updated through YUM on August 21.

Next, check the permission and ownership values on those files to see if they match a comparable system. Here's the output from a CentOS 7 test machine running cPanel & WHM version 74:

Code:
# ls -al  /usr/bin/su
-rwsr-x--- 1 root wheel 32184 Aug 16 13:47 /usr/bin/su
# ls -al /usr/bin/newgrp 
-rwxr-xr-x. 1 root root 41776 Nov  5  2016 /usr/bin/newgrp
Thank you.
 

ronaldst

Well-Known Member
Feb 22, 2016
85
16
8
Norway
cPanel Access Level
Root Administrator
I'm getting similar results (that you have posted). However, there is one exception, yum logs shows an update at May 12th.

Code:
[[email protected] ~]# rpm -qf /usr/bin/su
util-linux-2.23.2-52.el7_5.1.x86_64
[[email protected] ~]# grep "util-linux" /var/log/yum.log
May 12 01:04:58 Updated: util-linux-2.23.2-52.el7.x86_64
Aug 21 01:04:38 Updated: util-linux-2.23.2-52.el7_5.1.x86_64
[[email protected] ~]# ls -al  /usr/bin/su
-rwsr-x---. 1 root wheel 32184 Aug 16 20:47 /usr/bin/su
[[email protected] ~]# ls -al /usr/bin/newgrp
-rwxr-xr-x. 1 root root 41776 Nov  5  2016 /usr/bin/newgrp
I don't know what to read into this, really.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463

Glexia

Member
Aug 8, 2005
17
1
153
I'm having a similar issue with the "su" alerting on package verification. I've done a hash checksum and the file appears fine (in fact its a brand new server install from source).

To suppress this warning you'll need to add the following directive to /etc/rkhunter.conf
PKGMGR_NO_VRFY=/usr/bin/su

then run:
rkhunter --propupd
 
  • Like
Reactions: cPanelMichael