Topic: After update to 7.3 email from cron.daily about rkhunter

[jan-martin]

Hello,
After the upgrade from 7.2 to 7.3, every morning i get the following email from cron.daily

/etc/cron.daily/01-rkhunter:

Default logfile will be used (/var/log/rkhunter.log).
The SCRIPTDIR configuration option has not been set by the installer.

I did e search in the /etc and found
rkhunter.conf (without the SCRIPTDIR configured)
rkhunter.conf.rpmnew (with SCRIPTDIR in it)

I thought the .rpmnew files are created with an update and were used and deleted with the signal-event post-upgrade and signal-event reboot.

Hope someone has an explanation about this.

regards
Jan-Martin

[cactus]

Hello,
After the upgrade from 7.2 to 7.3, every morning i get the following email from cron.daily

/etc/cron.daily/01-rkhunter:

Default logfile will be used (/var/log/rkhunter.log).
The SCRIPTDIR configuration option has not been set by the installer.

I did e search in the /etc and found
rkhunter.conf (without the SCRIPTDIR configured)
rkhunter.conf.rpmnew (with SCRIPTDIR in it)

I thought the .rpmnew files are created with an update and were used and deleted with the signal-event post-upgrade and signal-event reboot.

Hope someone has an explanation about this.

RPM/yum does this to not overwrite user changes with default package ones in case configuration files are modified.

The rkhunter.conf file seems not to be under the template control system that is implemented on SME Server. I guess it is worth filing this as a bug in the bugtracker.

AFAIK all packages that have a SME Server template generated configuration file are properly handled and no rpmsave/rpmnew files for them should be left, but I might be wrong.

[jan-martin]

Is it possible to make the template with the cli interface and on this way to repair?

[cactus]

Is it possible to make the template with the cli interface and on this way to repair?

Nope to have it templated in the future you need to add a New Feature Request to the bugtracker. Until that request is granted you need to make modifications yourself if there is any need for that.

[compdoc]

the new rkhunter kept your old rkhunter.conf, and placed the newer conf file under the name of rkhunter.conf.rpmnew. This was done in case you made changes to your rkhunter.conf file.

I had made one change to mine, so I'm glad that it kept it. I had changed:

ALLOW_SSH_ROOT_USER=1

The old conf file doesnt have all the new options, so if you have made any changes, transfer them to rkhunter.conf.rpmnew, delete the old rkhunter.conf, and rename rkhunter.conf.rpmnew to rkhunter.conf to make rkhunter happy.

This is not a bug...

[jan-martin]

@compdoc

Thankyou. I did make the same edit and will try the solution you mentioned and report
Thanks.

[imcintyre]

Is this in response to the error:

Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:

and seeing as I am "command line challenged" can you spell out how to make the change.

Thx

[compdoc]

Using ssh, or at the console (monitor and keyboard attached to the server) log in and type:

nano /etc/rkhunter.conf

Arrow down to ALLOW_SSH_ROOT_USER=no, and change it to ALLOW_SSH_ROOT_USER=1, and save

(to save is Control X, then y for yes)

That should stop that particular error....

But I'm not sure about the 'Suspicious file types' error - that may be something else....

[imcintyre]

Thx.

There are other ferrors related to upgrade to 7.3 which I am trying to follow in bugzilla.

[compdoc]

Hmm, Im getting an error this morning for ALLOW_SSH_ROOT_USER. The new option might be need to be ALLOW_SSH_ROOT_USER=yes. I'll have to test...

[imcintyre]

Let me know pls and thx

[the-heck]

Hmm, Im getting an error this morning for ALLOW_SSH_ROOT_USER. The new option might be need to be ALLOW_SSH_ROOT_USER=yes. I'll have to test...

So is it 'yes' or '1'?

[compdoc]

in rkhunter.conf it's ALLOW_SSH_ROOT_USER=yes

The comments just above the command state that...