Manage rkhunter warnings properly: Rkhunter in an LXC.
I was getting rkhunter warnings about the absence of the /lib/modules directory in an LXC running Debian 5.0 Lenny, so with a bit of skulduggery I simply created the directory /lib/modules.
Later, when I started running Debian Sid (testing) containers, the rkhunter warning went further and complained that /lib/modules was "either missing or empty", so I put a dummy file in there and all is good for now.
vi /lib/modules
## This is a dummy file located /lib/modules in a LXC
I have found it better to deal with rkhunter on a fresh install of ISPConfig3 (or any system where it is installed) as follows:
1. Update rkhunter
root@lxchost:~# rkhunter --update
[ Rootkit Hunter version 1.3.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ updated ]
Checking file backdoorports.dat [ updated ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
2. Run rkhunter to report warnings only
rkhunter -c --rwo
3. Deal with any warnings as you will.
For example:
vi /etc/rkhunter.conf
Change
ALLOW_SSH_ROOT_USER=no (line 199)
to
ALLOW_SSH_ROOT_USER=yes
:x
4. Run a check again to make sure all spurious warnings have been dealt with.
5. When you are happy that all is well (and only then!) you can run a system-wide acceptance of the changes you have made.
rkhunter --propupdate
6. You will still get warnings in the future about possible compromise. For example, if I reconfigure debconf and decide to go with readline instead of dialog inside an LXC, rkhunter will log the change, and this is a good thing.
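The same procedure scripted non-interactively, as an added example that is not part of the original post: it covers the /lib/modules placeholder from the start of the post, the ALLOW_SSH_ROOT_USER edit from step 3 (done with sed instead of vi), and a guard for step 5 that refuses to run --propupdate while the warnings-only run still prints anything. It assumes a POSIX shell with GNU sed; the placeholder file name README-lxc-placeholder is hypothetical (the post does not name its dummy file), and ROOT lets you dry-run the placeholder step under a scratch directory instead of the container's real filesystem. Keep in mind that ALLOW_SSH_ROOT_USER only tells rkhunter what to expect; it should mirror the PermitRootLogin value in sshd_config and does not change sshd itself.

```shell
#!/bin/sh
# Added example, not from the original post. Defines helpers only; nothing
# runs until you call a function, so sourcing this file is side-effect free.
set -eu

# Prefix for the placeholder step. Empty means the real filesystem;
# set ROOT=/tmp/dryrun to rehearse without touching the container.
ROOT="${ROOT:-}"

# Start of the post: make /lib/modules exist and be non-empty so rkhunter
# stops reporting it as "either missing or empty" inside the LXC.
# Prints the path of the placeholder file it wrote.
make_modules_placeholder() {
    dir="$ROOT/lib/modules"
    mkdir -p "$dir"
    # Hypothetical file name; the post only says it used a dummy file.
    printf '## Placeholder so rkhunter does not flag /lib/modules as missing or empty in this LXC\n' \
        > "$dir/README-lxc-placeholder"
    echo "$dir/README-lxc-placeholder"
}

# Step 3 of the post without the editor: set ALLOW_SSH_ROOT_USER in the given
# rkhunter.conf, keeping a .bak copy. Returns 0 if the file was changed and
# 1 if the option already had the requested value (idempotent).
set_allow_ssh_root() {
    conf="$1"
    value="$2"
    cp "$conf" "$conf.bak"
    if grep -q "^ALLOW_SSH_ROOT_USER=$value\$" "$conf"; then
        return 1
    fi
    sed -i "s/^ALLOW_SSH_ROOT_USER=.*/ALLOW_SSH_ROOT_USER=$value/" "$conf"
}

# Step 5 guard: accept the new baseline only when the saved output of
# `rkhunter -c --rwo` (step 2/4) is empty. Otherwise refuse, so a real
# warning is never silently folded into the property database.
# RKHUNTER can be overridden (e.g. RKHUNTER=true) for a dry run.
propupdate_if_clean() {
    warnings_file="$1"
    if [ -s "$warnings_file" ]; then
        echo "unresolved warnings remain in $warnings_file; not running rkhunter --propupdate" >&2
        return 1
    fi
    "${RKHUNTER:-rkhunter}" --propupdate
}

# Constructed sample config used to try the edit offline; a real
# /etc/rkhunter.conf has many more options and comments.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/rkhunter.conf
MAIL-ON-WARNING=root
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
EOF
}
```

Typical use on a container: `ROOT= sh -c '. ./rkhunter-lxc.sh; make_modules_placeholder'`, then `rkhunter -c --rwo > /root/rkhunter-warnings.txt`, fix what remains (`set_allow_ssh_root /etc/rkhunter.conf yes` if that is the intended sshd policy), re-run the warnings-only check into the same file, and finish with `propupdate_if_clean /root/rkhunter-warnings.txt`.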