View Single Post
Old 23rd January 2011, 09:50
CSsab CSsab is offline
Senior Member
Join Date: Apr 2010
Posts: 174
Thanks: 19
Thanked 32 Times in 27 Posts
Default Manage rkhunter warnings properly: Rkhunter in a LXC.

I was getting rkhunter warnings about the absence of /lib/modules directory in a LXC running Debian 5.0 Lenny so with a bit of skulldugery I simply created the directory /lib/modules.

Later when I started running Debian Sid (testing) containers the rkhunter warning went further to complain that /lib/modules was "either missing or empty" so I put a dummy-file in there and all is good for now.

vi /lib/modules
## This is a dummy file located /lib/modules in a LXC

I have found it better to deal with rkhunter on a fresh install of ISPConfig3 or any system where it is installed) as follows:

1. Update rkhunter
root@lxchost:~# rkhunter --update
[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ updated ]
Checking file backdoorports.dat [ updated ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

2. Run rkhunter to report warnings only
rkhunter -c --rwo

3. Deal with any warnings as you will.
For example:
vi /etc/rkhunter.conf
ALLOW_SSH_ROOT_USER=no (line 199)

4. Run a check again to make sure all spurious warnings have been dealt with.

5. When you are happy that all is well (and only then!) you can run a system wide acceptance of the changes you have made.
rkhunter --propupdate

6. You will still get warnings in the future about possible compromise. For example if I reconfigure debconf and decide to go with readline instead of dialogue inside a LXC, rkhunter will log the change and this is a good thing.
Reply With Quote