4

I ran rkhunter and received the following warnings in its output:

$ rkhunter --update
$ rkhunter -c

...
...
...

Performing file properties checks
    /sbin/chkconfig                                          [ Warning ]

In the /var/log/rkhunter.log, it shows this message:

Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: Perl script, ASCII text executable

Though I am on a Debian system and am aware of update-rc.d, I occasionally use chkconfig to configure services.

What does this warning mean? How serious is this?

Gilles 'SO- stop being evil'
Animesh

2 Answers

3

I would think that this warning is harmless (assuming you have not been hacked or you haven't installed any suspicious packages). It seems that rkhunter thinks that scripts in /sbin are suspicious behaviour.

In fact, I checked on a clean Ubuntu install I have here, and chkconfig is indeed a script.

Renan
  • You meant `chkconfig is indeed a script` as opposed to a binary, right? Just trying to understand here. What is the difference? – Animesh Oct 24 '12 at 14:08
  • Exactly; type `file /sbin/chkconfig` and see for yourself. The main difference is that a script is (generally) written in an interpreted language (bash, perl etc...) and a binary is the result of compiling a program (e.g. written in C); from an end-user (not a developer) point of view, there isn't much difference. – Renan Oct 24 '12 at 14:37
  • 1
    Since `/sbin` is supposed to have binaries in it, rkhunter threw a warning since it encountered a script rather than an executable. It makes sense. – Animesh Oct 24 '12 at 14:40
1

Assuming you're running Ubuntu, create (or edit) the file /etc/rkhunter.conf.local and add the following line.

PKGMGR=DPKG

This tells rkhunter to use the file hash info available via dpkg.

Ramesh
user3235747
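
The check behind both answers, done by hand, as an added example that is not part of the original answers: classify a file as script or binary, then compare its MD5 against a dpkg-style md5sums list. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers above.

# is_script FILE: succeeds if FILE begins with a "#!" interpreter line,
# which is why file(1) reports "Perl script" rather than an ELF binary.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# check_md5sums LIST ROOT RELPATH
# LIST is in dpkg's md5sums format: "<md5>  <path without leading slash>".
# Prints match, MISMATCH or untracked (returns 0, 1 or 2).
check_md5sums() {
    cm_list=$1; cm_root=$2; cm_rel=$3
    # Find the recorded hash for exactly this path (paths may contain spaces).
    cm_want=$(awk -v p="$cm_rel" \
        '{ h = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) { print h; exit } }' \
        "$cm_list")
    if [ -z "$cm_want" ]; then echo untracked; return 2; fi
    cm_have=$(md5sum "$cm_root/$cm_rel" | awk '{ print $1 }')
    if [ "$cm_have" = "$cm_want" ]; then echo match; return 0; fi
    echo MISMATCH; return 1
}

# Constructed demo: a throwaway root holding a Perl script named like the
# one in the question, plus an md5sums list recorded from it.
demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/sbin"
    printf '#!/usr/bin/perl\nprint "constructed sample\\n";\n' \
        > "$demo_root/sbin/chkconfig"
    ( cd "$demo_root" && md5sum sbin/chkconfig ) > "$demo_root/pkg.md5sums"

    # A script that still matches the packaged hash: the benign case.
    is_script "$demo_root/sbin/chkconfig" && echo "sbin/chkconfig: script"
    check_md5sums "$demo_root/pkg.md5sums" "$demo_root" sbin/chkconfig || true

    # The same file after a local modification: the case worth investigating.
    echo '# modified after install' >> "$demo_root/sbin/chkconfig"
    check_md5sums "$demo_root/pkg.md5sums" "$demo_root" sbin/chkconfig || true

    rm -rf "$demo_root"
}
demo
```

On a Debian or Ubuntu system, `dpkg -S /sbin/chkconfig` names the owning package, whose list is normally `/var/lib/dpkg/info/<package>.md5sums`; pass that file with `/` as ROOT. The list lives on the same host, so a match only shows the file agrees with the local package database.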