Linux and Rkhunter

Rkhunter (root kit hunter) is a package that can be installed on Linux systems to perform intrusion detection. It does some (or more?) of the things that Tripwire did/does.

On my Fedora system, I just yum install rkhunter.

Hassles with prelink

Out of the blue, I began getting warnings in the daily rkhunter email:

Warning: Package manager verification has failed:
	File: /bin/ls
	Try running the command 'prelink /bin/ls' to resolve dependency errors.
	The file hash value has changed
	The file size has changed

This makes me wonder if I have been hacked since /bin/ls and /bin/rpm
are just the kind of packages that hackers like to replace.  I do the following to
check on ls:

rpm -qf /bin/ls
rpm -V coreutils
prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
S.?......    /bin/ls

And after some searching, I discover that lots of people are getting bogus warnings related to prelink. One fellow's advice is to get rid of prelink via:

prelink -au
yum erase prelink

This might indeed be a good idea. Prelink apparently does some kind of trick (optimization) to improve startup time related to dynamic linking, ultimately some kind of caching scheme. Like any caching scheme, unless it is done right, it can become inconsistent and produce just the kind of confusion that I am dealing with.
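
Added example (not part of the original page): a small shell helper that decodes the attribute column printed by rpm -V, using the column order documented in rpm(8). In the "S.?......" line above, the "?" in the third column means the digest test could not be performed, so that line neither confirms nor rules out a changed file. The function names and triage labels are this example's own, and the two extra sample lines are constructed.

```shell
#!/bin/sh
# Added example: decode the attribute column of `rpm -V` output.
# Column order per rpm(8): S M 5 D L U G T P.
# "." = test passed, "?" = test could not be performed, letter/digit = differs.

decode_rpm_verify() {
    line=$1
    flags=${line%% *}      # first field, e.g. "S.?......"
    path=${line##* }       # last field (assumes no spaces in the path)
    changed=""
    unknown=""
    rest=$flags
    for name in size mode digest device symlink user group mtime capabilities; do
        [ -n "$rest" ] || break
        tail=${rest#?}
        c=${rest%"$tail"}  # first remaining character
        rest=$tail
        case $c in
            .)  ;;
            \?) unknown="$unknown $name" ;;
            *)  changed="$changed $name" ;;
        esac
    done
    echo "$path changed:${changed:- none} unverifiable:${unknown:- none}"
}

# Triage label (labels are this example's own):
#   unverified = digest never compared, so the file is neither cleared nor condemned
#   modified   = digest compared and differs from the package database
#   attrs-only = digest matches; only metadata differs
triage_rpm_verify() {
    d=$(decode_rpm_verify "$1")
    case $d in
        *"unverifiable:"*" digest"*) echo unverified ;;
        *"changed:"*" digest"*)      echo modified ;;
        *)                           echo attrs-only ;;
    esac
}

# Sample input: the verify line from the page plus two constructed lines.
while IFS= read -r l; do
    printf '%-11s %s\n' "$(triage_rpm_verify "$l")" "$(decode_rpm_verify "$l")"
done <<'EOF'
S.?......    /bin/ls
S.5....T.    /usr/bin/example-a
.......T.    /usr/bin/example-b
EOF
```

After removing prelink, rerunning rpm -V coreutils and feeding the result through the same function shows whether the digest column now reports a real comparison.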

Adventures in Computing / tom@mmto.org