How to verify Rkhunter false positives

I did a fresh install of a CentOS 7 server and a fresh install of cpanel/whm. Before restoring a cpanel backup from another server I checked/verified that everything was clean.

After restoring cpanel I got a [warning] for the following files.

    /usr/sbin/adduser
    /usr/sbin/depmod
    /usr/sbin/ifdown
    /usr/sbin/ifup
    /usr/sbin/init
    /usr/sbin/insmod
    /usr/sbin/lsmod
    /usr/sbin/modinfo
    /usr/sbin/modprobe
    /usr/sbin/rmmod
    /usr/sbin/runlevel
    /usr/bin/awk
    /usr/bin/egrep
    /usr/bin/fgrep
    /usr/bin/links
    /usr/bin/mail
    /usr/bin/passwd
    /usr/bin/sh
    /usr/bin/sudo

I ran sha256sum checksums and compared them against the corresponding values on a virtualbox test server I had set up, and all the checksums matched.

From there I ran ls -ld on all of the files on both the production and the test server. The /usr group permissions all matched.

At this point I am reasonably confident these are false positives.

My question is a "dumb" one: does rkhunter identify what caused a warning? How do I check what is triggering the warning on the test server?

Update

After a bit of digging I found another (more useful) way to run the rkhunter check that tells you why a warning was generated (essentially it mirrors the contents of the rkhunter.log file).

    [root@host2 ~]# rkhunter -c --rwo
    Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/adduser
             Current file modification time: 1613637774 (18-Feb-2021 16:42:54)
             Stored file modification time : 1565319054 (09-Aug-2019 10:50:54)
    Warning: No hash value found for file '/usr/sbin/depmod' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/depmod
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: The file properties have changed:
             File: /usr/sbin/ifdown
             Current hash: 69026ac688e78a6f54406fd4a4b92bb655fa9795cb043cafb1ebf7782985a38b
             Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
             Current size: 1651    Stored size: 0
             Current file modification time: 1590144273 (22-May-2020 18:44:33)
             Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
    Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
    Warning: The file properties have changed:
             File: /usr/sbin/ifup
             Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
             Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
             Current size: 5010    Stored size: 0
             Current file modification time: 1590144273 (22-May-2020 18:44:33)
             Stored file modification time : 1605543307 (17-Nov-2020 00:15:07)
    Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
    Warning: No hash value found for file '/usr/sbin/init' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/init
             Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
             Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
    Warning: No hash value found for file '/usr/sbin/insmod' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/insmod
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: No hash value found for file '/usr/sbin/lsmod' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/lsmod
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: No hash value found for file '/usr/sbin/modinfo' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/modinfo
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: No hash value found for file '/usr/sbin/modprobe' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/modprobe
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: No hash value found for file '/usr/sbin/rmmod' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/rmmod
             Current file modification time: 1613637781 (18-Feb-2021 16:43:01)
             Stored file modification time : 1585709895 (01-Apr-2020 10:58:15)
    Warning: No hash value found for file '/usr/sbin/runlevel' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/sbin/runlevel
             Current file modification time: 1613637783 (18-Feb-2021 16:43:03)
             Stored file modification time : 1612283656 (03-Feb-2021 00:34:16)
    Warning: No hash value found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/bin/awk
             Current file modification time: 1562813534 (11-Jul-2019 10:52:14)
             Stored file modification time : 1498686765 (29-Jun-2017 05:52:45)
    Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
    Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
    Warning: The file properties have changed:
             File: /usr/bin/links
             Current hash: 52d888a65f7e8c4e9837eb98d0c617af3ffbf5c51426036f69deeb31e93a2d37
             Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
             Current permissions: 0777    Stored permissions: 0644
             Current size: 23    Stored size: 0
             Current file modification time: 1613662786 (18-Feb-2021 23:39:46)
             Stored file modification time : 1547139654 (11-Jan-2019 01:00:54)
             Current symbolic link target: '/usr/bin/links' -> '/usr/bin/elinks'
             Stored symbolic link target : '/usr/bin/links' -> '/usr/bin'
    Warning: No hash value found for file '/usr/bin/mail' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/bin/mail
             Current file modification time: 1562814013 (11-Jul-2019 11:00:13)
             Stored file modification time : 1523430473 (11-Apr-2018 15:07:53)
    Warning: The file properties have changed:
             File: /usr/bin/passwd
             Current permissions: 4755    Stored permissions: 04755
    Warning: No hash value found for file '/usr/bin/sh' in the 'rkhunter.dat' file.
    Warning: The file properties have changed:
             File: /usr/bin/sh
             Current file modification time: 1613637759 (18-Feb-2021 16:42:39)
             Stored file modification time : 1585707450 (01-Apr-2020 10:17:30)
    Warning: The file properties have changed:
             File: /usr/bin/sudo
             Current permissions: 4111    Stored permissions: 04111
    Warning: The following processes are using deleted files:
             Process: /usr/local/cpanel/libexec/tailwatch/tailwatchd    PID: 1973    File: /var/cpanel/apnspush.sqlite3-wal

What is particularly confusing is the current hash versus the stored hash for some of the files, e.g. /usr/sbin/ifup, because I checked the hash against a fresh VM install. Is this just a simple case of running rkhunter --propupd?
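As an added example (not part of the question and not rkhunter's own code), the following Python script parses output in the shape of the rkhunter -c --rwo listing above and triages each path: it groups the Current/Stored attribute pairs per file, treats a stored hash equal to the SHA-256 of zero bytes as a baseline that was recorded on an empty or missing file (which is what the accompanying "Stored size: 0" says), and recognises 4755 versus 04755 as the same octal mode rather than a permission change. The sample input and the flag names are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# SHA-256 of zero bytes: a stored hash equal to it means the rkhunter.dat baseline was taken on an empty/missing file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed sample in the shape of `rkhunter -c --rwo` output (values copied from the post above).
SAMPLE = """\
Warning: No hash value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
         File: /usr/sbin/ifup
         Current hash: f5ce9f5f014159aa479a88a4754b4a1980f307fac68863477341e62787f8e52c
         Stored hash : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
         Current size: 5010    Stored size: 0
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The file properties have changed:
         File: /usr/bin/passwd
         Current permissions: 4755    Stored permissions: 04755
"""

ATTR = re.compile(r"(Current|Stored) ([a-z ]+?)\s*: (\S+)")  # e.g. "Stored size: 0"
PATH = re.compile(r"'(/[^']+)'")                               # quoted absolute path
def parse_rwo(text):
    # path -> {"flags": set of one-line warnings, "attrs": {name: {"Current": v, "Stored": v}}}
    files = defaultdict(lambda: {"flags": set(), "attrs": defaultdict(dict)})
    current = None
    for line in text.splitlines():
        if line.startswith("Warning:") and (named := PATH.search(line)):  # warning quoting a path
            kind = "no_stored_hash" if "No hash value" in line else "replaced_by_script"
            files[named.group(1)]["flags"].add(kind)
        elif line.strip().startswith("File: "):
            current = line.strip()[6:]  # the indented Current/Stored lines that follow belong to it
        elif current:  # other lines (e.g. "The file properties have changed:") carry no attribute
            for side, name, value in ATTR.findall(line):
                files[current]["attrs"][name][side] = value
    return files

def triage(files):
    # Per path, separate real changes from cosmetic differences and baseline artefacts.
    report = {}
    for path, info in files.items():
        flags = set(info["flags"])
        for name, sides in info["attrs"].items():
            cur, old = sides.get("Current"), sides.get("Stored")
            if name == "permissions" and cur and old and int(cur, 8) == int(old, 8):
                flags.add("permissions_format_only")      # 4755 == 04755 in octal
            elif name == "hash" and old == EMPTY_SHA256:
                flags.add("baseline_hash_is_empty_file")  # comparison against a 0-byte baseline is meaningless
            elif cur != old:
                flags.add(name.replace(" ", "_") + "_changed")
        report[path] = sorted(flags)
    return report
```

Running triage(parse_rwo(SAMPLE)) yields, per path, only the differences that still need a decision, so a "baseline_hash_is_empty_file" entry points at a rkhunter.dat that should be rebuilt from a known-good file rather than at a tampered binary.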
