
So rkhunter gives me these warnings (in the logfile) beyond this one (which seems to be a false positive):

Checking for passwd file changes [ Warning ]
Warning: User 'logcheck' has been added to the passwd file

Info: Starting test name 'group_changes'
Checking for group file changes [ Warning ]
Warning: Changes found in the group file for group 'adm':
User 'logcheck' has been added to the group
Warning: Group 'logcheck' has been added to the group file.

Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /etc/.java

on one of my machines.

Another also shows me the warnings:

Checking for passwd file changes [ Warning ]
Warning: User 'clamav' has been added to the passwd file
Warning: User 'geoclue' has been added to the passwd file
Checking for group file changes [ Warning ]
Warning: Group 'clamav' has been added to the group file
Warning: Group 'geoclue' has been added to the group file

I guess these warnings are due to when I made the last earlier scan and due to package updates (e.g. openjdk) and package-installations (clamtk)?

I'm not sure about geoclue and logcheck though as I can't remember installing logcheck and it doesn't display anything under "required by" in Apper.
Is there a way to display when packages were installed and updated and by whom?
Should package-updates and new installations maybe be coupled with other tools (too?) beyond rkhunter such as automatically doing some specific scan/update before a new installation or update etc?

Is there some way, tool or best practice to account for package updates and new installations?

I'm running a recently installed Debian 9.1 with KDE.

mYnDstrEAm

1 Answer


/var/log/apt/history.log* contains logs of all apt’s activity, including the username of the user requesting the change (which is only useful if you use sudo, not root directly).

There already is some integration between rkhunter and apt; see /etc/apt/apt.conf.d/90rkhunter on your system. If you want that to be enabled, you need to change APT_AUTOGEN in /etc/default/rkhunter to true.

You can also add your own pre- or post-installation jobs, e.g. to run a scan just before installation...

The “best practice” part of your question is too broad for this venue. Ultimately, some would argue you should only make changes to your systems using a tool such as Ansible, which provides its own logs of all changes.

Stephen Kitt
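An added example, not code from the answer or from apt itself, that does what the answer describes with /var/log/apt/history.log: it parses the blank-line separated transaction blocks (Start-Date, Commandline, Requested-By, Install/Upgrade/... lines) and reports when a package was installed or upgraded, by which command and by whom. The "automatic" marker on an Install entry tells you the package came in as a dependency rather than being named on the command line, which is the first thing to check for a package you do not remember installing; the sample log, its users, dates and versions are constructed.

```python
"""Who installed or upgraded a package, when and how, from /var/log/apt/history.log."""
import re

# Constructed sample in the history.log layout; users, dates and versions are made up.
SAMPLE_LOG = """\
Start-Date: 2017-09-10  12:01:03
Commandline: apt-get install clamtk
Requested-By: alice (1000)
Install: clamtk:amd64 (1.0-1), clamav:amd64 (1.0-1, automatic)
End-Date: 2017-09-10  12:02:40

Start-Date: 2017-09-12  09:00:00
Commandline: apt-get upgrade
Upgrade: openjdk-8-jre:amd64 (1.0-1, 1.0-2)
End-Date: 2017-09-12  09:03:12
"""
ACTIONS = ("Install", "Upgrade", "Remove", "Purge", "Downgrade", "Reinstall")
PKG_RE = re.compile(r"(\S+?)(?::\S+)? \(([^)]*)\)")  # name[:arch] (details)

def parse_history(text):
    """Split the log into transactions: blank-line separated 'Key: value' blocks."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def package_events(entries, package):
    """Every transaction touching `package`. 'automatic' marks a package apt pulled
    in as a dependency of something else, i.e. not named on the command line."""
    events = []
    for e in entries:
        for action in ACTIONS:
            for name, details in PKG_RE.findall(e.get(action, "")):
                if name == package:
                    events.append({"date": e.get("Start-Date"), "action": action,
                                   "automatic": "automatic" in details,
                                   "command": e.get("Commandline", "?"),
                                   # absent when apt ran as root without sudo
                                   "by": e.get("Requested-By", "root (no Requested-By)")})
    return events

if __name__ == "__main__":
    # Live system: pass open("/var/log/apt/history.log").read(); rotations are .gz (gzip.open).
    for ev in package_events(parse_history(SAMPLE_LOG), "clamav"):
        print(ev)
```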