Topic: Database directory does not exist error e-mail from RKhunter (solved)

[mercyh]

After last update RKhunter sends the following e-mail each time the cron job runs.

email

Subject:     rkhunter Daily Run on testserver

--------------------- Start Rootkit Hunter Update ---------------------
Database directory does not exist: /var/rkhunter/db

---------------------- Start Rootkit Hunter Scan ----------------------
Database directory does not exist: /var/rkhunter/db

----------------------- End Rootkit Hunter Scan -----------------------

Please give direction on how to correct this problem.

I have also opened the following bug:

http://bugs.contribs.org/show_bug.cgi?id=5273

Thanks for your help.

[mercyh]

The explanation of the cause and how to fix the problem is found in the following bug report:

http://bugs.contribs.org/show_bug.cgi?id=5269

[armand]

Hi there,

I've been reading the bugtracker, but I'm confused.
I have the same output as mr. John Bennet. Does it mean my system is okay?
Do I have install smeserver-rkhunter?
I don't understand what the solution is.

Regards,

Armand

[Paspv]

Hello Mercyh,

There are several solutions in this tread, could you give the number of the comment with the one you mentioned? I've had the same e-mail as you described here and the one below:

Code: [Select]

/etc/cron.daily/logrotate:

error: stat of /var/log/rkhunter/rkhunter.log failed: No such file or directory

[mercyh]

The second option on comment #11 with the additional reboot command from comment #12 did it for me. On the first nightly run you will get an e-mail showing the program updating (it looks like the message in comment #23) after that you should be running with no errors or messages.

This error will show up on any server that has had the rkhunter.conf file modified. If rkhunter was sending you the "root login allowed over SSH" message and you set that check to "no" in the rkhunter.conf file you will have this problem.

The new update reads the setting from the sme-server DB and pulls it into the rkhunter.conf file automatically.

[Paspv]

Hello Mercyh,

Thanks for your answer. I've installed rkhunter and did the upgrade/reboot, this morning I received this mail:

Code: [Select]

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

----------------------- End Rootkit Hunter Scan -----------------------

I've looked for this message and see there is an bug reported already.

http://bugs.contribs.org/show_bug.cgi?id=5267

It looks I have the same situation as #8, I'll wait to see if they have an solution.

Thanks for the help so far!

[mercyh]

Hello Mercyh,

Thanks for your answer. I've installed rkhunter and did the upgrade/reboot, this morning I received this mail:

Code: [Select]

--------------------- Start Rootkit Hunter Update ---------------------
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Warning: Unable to check for group file differences: no copy of the group file exists.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

----------------------- End Rootkit Hunter Scan -----------------------

I've looked for this message and see there is an bug reported already.

http://bugs.contribs.org/show_bug.cgi?id=5267

It looks I have the same situation as #8, I'll wait to see if they have an solution.

Thanks for the help so far!

I also got that message at first run. Because this is a fresh install of rkhunter it does not have the user and group file to check against. It will have created that file during the run listed above. Your next run should have no errors and you should be up and running without any trouble.

If you want to verify that everything is working, after the next overnight cron jobs run go into the "view log files page" in server-manager and select the "rkhunter.log" file to view. Go to the bottom of the file and you will see what checks ran and completed.

Good luck,

Royce

[chris burnat]

Hi there,

I've been reading the bugtracker, but I'm confused.
I have the same output as mr. John Bennet. Does it mean my system is okay?
Do I have install smeserver-rkhunter?
I don't understand what the solution is.
Armand

rkhunter is about to be removed from the distro (sme 7.4 and sme 8xx) as of next lot of upgrade - in a week or so. This does not mean that rkhunter will be lost for ever, user will be able to install this package from the smecontribs repo.  For more information, check bug #5301 (http://bugs.contribs.org/show_bug.cgi?id=5301).

The best strategy at the moment is to wait until this has taken place, then decide whether you wish to forget about rkhunter altogether, or reinstall it as a contrib.   There is little benefit at this stage in taking any corrective action, i.e. installing smeserver-rkhunter.  The errors you are experiencing are benign and are unlikely to affect the correct operation of your server. 

Hope it helps.

[armand]

Thanks for info Chris,

I will just sit and wait. I was a bit confused. Never had any trouble with SME Server before.
And as I understand now, still no problem....

Thanks again for your advise, and thank you all for this great distro...

Armand

[mercyh]

Chris,

Thanks for the update on the status of rkhunter and SME.

Royce

[Paspv]

Hello Royce,

I checked the server today and there were no messages as you has said so everything is alright here.

Patrick

[Paspv]

Hello Chris,

Thanks for your information. I don't have problems with rkhunter at this moment, they are solved. Is there a particular reason to remove rkhunter from the smeserver?

Patrick

[mercyh]

Patrick,

I think because some of the Devs feel like it is a program that is somewhat problematic and feel that it does not actually add much to the security of the software.

[janet]

Paspv

The issue with rkhunter was an ongoing incidence of false positives, causing angst to unknowing users and generating significant requests for support at bugzilla and in forums.

ie it's a nice tool, but the upstream developers were not catering for all scenarios sufficiently well.

Install smeserver-rkhunter from smecontribs if you want, but it will no longer be in the base release of sme. IIRC sme developers are looking at other alternatives.

[chris burnat]

Hello Chris,

Thanks for your information. I don't have problems with rkhunter at this moment, they are solved. Is there a particular reason to remove rkhunter from the smeserver?

Patrick

Mary response Today at 03:59:55 AM below sums it all.  Please refer.