rkhunter alerts // Warnings for changes to passwd file

Discussion in 'General' started by Spawnsworth, Aug 18, 2016.

  1. Spawnsworth

    Spawnsworth Member


    I am getting regular warning emails from rkhunter on one of our servers. It is warning that changes have been made to the passwd file. The end user is adding their own Users so this is legit and we keep getting warning emails about it.

    Is there any way to stop rkhunter from checking the passwd file? There are far too many FPs so I'd rather disable this particular check if it was possible?

    Details from the rkhunter.log are as follows:

    [23:01:30] Info: Starting test name 'passwd_changes'
    [23:01:30] Checking for passwd file changes [ Warning ]
    [23:01:30] Warning: User 'web46' has been added to the passwd file.
    [23:01:30] Warning: User 's4_chambre' has been added to the passwd file.
    [23:01:30] Info: Starting test name 'group_changes'
    [23:01:30] Checking for group file changes [ Warning ]
    [23:01:30] Warning: Changes found in the group file for group 'sshusers':
    [23:01:31] User 'web46' has been added to the group
    [23:01:31] Checking root account shell history files [ OK ]

    Many thanks,

  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You could probably add `passwd_changes group_changes` to the `DISABLED_TESTS` line in /etc/rkhunter.conf to disable the tests completely. Possibly you could write a simple ispconfig plugin that runs when users/groups change to update rkhunter's database, so those tests could still run and potentially catch other changes that were not made by ispconfig.
  3. Spawnsworth

    Spawnsworth Member

    Hi Jesse,

    Thanks for your reply! I'd just prefer to add it to the DISABLED_TESTS line and have done just that. Hopefully will keep it quiet!


Share This Page