Rkhunter warnings

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Mar 31, 2022.

  1. Jemt

    Jemt Member HowtoForge Supporter

    Hi,

    I just ran `rkhunter --check` manually today. Take note of the timestamps in the warning. I was under the impression that rkhunter ran every day. Is this not the case?

    The ISPConfig web interface has a nice RKHunter log viewer - but it doesn't show any timestamps, so the result could be years old. Please add a timestamp.

    Furthermore, Debian has disabled DB updates for rkhunter (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869760). Does ISPConfig work around this by temporarily enabling updates, or does it update the database by some other means? If not, the Rkhunter log view should show a big fat red warning saying that RKHunter's database is outdated, and that the server is unprotected.

    I was under the impression that I was protected, but all this leaves me with lots of doubts and concerns. Do you have any recommendations as to how I could verify the integrity of the server, now that RKHunter seems to have been inactive for a very long time? At least I don't think I can rely on local file hashes and timestamps. Will a check against an updated rkhunter database suffice, or is there more I can/should do?

    - Thanks in advance
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Rkhunter is running daily and your screenshot does not show any issue in this regard. Rkhunter is not updating file properties on its own (meaning rkhunter does not forget file changes) when you run it. If you verified that everything is fine with that file, you can run rkhunter with the property update option to let it update its file property database.

    Regarding your link from the Debian issue tracker, you should read it until the end; then you see that Debian disabled the updates on purpose.

     
  3. Jemt

    Jemt Member HowtoForge Supporter

    Hi @till
    Thanks for your swift reply.
    I wasn't aware that RKHunter didn't update properties by default. Thanks.
    I was aware though that updates were disabled due to a security issue. The question is, does ISPConfig update the database some other way? If not, I don't see any value in running rkhunter at all. At least it would make sense to flag this as a security problem in the RKHunter log in the web interface - don't you think?
     
  4. Jemt

    Jemt Member HowtoForge Supporter

    Perhaps RKHunter's database is updated via apt-get - in that case I wouldn't consider it a problem.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Which would basically mean that we reintroduce the issue which caused it to be disabled, not sure if that's such a good idea. As rkhunter is a package in the Debian package system, it should receive updates like other packages via apt.
     
  6. Jemt

    Jemt Member HowtoForge Supporter

    Thanks @till - appreciate your thoughts on the matter.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I will often set rkhunter to update properties after dpkg changes, which seems to work well (other than it slows down the apt update process, which is annoying). I would guess it does not update those files via http at that time, though I would need to confirm to be sure.
     

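Posts 1 and 2 raise two things an admin wants to know from the rkhunter log: when the last run actually happened (the ISPConfig viewer shows no timestamp) and how many warnings it left. The following added example, not code from ISPConfig or rkhunter, parses the `[HH:MM:SS] Level: message` lines of a log into a summary and flags a log whose last completed run is older than a chosen number of days. It assumes GNU `date -d` and a constructed sample log; on a real host point it at `/var/log/rkhunter.log`.

```sh
#!/bin/sh
# Constructed sample in rkhunter's log layout (not a real rkhunter.log).
sample_log() {
  cat <<'EOF'
[08:42:54] Info: Start date is Thu Mar 31 08:42:54 UTC 2022
[08:42:55] Checking for rootkits...
[08:43:10] Warning: The file properties have changed:
[08:43:10]          File: /usr/bin/example
[08:43:10]          Current hash: (constructed)
[08:43:10]          Stored hash : (constructed)
[08:43:12] Warning: Hidden directory found: /dev/.example
[08:43:20] Info: End date is Thu Mar 31 08:43:20 UTC 2022
EOF
}

# Print the start date of the most recent run in the log (empty if none).
# tail handles both a single-run log and an appended multi-run log.
rkhunter_last_start() {
  grep 'Info: Start date is' "$1" | tail -n 1 | sed 's/.*Start date is //'
}

# Count warning lines; grep -c exits 1 on zero matches, so keep going.
rkhunter_warnings() {
  grep -c 'Warning:' "$1" || true
}

# Exit 0 (true) when the last run is older than $2 days, or when the log
# records no run at all. $3 is the reference epoch, defaulting to now.
rkhunter_is_stale() {
  log=$1; max_days=$2; now=${3:-$(date +%s)}
  start=$(rkhunter_last_start "$log")
  [ -n "$start" ] || return 0
  # Assumes GNU date, which parses the "Thu Mar 31 08:42:54 UTC 2022" form.
  start_epoch=$(date -u -d "$start" +%s) || return 0
  age_days=$(( (now - start_epoch) / 86400 ))
  [ "$age_days" -gt "$max_days" ]
}

# Human-readable summary of one log file, with a staleness flag.
rkhunter_summary() {
  start=$(rkhunter_last_start "$1")
  printf 'Last run started: %s\n' "${start:-unknown}"
  printf 'Warnings in log:  %s\n' "$(rkhunter_warnings "$1")"
  if rkhunter_is_stale "$1" 2; then
    printf 'STALE: no completed run within 2 days; do not trust these results\n'
  fi
}
```

Once a changed file has been verified as legitimate, `rkhunter --propupd` is the property update option till refers to; it refreshes the stored file properties so the warning stops repeating.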