Wood's Words

Update rkhunter After SUSE Package Updates

How to suppress rkhunter false positives due to zypper package updates on openSUSE 15.3.

Danila Vershinin’s blog post explains why one might want to do this and has instructions for CentOS 7. The only problem I had with his setup is that I couldn’t find anything for SUSE that did what yum-plugin-post-transaction-actions does, so I had to write a zypper plugin for that.

  1. Setup
  2. How it Works

Setup

Install zypp-plugin-post-commit-actions.

Create /etc/zypp/post-actions.d/rkhunter.action with this line:

*:any:echo $name >> /var/lib/rkhunter/changed-packages.dat

Create a script, /etc/cron.daily/0rkhunter, with these contents:

#!/bin/bash
# Feed every package that zypper touched since the last run to rkhunter,
# so its file-properties database matches the newly installed RPM contents.
# rkhunter takes those properties from the RPM database, which requires
# PKGMGR=RPM to be set in rkhunter.conf.
pkglist=/var/lib/rkhunter/changed-packages.dat
touch "$pkglist"
# sort -u: a package updated several times only needs one --propupd run
while read -r pkg; do
    /usr/bin/rkhunter --propupd "$pkg" &>/dev/null
done < <(sort -u "$pkglist")
# empty the list so the next run only sees new changes
: > "$pkglist"

Make the script executable with chmod +x /etc/cron.daily/0rkhunter.

If all goes well, you’ll no longer get false positives like below for files that were changed due to a package being updated, installed, or removed:

Warning: The file properties have changed:
         File: /bin/systemctl
         Current inode: 133679    Stored inode: 71681
Warning: The file properties have changed:
         File: /usr/bin/curl
         Current inode: 135284    Stored inode: 72525

How it Works

Whenever a package is installed, updated, or removed with zypper, we store the package name in /var/lib/rkhunter/changed-packages.dat with the help of the zypper plugin.

Before the system cron job for rkhunter (suse.de-rkhunter) runs, our 0rkhunter cron script takes the stored package names and runs rkhunter --propupd $pkg against each one. Running rkhunter this way updates the rkhunter database only for the files included in the RPM package named $pkg, and it takes the file attributes from RPM’s database rather than from the filesystem.
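To check the list handling described above (and used by the 0rkhunter script in Setup) before wiring it to the real rkhunter, here is an added dry-run harness; it is not part of the original post or of the zypper plugin. It factors the cron script's logic into functions and injects the rkhunter command by name, so a stub can stand in for /usr/bin/rkhunter. The stub's interface (`cmd --propupd <pkg>`) mirrors rkhunter's documented option; the package names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: a dry-run harness for the
# changed-packages list that the zypper action file appends to.

# record_package LISTFILE NAME
# Equivalent of the action file's "echo $name >> ...": append one package name.
record_package() {
    printf '%s\n' "$2" >> "$1"
}

# process_changed_packages LISTFILE RKHUNTER_CMD
# Mirrors the cron script: de-duplicate the list, skip blank lines, run
# "RKHUNTER_CMD --propupd <pkg>" once per package, then empty the list.
# Prints the number of packages handed to RKHUNTER_CMD.
process_changed_packages() {
    listfile=$1
    rkh=$2
    count=0
    touch "$listfile"
    # A temp file instead of bash process substitution keeps this POSIX sh.
    sorted=$(mktemp)
    sort -u "$listfile" > "$sorted"
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue            # ignore empty lines
        "$rkh" --propupd "$pkg" >/dev/null 2>&1 || \
            echo "propupd failed for $pkg" >&2
        count=$((count + 1))
    done < "$sorted"
    rm -f "$sorted"
    : > "$listfile"                          # start fresh for the next run
    echo "$count"
}

# Stub standing in for /usr/bin/rkhunter: records what it was asked to update.
STUB_LOG=$(mktemp)
fake_rkhunter() {
    printf '%s %s\n' "$1" "$2" >> "$STUB_LOG"
}

# Constructed sample run: curl updated twice in one day, systemd once, plus a
# stray blank line. Expect two --propupd calls and an emptied list.
demo() {
    list=$(mktemp)
    record_package "$list" curl
    record_package "$list" systemd
    record_package "$list" curl
    printf '\n' >> "$list"
    n=$(process_changed_packages "$list" fake_rkhunter)
    echo "processed $n packages; list now has $(wc -l < "$list") lines"
    cat "$STUB_LOG"
    rm -f "$list"
}
```

Run `demo` to see the two calls the stub received; swapping `fake_rkhunter` for `/usr/bin/rkhunter` gives the behaviour of the cron script.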

See Danila Vershinin’s blog post for a more thorough explanation of the pieces at play here.