On Sunday 11 January 2009, Kevin Fenzi wrote:
>On Thu, 08 Jan 2009 20:29:49 +0000
>John Horne <john horne plymouth ac uk
>> On Thu, 2009-01-08 at 15:22 -0500, Gene Heskett wrote:
>> > On Thursday 08 January 2009, John Horne wrote:
>> > Should the rpm installer have over written them? I dunno, there
>> > could be problems intro'd either way in this case.
>> The rkhunter installer will not overwrite anything in /etc. The copies
>> it takes of the files are for its own use and put into a separate
>> secure directory. It is those files it looks for.
>> Looking at the rkhunter 1.3.2 rpm spec file (as used for the Fedora
>> package), it does not seem to take an initial copy of the files. So
>> that would explain why you got the initial warning. However, as has
>> already been replied, the spec file for 1.3.4 FC10 does do this
>> initial copy (although I cannot personally verify that).
>Nope. Neither one does that. You need to run 'rkhunter --propupd' to
>get it to make copies of passwd/shadow and save file properties.
>The reason for that is that the package can't know anything about how
>much you trust your current install when it's installed. It's up to you
>to run the --propupd and tell it that you think the system is clean and
>that everything should be saved.