Joe says:
If it helps, I don't have either a /dev/dev or a /root/.readahead.
However, I'm running F19 on my desktop, with Xfce, although I never use
a GUI as root. I also don't have rkhunter installed, so that might be
significant.
The file is not "/root/.readahead". The mystery file is
"/.readahead". What is this mystery file?
Frank asks:
Did you run rkhunter prior to update? to check for nasties? # if not
too late now.
yes.
did you run "rkhunter --propupd" after FN+1 which would be required
yes.
John says (regarding "rpm -qf --queryformat..." error codes):
This means that when rkhunter (RKH) uses the 'rpm' command to check a
package it is getting an error back. All it can do is log the problem.
If you run something like 'rpm -V chkconfig' then you will probably get
an error - that is what RKH is seeing.
But why all the rpm errors? Is yum not doing something that it should be doing during an
update? Am I not doing something I should be doing? Is something wrong with RPM or my
RPM database? What and where is the real bug, and what's the permanent fix?
John says (regarding prelink issues):
The problem here is prelinking. It will change file properties when it
runs, but RKH tries to detect this and so obtain the true values for
each file (either by using the rpm package manager or using the prelink
command to verify the file). In some cases a dependency the file has,
has changed. Again, RKH cannot do anything about that, but suggests
running the prelink command. If it is occurring a lot with different
files, then you can try running 'prelink -qa', 'prelink -fa' or just
wait for the regular prelink cron job to run when it should sort out
prelinking problems. However, when I last looked the job ran about once
every two weeks :-)
"prelink -qa" fixes things only until the next yum update. Should yum do a
"prelink -qa" at the end of each update?
John says (regarding the GasKit rootkit warning):
It's a bug in F20 with the 'dracut' package, the '/dev/dev' directory is
created by mistake (see
https://bugzilla.redhat.com/show_bug.cgi?id=1045116). I got the same
problem. There is a fix, or you could wait for an update to the package.
You can whitelist this in your RKH config file (see RTKT_DIR_WHITELIST).
Good. Thank you, John.
Bill.
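
An added example, not part of the original thread: a shell filter that sorts `rpm -V` output (the check John mentions) by which attributes failed, so content-only differences of the kind prelinking or an update can cause are separated from mode or ownership changes. The verdict labels and sample lines are constructed, and reading S/5 failures as prelink candidates is a heuristic assumption, not rkhunter's own logic.

```shell
#!/bin/sh
# Added example (not from the thread): sort `rpm -V` output by failed attribute.
# Line layout per rpm(8): nine flag characters (S M 5 D L U G T P, "." = passed,
# "?" = not checked), an optional file-type marker (c d g l r), then the path.
# Lines for absent files start with "missing" instead of the flags.
triage_rpm_verify() {
    awk '
    {
        if ($0 ~ /^missing/) {
            flags = "missing"; rest = substr($0, 8)
        } else if (length($0) > 9 && substr($0, 1, 9) ~ /^[SM5DLUGTP.?]+$/) {
            flags = substr($0, 1, 9); rest = substr($0, 10)
        } else next                       # dependency notes, blank lines, etc.

        sub(/^ +/, "", rest)
        marker = ""
        if (rest ~ /^[cdglr] \//) { marker = substr(rest, 1, 1); rest = substr(rest, 3) }

        if (flags == "missing")      verdict = "MISSING"
        else if (marker == "c")      verdict = "CONFIG"   # edited config files are routine
        else if (flags ~ /[MDLUGP]/) verdict = "REVIEW"   # mode/owner/etc: assumed not prelink
        else if (flags ~ /[S5]/)     verdict = "CONTENT"  # size/digest: prelink or update candidate
        else if (flags ~ /T/)        verdict = "MTIME"    # timestamp only
        else next                                         # nothing failed
        print verdict, rest
    }'
}

# Constructed sample lines; on a real system use: rpm -Va | triage_rpm_verify
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/example.conf
S.5....T.    /usr/bin/example-a
.M...UG..    /usr/sbin/example-b
missing     /usr/bin/example-c
.......T.    /usr/lib64/libexample.so.1
Unsatisfied dependencies for example-1.0-1.noarch:
EOF
}

sample_rpm_verify | triage_rpm_verify
```

Files reported as CONTENT are the ones worth re-checking with the prelink verification John describes before treating them as modified.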