Solved RKHunter immediately finds issue with pkg after a --propupd, 14.3-RELEASE

Hi all, strangest issue...

# pkg update
... all good
# pkg upgrade
... no updates
# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 173 files, found 123
# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
...
/usr/local/sbin/pkg [ Warning ]
...
Wait, how does that happen? I thought running a propupd could not immediately fail like this. I can't figure out what to do. Anyone have any idea for tracking this down?




Code:
root(33)au:~ # pkg update
Updating FreeBSD repository catalogue...
Fetching data.pkg: 100%   10 MiB  10.8MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 36472 packages processed.
Updating FreeBSD-kmods repository catalogue...
Fetching data.pkg: 100%   36 KiB  36.8kB/s    00:01
Processing entries: 100%
FreeBSD-kmods repository update completed. 245 packages processed.
All repositories are up to date.

root(33)au:~ # pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating FreeBSD-kmods repository catalogue...
FreeBSD-kmods repository is up to date.
All repositories are up to date.
Checking for upgrades (158 candidates): 100%
Processing candidates (158 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        realtek-re-kmod-1100.00.1403000_1 [FreeBSD]

Number of packages to be reinstalled: 1

129 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching realtek-re-kmod-1100.00.1403000_1~d11fa50f5e.pkg: 100%  129 KiB 132.5kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Reinstalling realtek-re-kmod-1100.00.1403000_1...
[1/1] Extracting realtek-re-kmod-1100.00.1403000_1: 100%
 
rkhunter log file is confusing.

Code:
[08:03:40]   /usr/local/sbin/pkg                             [ Warning ]
[08:03:40] Warning: Package manager verification has failed:
[08:03:40]          File: /usr/local/sbin/pkg
[08:03:40]          The file hash value has changed
[08:03:40] Warning: The file properties have changed:
[08:03:40]          File: /usr/local/sbin/pkg
[08:03:40]          Current permissions: 0755    Stored permissions: 391921
[08:03:40]          Current uid: 0    Stored uid: 0755
[08:03:40]          Current inode: 391921    Stored inode:  (null)
[08:03:40]          Current size: 4338752    Stored size: 0
[08:03:40]          Current file modification time: 1766019848 (17-Dec-2025 19:04:08)
[08:03:40]          Stored file modification time : 4338752 (19-Feb-1970 23:12:32)

It seems like rkhunter is not storing, or is not able to store, a proper record for the pkg file.

# ls -la /usr/local/sbin/pkg
-rwxr-xr-x 1 root wheel 4338752 Dec 17 19:04 /usr/local/sbin/pkg

It doesn't seem to be a link or anything. ls seems to report that everything is normal.
 
/usr/local/var/lib/rkhunter/db/rkhunter.dat
...
56 File:0:/usr/sbin/newsyslog:14b880121aa797498f2ba7979fef7fa41a4406046e86a7ab4d86e298bdc86c41:38263:0555:0:0:47968:1759950106::0::
57 File:0:/usr/sbin/nologin:8b02b01d2ba3a9699a30770f201d9c6d5b54f66cf01f1cc474aa65abacf2a0a6:40011:0555:0:0:618720:1759950106::0::
58 File:0:/usr/sbin/pkg:4bce13ec563d25e507dbb156db22bb64aa2434ab7f7d2ac7596fff647fc5eedb:39537:0555:0:0:555976:1759950106::0::
...
OK, this is weird, look at line 124:
124 File:0:/usr/local/sbin/pkg:/usr/local/sbin/pkg: (null):391921:0755:0:0:4338752:1766019848:pkg-2.4.2:0::

This is where the bad info is coming from. I moved the rkhunter.dat file, then ran rkhunter --propupd and both lines came back:

File:0:/usr/sbin/pkg:4bce13ec563d25e507dbb156db22bb64aa2434ab7f7d2ac7596fff647fc5eedb:39537:0555:0:0:555976:1759950106::0::
File:0:/usr/local/sbin/pkg:/usr/local/sbin/pkg: (null):391921:0755:0:0:4338752:1766019848:pkg-2.4.2:0::

# ls -la /usr/local/sbin/p*
-rwxr-xr-x 1 root wheel 4338752 Dec 17 19:04 /usr/local/sbin/pkg
-rwxr-xr-x 1 root wheel 34355520 Dec 17 19:04 /usr/local/sbin/pkg-static
-rwxr-xr-x 1 root wheel 27799504 Apr 1 2023 /usr/local/sbin/pkg-static.pkgsave

# rm /usr/local/sbin/pkg
# rm /usr/local/sbin/pkg-static
# rm /usr/local/sbin/pkg-static.pkgsave
# pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-2.4.2...
the most recent version of pkg-2.4.2 is already installed
# pkg upgrade
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-2.4.2...
the most recent version of pkg-2.4.2 is already installed
 
pkg -f upgrade

Now pkg update and upgrade are responding normally.

Tried on my second server; it worked first try.

# rm /usr/local/sbin/pkg
# rm /usr/local/sbin/pkg-static
# pkg -f upgrade
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-2.4.2...
package pkg is already installed, forced install
Extracting pkg-2.4.2: 100%
pkg: illegal option -- f
pkg: Invalid argument provided
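
The malformed record shown in this thread can be detected directly in rkhunter.dat before it produces a misleading warning. The following is an added example, not part of the original posts and not rkhunter's own code: it assumes the field order that the thread's records and log imply (path, hash, inode, permissions, uid, gid, size, mtime), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag rkhunter.dat "File:" records whose stored fields cannot
# be what their slot should hold. Field order is inferred from this thread:
#   File:<flag>:<path>:<hash>:<inode>:<perms>:<uid>:<gid>:<size>:<mtime>:<pkg>:...
# A hash field that itself contains ':' (as in "/usr/local/sbin/pkg: (null)")
# shifts every later field one slot to the right, which is what this catches.
check_rkhunter_dat() {
    awk -F: '
    $1 != "File" { next }
    {
        why = ""
        # Stored hash must be a hex digest, not a path or "(null)".
        if ($4 !~ /^[0-9a-fA-F]+$/ || length($4) < 32)
            why = why " hash=\"" $4 "\""
        # Inode must be a plain decimal number.
        if ($5 !~ /^[0-9]+$/)
            why = why " inode=\"" $5 "\""
        # Permissions are stored as a four-digit octal mode such as 0555.
        if ($6 !~ /^[0-7][0-7][0-7][0-7]$/)
            why = why " perms=\"" $6 "\""
        # uid, gid, size and mtime must all be decimal numbers.
        if ($7 !~ /^[0-9]+$/ || $8 !~ /^[0-9]+$/)
            why = why " owner=\"" $7 ":" $8 "\""
        if ($9 !~ /^[0-9]+$/ || $10 !~ /^[0-9]+$/)
            why = why " size_mtime=\"" $9 ":" $10 "\""
        if (why != "")
            print $3 ":" why
    }'
}

# Sample input: the two records quoted in the thread (one good, one shifted).
sample_records() {
    cat <<'EOF'
File:0:/usr/sbin/pkg:4bce13ec563d25e507dbb156db22bb64aa2434ab7f7d2ac7596fff647fc5eedb:39537:0555:0:0:555976:1759950106::0::
File:0:/usr/local/sbin/pkg:/usr/local/sbin/pkg: (null):391921:0755:0:0:4338752:1766019848:pkg-2.4.2:0::
EOF
}

sample_records | check_rkhunter_dat
```

On a live system the function would be fed the database itself, for example `check_rkhunter_dat < /usr/local/var/lib/rkhunter/db/rkhunter.dat` right after `rkhunter --propupd`; any output means a record was stored in a shifted or incomplete form.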
 