[opensuse] Crontab : daily cron job for rkhunter on oS 13.1
Hello List

- i have a line in crontab :

30 12 * * * exec /usr/bin/rkhunter --cronjob --update --rwo

.....................

it seems that rkhunter is not being run by crontab . . . any idea how to activate ?

............

thanks

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 12/08/2013 12:17 AM, Carlos E. R. wrote:
> On 2013-12-07 23:08, ellanios82 wrote:
>> it seems that rkhunter is not being run by crontab . . . any idea how to activate ?
> You should see the reason in syslog or local email.

Thank you Carlos,

- i found ok /var/log/messages which says :

"
/USR/SBIN/CRON[12738]: (root) CMD (exec /usr/bin/rkhunter --cronjob --update --rwo)
G systemd: pam_apparmor(systemd-user:session): Unknown error occurred changing to root hat: Operation not permitted
G kernel: [13216.734228] type=1400 audit(1386239402.861:35): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12737 com
G systemd[12737]: Failed to open private bus connection: Failed to connect to socket /run/user/0/dbus/user_bus_socket: No such file or directo
G systemd[12737]: Mounted /sys/fs/fuse/connections.
"

.....................

- i could not see "syslog" in directory /var/log . . . am i looking in the correct directory?

.......................

- what is next step please?

..........

thanks

On 2013-12-07 23:47, ellanios82 wrote:
> On 12/08/2013 12:17 AM, Carlos E. R. wrote:
>> You should see the reason in syslog or local email.
> - i found ok /var/log/messages which says :

You have deleted the timestamps, I can not see what happened at 12:30.

> - i could not see "syslog" in directory /var/log . . . am i looking in the correct directory?

Almost all of /var/log is syslog :-)

> .......................
> - what is next step please?

local email.

--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)

On 12/08/2013 12:54 AM, Carlos E. R. wrote:
> re: rkhunter cron job fails to run
______________________________
>>> You should see the reason in syslog or local email.
>> - i found ok /var/log/messages which says :
> You have deleted the timestamps, I can not see what happened at 12:30.
______________________

at 12:30 :
_______

2-05T12:30:02.519366+02:00 AIG /USR/SBIN/CRON[12738]: (root) CMD (exec /usr/bin/rkhunter --cronjob --update --rwo)
2013-12-05T12:30:02.863122+02:00 AIG systemd: pam_apparmor(systemd-user:session): Unknown error occurred changing to root hat: Operation not permitted
2013-12-05T12:30:02.863837+02:00 AIG kernel: [13216.734228] type=1400 audit(1386239402.861:35): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12737 comm="(systemd)"
2013-12-05T12:30:02.890217+02:00 AIG systemd[12737]: Failed to open private bus connection: Failed to connect to socket /run/user/0/dbus/user_bus_socket: No such file or directory
2013-12-05T12:30:03.215930+02:00 AIG systemd[12737]: Mounted /sys/fs/fuse/connections.

..................

thank you

On 2013-12-08 09:46, ellanios82 wrote:
> On 12/08/2013 12:54 AM, Carlos E. R. wrote:
>> re: rkhunter cron job fails to run
> ______________________________
>>>> You should see the reason in syslog or local email.
>>> - i found ok /var/log/messages which says :
>> You have deleted the timestamps, I can not see what happened at 12:30.
> ______________________
>
> at 12:30 :
> _______
> 2-05T12:30:02.519366+02:00 AIG /USR/SBIN/CRON[12738]: (root) CMD (exec
> /usr/bin/rkhunter --cronjob --update --rwo)

Well, the task runs. Any error it finds should be in the email. I repeat, in the email. I repeat, in the email. I have told you that two times previously, you did not look. Please do ASAP.

> 2013-12-05T12:30:02.863122+02:00 AIG systemd:
> pam_apparmor(systemd-user:session): Unknown error occurred changing to
> root hat: Operation not permitted
> 2013-12-05T12:30:02.863837+02:00 AIG kernel: [13216.734228] type=1400
> audit(1386239402.861:35): apparmor="DENIED" operation="change_hat"
> info="unconfined" error=-1 pid=12737 comm="(systemd)"

Probably irrelevant.

--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)

On 08/12/2013 15:07, Carlos E. R. wrote:
> Well, the task runs. Any error it finds should be in the email. I repeat, in the email. I repeat, in the email. I have told you that two times previously, you did not look. Please do ASAP.

apart having changed the default cron mail working... (easy to restore)

jdd

--
http://www.dodin.org

On 2013-12-08 15:23, jdd wrote:
> On 08/12/2013 15:07, Carlos E. R. wrote:
>> Well, the task runs. Any error it finds should be in the email. I repeat, in the email. I repeat, in the email. I have told you that two times previously, you did not look. Please do ASAP.
> apart having changed the default cron mail working... (easy to restore)

Ah, but if you changed it, you know about it ;-)

--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)

ellanios82 wrote:
> On 12/08/2013 12:17 AM, Carlos E. R. wrote:
>> On 2013-12-07 23:08, ellanios82 wrote:
>>> it seems that rkhunter is not being run by crontab . . . any idea how to activate ?
>> You should see the reason in syslog or local email.
> Thank you Carlos,
>
> - i found ok /var/log/messages which says :
>
> "
> /USR/SBIN/CRON[12738]: (root) CMD (exec /usr/bin/rkhunter --cronjob --update --rwo)
> G systemd: pam_apparmor(systemd-user:session): Unknown error occurred changing to root hat: Operation not permitted
> G kernel: [13216.734228] type=1400 audit(1386239402.861:35): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12737 com

The log message can't be much more clear than that. apparmor is denying rkhunter the use of "change_hat".

You should be able to fix that by running 'aa-logprof'. It's probably worth filing a bug for too, the rkhunter package ought to include the apparmor profile, I think.

--
Per Jessen, Zürich (1.4°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.

On 08/12/2013 11:12, Per Jessen wrote:
> You should be able to fix that by running 'aa-logprof'. It's probably worth filing a bug for too, the rkhunter package ought to include the apparmor profile, I think.

http://lmgtfy.com/?q=aa-logprof

http://man.he.net/man8/aa-logprof

seems appropriate

jdd

--
http://www.dodin.org

On 12/08/2013 12:54 PM, jdd wrote:
> On 08/12/2013 11:12, Per Jessen wrote:
>> You should be able to fix that by running 'aa-logprof'. It's probably worth filing a bug for too, the rkhunter package ought to include the apparmor profile, I think.
> http://lmgtfy.com/?q=aa-logprof
>
> http://man.he.net/man8/aa-logprof
>
> seems appropriate
>
> jdd

- very advanced . . . very advanced [for me]

thank you Per & thank you JDD

regards

On 2013-12-08 11:12, Per Jessen wrote:
>> G systemd: pam_apparmor(systemd-user:session): Unknown error occurred changing to root hat: Operation not permitted
>> G kernel: [13216.734228] type=1400 audit(1386239402.861:35): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12737 com
> The log message can't be much more clear than that. apparmor is denying rkhunter the use of "change_hat".

No, that message is typically irrelevant. It is a packaging bug, IMHO, a certain component of AA is enabled by default, but there is no default configuration for it.

See Bug 807130, Bug 807106, Bug 807103.

«The easiest fix is to uninstall the pam_apparmor package.»

It is irrelevant because it should not block anything, just pollutes the logs.

--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)

On 12/08/2013 12:17 AM, Carlos E. R. wrote:
> On 2013-12-07 23:08, ellanios82 wrote:
>> it seems that rkhunter is not being run by crontab . . . any idea how to activate ?
> You should see the reason in syslog or local email.

cron now runs rkhunter : all is [ i hope] well :)

Local Mail says :
_____________

"
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': no
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': yes
Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Suspicious file types found in /dev:
         /dev/shm/com.google.Chrome.shmem.A2128B79EDC81A503E4CD6DE6DBE0741C3663744._service_shmem: data
Warning: Hidden file found:/dev/.blkid.tab: ASCII text
Warning: Hidden file found:/dev/.blkid.tab.old: ASCII text
Warning: Hidden file found:/dev/.udev: symbolic link to `/run/udev'
"

..............

thanks

regards

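The first warning in the cron mail above comes from rkhunter comparing its own ALLOW_SSH_ROOT_USER option with sshd's PermitRootLogin. The following is an added example, not part of the thread or of rkhunter itself, that performs the same comparison on two config files; the function names and the sample files are constructed for illustration, and sshd Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce rkhunter's SSH root-login
# consistency check on two config files passed as arguments.

# First uncommented value of an sshd_config keyword. Keywords are
# case-insensitive and sshd keeps the first value it reads.
# Simplification: Match blocks are not handled.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Value of KEY=value in rkhunter.conf, skipping comment lines.
# Assumption: if the key appears more than once, the last one is reported.
rkh_value() {  # $1 = rkhunter.conf path, $2 = option name
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t"]/, "", val); val = tolower(val) }
        END { print val }' "$1"
}

# Returns 0 on match, 1 on mismatch, 2 if sshd_config does not set the keyword.
check_ssh_root() {  # $1 = sshd_config path, $2 = rkhunter.conf path
    s=$(sshd_value "$1" PermitRootLogin)
    r=$(rkh_value "$2" ALLOW_SSH_ROOT_USER)
    if [ -z "$s" ]; then
        echo "PermitRootLogin not set in $1"
        return 2
    fi
    if [ "$s" = "$r" ]; then
        echo "match: $s"
        return 0
    fi
    echo "mismatch: sshd=$s rkhunter=${r:-unset}"
    return 1
}

# Constructed sample files mirroring the values in the mail above.
demo=$(mktemp -d)
printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf '# constructed sample\nALLOW_SSH_ROOT_USER=yes\n' > "$demo/rkhunter.conf"
check_ssh_root "$demo/sshd_config" "$demo/rkhunter.conf" || true
```

On a real system the two arguments would be the local sshd_config and rkhunter.conf; a mismatch is cleared by setting ALLOW_SSH_ROOT_USER to the value sshd actually uses.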
participants (4)
- Carlos E. R.
- ellanios82
- jdd
- Per Jessen