chkrootkit results -- question on root logins

[rathodr]

I have been reading many articles but am unable to locate info. on my particular situation. Any help or guidance would be appreciated!

Just installed FC7 and am in the learning mode. So while I know not to login as root, I do so anyway to understand the system. I installed chkrootkit and ran it a few times (logging in as root, and logging in via 'su root'). In all cases, everything passes the test except for the following two msgs:

1. Checking `z2'... user root deleted or never logged from lastlog!
2. Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 10329 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

In #1, I run lastlog and find that for all UIDs, lastlog reports "Never logged in". I see that /var/log/lastlog was updated around the time I installed the system. I suspect I may need to manually rotate logs, but that is a guess on my part.

In #2, I am not sure how to interpret the msg. when I run 'w', I simply get my user login session.

Any thoughts?

[securitylover]

I have the same warnings. My tiny investigation via Google let me know these are false positives, but perhaps someone could shed a brighter light on this issue.

Quote:

Originally Posted by rathodr

I have been reading many articles but am unable to locate info. on my particular situation. Any help or guidance would be appreciated!

Just installed FC7 and am in the learning mode. So while I know not to login as root, I do so anyway to understand the system. I installed chkrootkit and ran it a few times (logging in as root, and logging in via 'su root'). In all cases, everything passes the test except for the following two msgs:

1. Checking `z2'... user root deleted or never logged from lastlog!
2. Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 10329 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

In #1, I run lastlog and find that for all UIDs, lastlog reports "Never logged in". I see that /var/log/lastlog was updated around the time I installed the system. I suspect I may need to manually rotate logs, but that is a guess on my part.

In #2, I am not sure how to interpret the msg. when I run 'w', I simply get my user login session.

Any thoughts?

[rathodr]

Apparently, I get this even after a fresh install. So, it is ok and I see this as a false positive.
I now run tripwire in addition, just to be sure.