rkhunter warning: Found enabled xinetd service: /etc/xinetd.d/nrpe

On my publicly reachable servers I have installed, among other tools, Rootkit Hunter (rkhunter) for security reasons.

What does rkhunter do?

Rkhunter is, roughly, what a virus scanner is for a Windows system: it carries a database of known rootkits (the files, directories and strings they leave behind) and reports any it finds. Like any such tool it is not 100% reliable, but it weeds out the majority of known rootkits. On each run it examines system binaries, configuration files and bin directories, compares what it finds with its database of known infections and with the baseline of file properties it stored on its last update, and then reports the results. This is where *nix systems really shine: however the OS was built or configured, the filesystem layout and configuration are basically the same, which allows programs like rkhunter to produce results with a fairly small window for error or false positives.

While installing it from the distribution repositories is trivial, fine-tuning the rkhunter.conf file is another matter, since it has to be tailored to the system's configuration and the false-positive warnings have to be dealt with. Receiving those periodically actually lowers our attention to the real signals coming from the server.

So it's a good idea to read the README file provided by your distribution's package. On a CentOS 5.8 system of mine you do that with a simple:

 more /usr/share/doc/rkhunter-1.4.0/README

One of the most annoying false-positive warnings I had to deal with was the one about the Nagios NRPE plugin running as an xinetd service.

The solution I found after some googling was to edit the /etc/rkhunter.conf file like this:

# This setting tells rkhunter where the xinetd configuration
# file is located.
#	^^^ de-commented by me $INSERT-DATE
#	^^^ added by me $INSERT-DATE
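The same whitelist edit, scripted as an added example (my script, not code from the original post or from the rkhunter project) so that it can be tried on a scratch copy of the file before touching the live /etc/rkhunter.conf. It assumes the directive names XINETD_CONF_PATH and XINETD_ALLOWED_SVC as shipped in the rkhunter 1.4.x rkhunter.conf, one XINETD_ALLOWED_SVC line per service file, and it runs on a constructed rkhunter.conf excerpt and a constructed /etc/xinetd.d/nrpe rather than on real system files. Before whitelisting it checks that the xinetd service file is actually enabled and runs the binary we expect, because once a path is whitelisted rkhunter will no longer warn about it:

```shell
#!/bin/sh
# Added example: whitelist the Nagios NRPE xinetd service in a copy of
# rkhunter.conf and verify the result. Directive names (XINETD_CONF_PATH,
# XINETD_ALLOWED_SVC) are assumed from rkhunter 1.4.x; the conf path is
# passed in so the functions can be exercised on a scratch copy first.
set -eu

# Make sure XINETD_CONF_PATH is active: uncomment the shipped default
# if present, otherwise append one. Idempotent.
ensure_xinetd_conf_path() {
    conf="$1"
    if grep -q '^XINETD_CONF_PATH=' "$conf"; then
        return 0
    fi
    if grep -q '^#XINETD_CONF_PATH=' "$conf"; then
        # strip the leading '#' from the commented-out default
        sed 's|^#XINETD_CONF_PATH=|XINETD_CONF_PATH=|' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'XINETD_CONF_PATH=/etc/xinetd.conf\n' >> "$conf"
    fi
}

# Whitelist one xinetd service file (full path), one directive per line.
# Refuses to add the same path twice so repeated runs are harmless.
allow_xinetd_svc() {
    conf="$1"; svc="$2"
    if grep -qxF "XINETD_ALLOWED_SVC=$svc" "$conf"; then
        return 0
    fi
    printf 'XINETD_ALLOWED_SVC=%s\n' "$svc" >> "$conf"
}

# Print the currently whitelisted service files, for review.
allowed_xinetd_svcs() {
    grep '^XINETD_ALLOWED_SVC=' "$1" | sed 's|^XINETD_ALLOWED_SVC=||'
}

# xinetd treats a missing "disable" attribute as enabled, so only an
# explicit "disable = yes" counts as disabled.
xinetd_svc_enabled() {
    [ -f "$1" ] || return 1
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Print the "server = ..." value of an xinetd service file.
xinetd_svc_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# --- demo on constructed scratch files, not on the live system files ---
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/rkhunter.conf"
demo_svc="$demo_dir/nrpe"          # stands in for /etc/xinetd.d/nrpe
cat > "$demo_conf" <<'EOF'
# constructed excerpt of a shipped rkhunter.conf
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# This setting tells rkhunter which xinetd services are allowed.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
EOF
cat > "$demo_svc" <<'EOF'
service nrpe
{
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        server          = /usr/sbin/nrpe
        server_args     = -c /etc/nagios/nrpe.cfg --inetd
        disable         = no
        only_from       = 127.0.0.1
}
EOF

# Whitelist only if the service is enabled and runs the expected binary.
if xinetd_svc_enabled "$demo_svc" \
   && [ "$(xinetd_svc_server "$demo_svc")" = /usr/sbin/nrpe ]; then
    ensure_xinetd_conf_path "$demo_conf"
    allow_xinetd_svc "$demo_conf" /etc/xinetd.d/nrpe
fi
allowed_xinetd_svcs "$demo_conf"
```

After applying the same change to the real /etc/rkhunter.conf, run `rkhunter -C` (on 1.4.x) to validate the configuration file and then `rkhunter --check --sk --rwo` to confirm that only the warnings you have not yet handled remain. Keep the whitelist to the exact paths you have verified; wildcards or extra entries would also hide a service an intruder adds later.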

That solved the issue: no more warnings about it!