On Wed, 2007-11-07 at 11:48 +0000, John Horne wrote: 
> On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
> > Dear listmembers.
> > 
> > 
> > I found some wrong information in the config file of rkhunter 1.3.0.
> > Thought I would post it so ppl after me will be guided right.
> > 
> > I run FreeBSD 6.2-RELEASE and in the rkhunter.conf the information
> > regarding HASH_FLD_IDX says:
> > 
> > ...<snap>
> > The default value is one, but for *BSD users
> > rkhunter will automatically use a value of 4.
> > <snap>...
> > 
> > On FreeBSD 6.2, 'man cksum' says: 
> > 
> > ...<snap>
> > The cksum utility writes to the standard output three whitespace
> > separated fields for each input file. These fields are a checksum CRC, the
> > total number of octets in the file and the file name.
> > <snap>...
> > 
> > So for FreeBSD 6.2-Release the HASH_FLD_IDX should be set to 1, *not*
> > 4 as the info in config file says.
> > 
> Hello,
> 
> Well yes, no or possibly! As far as I can tell the current OpenBSD,
> FreeBSD and NetBSD man pages all say the same thing in this respect.
> However, it depends on what you have set your HASH_FUNC option to. Since
> by default RKH will look for 'sha1sum', and if not found then 'sha1',
> under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:
> 
>    {NetBSD}: sha1 /bin/ps
>    SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a
> 
> As can be seen, the hash field index must be 4 in this case.
> 
> Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me
> know what it shows please.

{FreeBSD}:
SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3

> Ironically though, I see in the rkhunter.conf file, I have given as an
> example the following:
> 
>    #   For NetBSD    : HASH_FUNC="cksum -n -a sha512"
> 
> This command will actually produce the hash value as the first field, so
> HASH_FLD_IDX should be 1 in this example! I should perhaps comment that
> in as well. The alternative is to remove the '-n', which will then give
> the output requiring HASH_FLD_IDX to be 4 again.

On FreeBSD you have no options for cksum.
Well you have *one* to tell the truth:

{FreeBSD}
man cksum:
...
<snap>
The options are as follows:
     -o Use historic algorithms instead of the (superior) default one.
...<snap>

In my rkhunter.conf I now have:

HASH_FUNC=cksum
HASH_FLD_IDX=1

-- 
/Peo


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
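
Added example (not part of the original messages and not rkhunter's own code): the thread shows that the right HASH_FLD_IDX depends on the output layout of the command named in HASH_FUNC. This sh script finds the 1-based field that holds the hash in one line of output; the function names are hypothetical, the SHA1 line is the NetBSD output quoted above, and the other two sample lines are constructed.

```sh
#!/bin/sh
# Succeeds if $1 is a hex string of at least 32 characters (MD5 or longer).
is_hex_digest() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# Succeeds if $1 consists only of decimal digits.
is_decimal() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Print the 1-based index of the hash field in output line $1.
# Returns 1 if no field looks like a hash. Runs in a subshell so that
# 'set -f' and the positional parameters do not leak to the caller.
find_hash_idx() (
    set -f            # no globbing while the line is split
    set -- $1         # split on whitespace into $1, $2, ...
    # cksum CRC layout: "<crc> <octets> <file>", checksum is field 1.
    if [ "$#" -eq 3 ] && is_decimal "$1" && is_decimal "$2"; then
        echo 1; return 0
    fi
    idx=1
    for field in "$@"; do
        if is_hex_digest "$field"; then echo "$idx"; return 0; fi
        idx=$((idx + 1))
    done
    return 1
)

# Sample output lines. BSD_LINE is quoted in the thread; the rest are constructed.
BSD_LINE='SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a'
CKSUM_LINE='2839341045 41096 /bin/ps'
GNU_LINE='9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a  /bin/ps'

for line in "$BSD_LINE" "$CKSUM_LINE" "$GNU_LINE"; do
    printf '%s -> HASH_FLD_IDX=%s\n' "$line" "$(find_hash_idx "$line")"
done
```

A file name containing whitespace adds fields to the line, so the check is meant for a known path such as /bin/ps.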