Hi team
Yes, I know you guys are super busy in the middle of making 1.3.0 stable, but I
thought I had better ask this question. So no rush to reply, eh?
1) I have tried to find this in the tracker... but am happy to admit I do not know
if this is a bug or should be made a support request, so am asking here.
2) basic info
cvs rkh dated 12 Jul 2007, clean install of Mandriva (actually a restored
partimage image). Conf file given one change only: PKGMGR=RPM
Scan done, then propupd command done, then scan re-done. Then installed off DVD
one rpm file called zsh (version blah). Scan re-done, with the following culled
log file contents. I used the front end of the rpm installer called rpmdrake
through the Mandriva control panel.
To confirm that the rpm manager knows a file was added I did this:
rpm -q zsh ... result: zsh-4.2.6-5mdv2007.0
_________
log4 file excerpts
[13:57:28] Running Rootkit Hunter version 1.3.0 on localhost
[13:57:28] Info: Found O/S name: Mandriva Linux release 2007.1 (Cooker) for i586
[13:57:28] Info: Command line is /usr/local/bin/rkhunter -c -sk
[13:57:28] Info: Using configuration file '/etc/rkhunter.conf'
[13:57:28] Info: Using '/var/lib/rkhunter/db' as the database directory
[13:57:28] Info: System is not using prelinking
[13:57:29] Info: Stored hash values used package manager 'RPM' (md5 function)
[13:57:29] Info: The hash function field index is set to 1
[13:57:29] Info: Using package manager 'RPM' for file property checks
[13:57:29] Info: Found the 'rpm' command: /bin/rpm
[13:57:29] Info: Previous file attributes were stored
[13:57:29] Info: Enabled tests are: all
[13:57:29] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
[13:57:29] Checking if the O/S has changed since last time...
[13:57:29] Info: Nothing seems to have changed
___________log4 excerpts ends ________
3) log4 full text available if required.
Questions
Q1) I can see the rpm package manager is reported in the log file but why no
mention of it at the shell (konsole) command line interface?
Q2) Do you prefer rpm -Uvh (file.rpm) commands instead, in order for the rpm manager
to work, or have I missed something?
Q3) If a system file was installed without using the rpm manager, I agree that
RKH should detect it and report accordingly. So installing a legit file at
first glance looks ok, but my real question is... how do I know the rkhunter
executable really did check all new rpm files were legit?
For example, if I enable Tripwire, skdet, unhide etc... even if those names are
not explicit in the CLI... at least in the logfile I can see the check is being
made?
Forgive me if I have made another stupid mistake... because I prefer not to
make them, but I feel other home users may benefit from any insight your team can
offer. Feel free to point out all of my mistakes... I am still learning. heh heh
Thanks again. cheerio
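As an added illustration for Q3 (this is not rkhunter's code and not the poster's; it is a model written for this thread), the following Python shows what a package-manager-backed file property check of the kind the log reports ("Using package manager 'RPM' for file property checks", "md5 function") amounts to: the on-disk size, mode and MD5 of each file are compared with the record the package database holds for it, so a file that was replaced in place, removed, or never came from any package each produce a distinct verdict. It assumes the `rpm -q --dump` record layout documented in rpm(8) (path size mtime digest mode owner group isconfig isdoc rdev symlink); the sample files and dump records are constructed inline so it runs offline without rpm installed.

```python
# Added example (not rkhunter's code, nor the poster's): a small model of a
# package-manager-backed file property check. Assumptions: the record layout
# of `rpm -q --dump` as documented in rpm(8):
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# and MD5 as the digest, matching the "(md5 function)" line in the log.
# The sample files and dump records below are constructed, not real rpm output.
import hashlib
import os
import stat
import tempfile


def parse_rpm_dump(dump_text):
    """Turn `rpm -q --dump <pkg>` style output into {path: record}.

    Lines with fewer than 11 whitespace-separated fields are skipped.
    """
    records = {}
    for line in dump_text.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue
        path, size, _mtime, digest, mode, owner, group, isconfig = parts[:8]
        records[path] = {
            "size": int(size),
            "digest": digest,
            "mode": int(mode, 8) & 0o7777,   # permission bits only
            "owner": owner,
            "group": group,
            "isconfig": isconfig == "1",
        }
    return records


def md5_of(path):
    """Hex MD5 of a file, read in chunks (the digest the record stores here)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path, records):
    """Compare an on-disk file with its package record and return a verdict."""
    rec = records.get(path)
    if rec is None:
        return "NOT_PACKAGED"        # no package record vouches for this file
    if not os.path.lexists(path):
        return "MISSING"
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != rec["mode"]:
        return "MODE_CHANGED"
    if st.st_size != rec["size"]:
        return "SIZE_CHANGED"
    if md5_of(path) != rec["digest"]:
        return "HASH_CHANGED"        # same size, different content
    return "OK"


def demo():
    """Create two 'packaged' files, verify them, alter the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        zsh = os.path.join(tmp, "zsh")
        zshrc = os.path.join(tmp, "zshrc")
        with open(zsh, "wb") as f:
            f.write(b"#!/bin/sh\necho packaged binary\n")
        with open(zshrc, "wb") as f:
            f.write(b"# default config\n")
        os.chmod(zsh, 0o755)
        os.chmod(zshrc, 0o644)

        # Constructed dump records for the two files, in rpm(8) --dump order.
        dump = "\n".join([
            f"{zsh} {os.path.getsize(zsh)} 1184198400 {md5_of(zsh)} 0100755 root root 0 0 0 X",
            f"{zshrc} {os.path.getsize(zshrc)} 1184198400 {md5_of(zshrc)} 0100644 root root 1 0 0 X",
        ])
        records = parse_rpm_dump(dump)
        before = {"zsh": check_file(zsh, records), "zshrc": check_file(zshrc, records)}

        # Change the tree: a same-size content change, a removal, and a file
        # that no package record knows about.
        with open(zsh, "wb") as f:
            f.write(b"#!/bin/sh\necho modified binary\n")
        os.remove(zshrc)
        rogue = os.path.join(tmp, "rogue")
        with open(rogue, "wb") as f:
            f.write(b"not from any rpm\n")
        after = {
            "zsh": check_file(zsh, records),
            "zshrc": check_file(zshrc, records),
            "rogue": check_file(rogue, records),
        }
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase, verdicts)
```

The "before" pass corresponds to the log's "Nothing seems to have changed"; the "after" pass shows why a size check alone is not enough (the modified binary keeps its size and is only caught by the digest) and why a file outside the package database has to be handled separately rather than silently passed.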
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users