John, thank you for the previous reply. I am using the beta edition for these tests and rootkits are still not found. I am still not expecting a quick reply, and thank you for your patience, but......

1) Question (1): Why do I need to run this command .... rkhunter -c -sk --pkgmgr?

Information: In my previous post I said that I edited the conf file to have only one change: PKGMGR=RPM

-----log4 excerpts----------------------------------------------
[13:57:28] Info: Using configuration file '/etc/rkhunter.conf'
and that it detected the conf change
[13:57:29] Info: Using package manager 'RPM' for file property checks
------------------------------------------------------------------------

To be more verbose.... I changed the conf to allow the RPM package manager, then I ran the command in the cli as rkhunter -c -sk ........ and then I looked at the results in the cli and also in the logfile.

Next, I tried your more explicit pkgmgr switch in the cli..... (based on your reply I inferred the following command) rkhunter -c -sk --pkgmgr RPM --configfile /etc/rkhunter.conf

-----------log 6 excerpts--------------------------
[16:25:58] Info: Command line is /usr/local/bin/rkhunter -c -sk --pkgmgr RPM --configfile /etc/rkhunter.conf
[16:25:58] Info: Using configuration file '/etc/rkhunter.conf'
[16:25:59] Info: Using package manager 'RPM' for file property checks
--------------------------------------------------------------------------

Opinion.......... It's the same result.

2) Now getting back to my previous question.... what I was looking for in the cli and in the logfile was words to the effect of

------pretend log-------------------------------
[xx.yy.zz] Checking for RPM changes.............[ok or warning]
------------------------------------------------

Instead I can see this from most of my logs

-------------------------
[16:26:04] Performing file properties checks
-----------------------------

and maybe this is what my RPM package manager enabled flag is doing. If so, then my error was in not saying that I was looking for feedback on hash checks. Yes.. I am now saying the logfile is using rpms but not stating so explicitly.

AND... I am now saying the logfile is not showing that hashes are being used in the checks. eg

------log6 excerpts----with only the RPM conf file change
[16:25:59] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[16:25:59] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[16:25:59] Info: Stored hash values used package manager 'RPM' (md5 function)
[16:25:59] Info: The hash function field index is set to 1
[16:25:59] Info: Using package manager 'RPM' for file property checks
---------------------------------------------------------------------------

Opinion... Info is not a part of the scan.

Question (2): Does ..... Performing file properties checks.. EQUAL... scanning with the RPM manager (if enabled in conf file or at cli)?
Question (3): Do the RPM checks replace the hash value checks?
Question (4): If not, where do we find in our logs.... the hash value scans?

cheerio

Full logs are available if required.

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
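As an added check that is not part of the post above and not rkhunter project code: a small POSIX shell parser over rkhunter log text that reports which package manager and hash command the run named, whether the "Performing file properties checks" step actually ran (the Info lines alone do not show that), and whether the stored and current hash functions agree. The first sample log is built from the lines quoted in the post; the second is a constructed mismatch case.

```shell
# Added example, not rkhunter code and not the poster's: inspect an rkhunter
# log for the package manager, the hash command, whether the file properties
# check ran, and whether stored and current hash functions match.
# Constructed sample built from the log lines quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
[16:25:58] Info: Command line is /usr/local/bin/rkhunter -c -sk --pkgmgr RPM --configfile /etc/rkhunter.conf
[16:25:58] Info: Using configuration file '/etc/rkhunter.conf'
[16:25:59] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[16:25:59] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[16:25:59] Info: Stored hash values used package manager 'RPM' (md5 function)
[16:25:59] Info: Using package manager 'RPM' for file property checks
[16:26:04] Performing file properties checks
EOF
)
# Constructed second log: no package manager named, stored hashes made with a
# different tool than the one used now, and no file properties check performed.
SAMPLE_LOG_MISMATCH=$(cat <<'EOF'
[09:00:01] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[09:00:01] Info: Stored hash values used hash function '/usr/bin/md5sum'
EOF
)
# rkh_field PREFIX LOG: first single-quoted value following PREFIX, or NONE.
rkh_field() {
    v=$(printf '%s\n' "$2" | sed -n "s/.*$1 '\([^']*\)'.*/\1/p" | head -n 1)
    printf '%s\n' "${v:-NONE}"
}
rkh_pkgmgr()          { rkh_field 'Using package manager' "$1"; }
rkh_hash_cmd()        { rkh_field 'Using the' "$1"; }
rkh_stored_hash_cmd() { rkh_field 'Stored hash values used hash function' "$1"; }
# Succeeds only if the file properties check itself was performed.
rkh_props_ran() {
    printf '%s\n' "$1" | grep -q 'Performing file properties checks'
}
# Succeeds when the current hash tool is the one the stored values were made
# with; otherwise fresh hashes cannot be compared against the stored ones.
rkh_hash_consistent() {
    cur=$(rkh_hash_cmd "$1")
    [ "$cur" != NONE ] && [ "$cur" = "$(rkh_stored_hash_cmd "$1")" ]
}
# Summary for one log's text; pass the contents of your own rkhunter log.
rkh_summary() {
    printf 'package manager: %s\n' "$(rkh_pkgmgr "$1")"
    printf 'hash command now: %s, stored: %s\n' "$(rkh_hash_cmd "$1")" "$(rkh_stored_hash_cmd "$1")"
    rkh_props_ran "$1" && echo 'file properties check: performed' || echo 'file properties check: NOT performed'
    rkh_hash_consistent "$1" && echo 'hash functions: consistent' || echo 'hash functions: MISMATCH'
}
rkh_summary "$SAMPLE_LOG"
```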