On Mon, 2007-07-23 at 19:30 +1000, Gordy wrote:
>
> Thank you for the previous reply. I am using the beta edition for these tests
> and rootkits are still not found.
>
Are you saying that your system has a rootkit installed on it and RKH is not
finding it?

> 1) Question (1)
> Why do I need to run this command ....rkhunter -c -sk --pkgmgr?
>
You haven't specified a package manager to use there; RKH will give an error.

> -----------log 6 excerpts--------------------------
> [16:25:58] Info: Command line is /usr/local/bin/rkhunter -c -sk --pkgmgr RPM --configfile /etc/rkhunter.conf
> [16:25:58] Info: Using configuration file '/etc/rkhunter.conf'
> [16:25:59] Info: Using package manager 'RPM' for file property checks
> --------------------------------------------------------------------------
>
> Opinion.......... It's the same result.
>
Correct. There is no difference whether you use the config file or the
command-line. Although the log will show the command-line used and hence you
can then see a package manager was specified.

> 2) Now getting back to my previous question....what I was looking for in the
> cli and in the logfile was words to the effect
>
> ------pretend log-------------------------------
> [xx.yy.zz] Checking for RPM changes.............[ok or warning]
> ------------------------------------------------
>
> Instead I can see this from most of my logs
> -------------------------
> [16:26:04] Performing file properties checks
> -----------------------------
> and maybe, this is what my RPM package manager enabled flag is doing. If so,
> then my error was in not saying that I was looking for feedback on hash
> checks.
>
> Yes ..I am now saying the logfile is using rpms but not stating so
> explicitly. AND...I am now saying the logfile is not showing that hashes are
> being used in the checks.
>
RKH performs the 'file properties' check when the test is enabled (which by
default it is). *HOW* it performs that test can be modified by using a package
manager, but the test is the same regardless of whether a package manager is
used or not. File properties are checked to see if they have changed. The log
file does not record specific properties unless there is an error.
I think you are putting too much emphasis on the rpm package manager. It is not
a test in itself, but simply part of a larger test. It is only used as a
mechanism to perform part of the file properties check. As such the log file
will mention that a package manager is being used, but that is all.

> Opinion...Info is not a part of the scan.
>
'Info:' type messages in the log file are simply pieces of information logged
at the time which may be useful if the log file needs to be interrogated. They
may occur within tests.

> Question (2)
> Does .....Performing file properties checks.. EQUAL... scanning with RPM
> manager (if enabled in conf file or at cli)?
>
No. A package manager will be used to check whatever values it provides as part
of the file properties check. However, none of the current package managers
provide all the information - for example, has a file changed from being a
binary to a shell script? The rpm package manager cannot tell you that. So RKH
will perform other checks as well to verify that the file has not changed at
all.

As far as I remember there are 10 or 11 tests in the file properties check. The
rpm package manager provides about 7 or 8 test values; the bsd and Debian
package managers only provide 1. All the other test values are obtained by
other means and compared against the rkhunter.dat file. This is why the
'--propupd' option should be one of the first used after RKH has been
installed. It creates the rkhunter.dat file, and allows RKH to fully check each
file in the file properties check. If it ('--propupd') is not used, then the
file properties check can only perform some of the tests (those not requiring
the rkhunter.dat file).

> Question (3)
> Do the RPM checks replace the hash value checks?
>
No, you are missing the point. Forget about the old 'hashes' check; that
related to version 1.2.9 and before. Version 1.3.0 has a 'file properties'
check. One part of that check is to see if a file's hash value has changed.
This can be done using a package manager, or by other means and then comparing
against the value stored in rkhunter.dat. The CHANGELOG file points out that
the file properties check checks more than just the file's hash value though.

> Question (4)
> If not, where do we find in our logs....the hash value scans?
>
As part of the file properties check. If the test for each file passes then you
will get an 'ok'. If any file property has changed - i.e. hash value,
permissions, file type, uid, inode, etc, etc - then you get a warning.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                         Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
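The reply above describes the file properties check as a set of per-file properties (hash, permissions, uid, inode, file type) compared against a baseline created with --propupd, and singles out a binary being replaced by a shell script as the change a package manager alone cannot see. What follows is an added example, not rkhunter's own code and not the real rkhunter.dat format: a small Python model of that baseline-and-compare logic, run on a constructed scenario in which a fake ELF binary is overwritten in place by a shell script of the same size and mode, so that only the hash and file-type properties flag. The property list, the JSON baseline layout and the file names are assumptions for illustration.

```python
"""Added example (not rkhunter code): a minimal model of a 'file properties'
check. A baseline file (standing in for rkhunter.dat, created by --propupd)
records several properties per path; a later check compares every property
and reports which ones changed. Property names, the JSON layout and the demo
paths are assumptions for illustration."""
import hashlib
import json
import os
import stat
import tempfile

# Properties recorded per file. 'ftype' is the binary-vs-script distinction the
# message says a package manager cannot report, so it is derived from content.
PROPERTIES = ("sha256", "mode", "uid", "gid", "inode", "size", "ftype")


def file_type(path):
    """Classify by leading bytes: ELF binary, '#!' script, or other."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def file_properties(path):
    """Collect the current value of every property for one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
        "size": st.st_size,
        "ftype": file_type(path),
    }


def propupd(paths, dat_path):
    """Write the baseline; the role '--propupd' plays for rkhunter.dat."""
    baseline = {p: file_properties(p) for p in paths}
    with open(dat_path, "w") as f:
        json.dump(baseline, f, indent=1)
    return baseline


def check(dat_path):
    """Compare every baselined file; return {path: [changed properties]}.
    An empty dict is the 'ok' case; any entry is a warning."""
    with open(dat_path) as f:
        baseline = json.load(f)
    warnings = {}
    for path, recorded in baseline.items():
        if not os.path.lexists(path):
            warnings[path] = ["missing"]
            continue
        current = file_properties(path)
        changed = [k for k in PROPERTIES if current[k] != recorded[k]]
        if changed:
            warnings[path] = changed
    return warnings


def demo():
    """Constructed scenario: baseline a fake ELF 'ls', then overwrite it in
    place with a shell script of the same size and mode. Size, mode, owner
    and inode all survive; only the hash and the file type give it away."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "ls")
    with open(target, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 60)        # 64-byte fake ELF header
    os.chmod(target, 0o755)
    dat = os.path.join(workdir, "rkhunter.dat")   # stand-in baseline file
    propupd([target], dat)
    before = check(dat)                           # {}: nothing changed yet
    with open(target, "wb") as f:                 # truncate in place, inode kept
        f.write(b"#!/bin/sh\n" + b"#" * 54)       # also 64 bytes
    os.chmod(target, 0o755)
    after = check(dat)                            # {target: ['sha256', 'ftype']}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "ok")
    print("after tampering:", after)
```

Run as a script it prints the two check results; `demo()` returns them. The point of the scenario is the one the reply makes: a property set that stopped at size, mode, owner and inode would report this file as unchanged, so the content hash and the content-derived file type have to be part of the comparison as well.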