On Tue, 16 Jun 2009 13:46:53 -0500, Mike McCarty wrote about Re: [Rkhunter-users] aptitude updates file properties automatically on one system but not another:
>Dick Gevers wrote:
>> On Tue, 16 Jun 2009 10:59:17 -0400, Brian McKee wrote about
>> [Rkhunter-users] aptitude updates file properties automatically on one
>> system but not another:
>>
>>> I have rkhunter running on a bunch of Ubuntu 8.04 machines.
>>>
>>> On all of them but one, when system updates are done via the package
>>> manager, rkhunter's info gets updated too - e.g. when cron was
>>> recently updated, rkhunter never issued a warning because the new
>>> hash sum was already known.
>>
>> IMNSHO that is not a quite safe setup: if you tell rkhunter to
>> automatically update your hashes after ubuntu has been updated, it will
>> also not warn for hash changes that are not due to a regular package
>> manager update.
>
>I use RPM, so I can't say what happens about Ubuntu, which I believe
>uses DPKG, but telling it to use the package manager information is
>not the same as telling it to ignore all changes, at least on my
>machine.
>
>> I'd rather be warned of all hash changes and determine by myself whether
>> they are a result of such updates or if they are potentially unwarranted
>> changes.
>
>That's what my setup does. It queries the package manager. It also
>complains if other changes take place the package manager doesn't
>approve.

Aye. What I meant is: if Brian has 300 packages, let's call them 1 thru 300, and Ubuntu updates packages 3, 190 and 250 and Brian's box runs an rkhunter hashupdate right after that, Brian will miss when a rootkit has 'fixed' package no. 13.

Cheers,

=Dick Gevers=
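The two setups contrasted in this thread, modelled as an added example that is not part of the original messages and is not rkhunter's code: a blanket hash update run after a package upgrade, versus accepting a changed hash only when it matches what the package manager recorded. The function names, file paths and the `pkg_db` mapping (standing in for the digests an RPM or DPKG database holds) are assumptions, and all sample data is constructed.

```python
import hashlib

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def blanket_update(baseline, on_disk):
    """Accept every on-disk hash as the new baseline; nothing is ever reported."""
    return dict(on_disk), []

def verified_update(baseline, on_disk, pkg_db):
    """Accept a changed hash only if it matches the package manager's record."""
    new_baseline, warnings = dict(baseline), []
    for path in sorted(on_disk):
        digest = on_disk[path]
        if baseline.get(path) == digest:
            continue                      # unchanged since the last baseline
        if pkg_db.get(path) == digest:
            new_baseline[path] = digest   # change explained by a package update
        else:
            warnings.append(path)         # unexplained change: keep old hash, warn
    return new_baseline, warnings

# Constructed sample data following the scenario in the message above:
# packages 3, 190 and 250 are updated, package 13 changes without an update.
FILES = {n: f"/usr/bin/pkg{n}" for n in (3, 13, 190, 250)}
BASELINE = {p: h(b"v1:" + p.encode()) for p in FILES.values()}
PKG_DB = dict(BASELINE)    # hypothetical view of the package database
ON_DISK = dict(BASELINE)   # what a scan finds on disk
for n in (3, 190, 250):    # legitimate updates: package database and disk agree
    PKG_DB[FILES[n]] = ON_DISK[FILES[n]] = h(b"v2:" + FILES[n].encode())
ON_DISK[FILES[13]] = h(b"modified outside the package manager")

if __name__ == "__main__":
    _, warned = blanket_update(BASELINE, ON_DISK)
    print("blanket update warns about: ", warned)
    _, warned = verified_update(BASELINE, ON_DISK, PKG_DB)
    print("verified update warns about:", warned)
```

The verified variant is only as trustworthy as the package database it reads, which lives on the same host as the files being checked.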