On Tue, 2009-12-29 at 21:22 +0000, Dick Gevers wrote:
> Hi
>
> I'm using rpm package manager.
>
> # tail -5 rkhunter.conf
> INSTALLDIR=/usr/local
> DBDIR=/var/lib/rkhunter/db
> SCRIPTDIR=/usr/local/lib/rkhunter/scripts
> TMPDIR=/var/lib/rkhunter/tmp
> USER_FILEPROP_FILES_DIRS=/usr/local/etc/rkhunter.conf
>
> All rkhunter logs contain the File properties check that says at the end:
>
> //usr/local/unhide/unhide-linux26 [ OK ]
> /usr/local/etc/rkhunter.conf [ OK ]
>
> Note the single slash at the start of the last line.
>
I'm more confused as to why the second line has two slashes. Are you using
the '-r' (or ROOTDIR) option at all?
> Then I change the content of rkhunter.conf and run:
>
> # rkhunter --propupd /usr/local/etc/rkhunter.conf
>
> as I would expect to receive a warning otherwise (!?)
>
Correct, you should get a warning to highlight that the file has changed.

> But this returns:
> Filename is not in the "rkhunter.dat" file: /usr/local/etc/rkhunter.conf
>
> However:
> # tail -1 /var/lib/rkhunter/db/rkhunter.dat
>
> gives:
>
> File:usr/local/etc/rkhunter.conf:0db1e4bf8bc5847335d72b09b1482fdaa0d05cab:345126:0600:0:0:33811:1259527434::
>
> Note the missing slash before 'usr', while all other paths in the dat file
> start with a slash.
>
Very odd.

> On the other hand, if I go to the system's root ( "/" ) and do it without
> the 1st slash:
>
> # rkhunter --propupd usr/local/etc/rkhunter.conf
>
> this returns:
> Relative file or directory name specified: usr/local/etc/rkhunter.conf
>
Yes, that is correct. You can't use relative pathnames.

> But by none of the described actions is the rkhunter.dat file updated.
>
> So IMHO the mentioned file check [ OK ] for rkhunter.conf is not
> appropriate, because I think the check cannot have run.
>
> To fix stg that may have happened with an older version of rkh, I edit
> rkhunter.dat and add the missing slash.
>
> Now the command
> # rkhunter --propupd /usr/local/etc/rkhunter.conf
>
> Gives:
> [ Rootkit Hunter version 1.3.6 ]
> File updated: searched for 160 files, found 137 of 137
>
> and the result is that rkhunter.dat is updated, including the data for
> rkhunter.conf.
>
> But: according to 'rkhunter --help', the option '--propupd [ file ]' should
> only have updated the specified entry in the db, not all entries.
>
Correct, it should have said 'found 1 of 137'.

From what you have said, I have no idea what is going on. I would say first
of all delete the 'rkhunter.dat' file completely. Then run 'rkhunter --propupd'
to let RKH recreate the file.
If you then still get odd errors when using --propupd, run RKH with the
--debug option and email me the resulting /tmp output file.

Thanks,

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287
Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
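The thread turns on two odd entries in the file-properties database: a path stored without its leading slash (which makes `--propupd /usr/local/etc/rkhunter.conf` report the file as not in the db) and a path logged with a doubled slash. The following script is an added example, not rkhunter's own code, that parses `rkhunter.dat` records and flags both anomalies, then shows the SHA-1/size comparison at the heart of a file-properties check. It assumes the record layout seen in the quoted `tail -1` output (`File:<path>:<sha1>:<size>:<mode>:<uid>:<gid>:<inode>:<mtime>::`); the meaning of the fields after the path and the canonical-path rule are assumptions, and every sample line except the quoted `rkhunter.conf` entry is constructed.

```python
"""Consistency checks for an rkhunter 'rkhunter.dat' file-properties database.

Added example for this thread, not rkhunter's own code. It assumes the record
layout visible in the quoted 'tail -1' output:
    File:<path>:<sha1>:<size>:<mode>:<uid>:<gid>:<inode>:<mtime>::
The meaning of the fields after the path is an assumption drawn from that one
sample line (40-hex SHA-1, decimal size, octal mode, uid, gid, inode, mtime).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample database. The rkhunter.conf line is the one quoted in the
# thread; the other lines (paths, hashes, sizes) are made up for illustration.
SAMPLE_DAT = """\
File:/bin/ls:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef:118280:0755:0:0:1001:1259527000::
File://usr/local/unhide/unhide-linux26:cafebabecafebabecafebabecafebabecafebabe:22000:0755:0:0:1002:1259527100::
File:usr/local/etc/rkhunter.conf:0db1e4bf8bc5847335d72b09b1482fdaa0d05cab:345126:0600:0:0:33811:1259527434::
File:/usr/local/etc/empty.marker:da39a3ee5e6b4b0d3255bfef95601890afd80709:0:0644:0:0:1003:1259527200::
"""

RECORD_RE = re.compile(
    r"^File:(?P<path>[^:]+):(?P<sha1>[0-9a-f]{40}):(?P<size>\d+):(?P<mode>[0-7]+)"
    r":(?P<uid>\d+):(?P<gid>\d+):(?P<inode>\d+):(?P<mtime>\d+)::$"
)


@dataclass
class FileRecord:
    path: str   # path exactly as stored in the .dat file
    sha1: str
    size: int
    mode: str   # kept as the octal string from the file
    uid: int
    gid: int
    inode: int
    mtime: int


def parse_dat(text: str) -> List[FileRecord]:
    """Parse 'File:' records; lines that do not match the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        records.append(FileRecord(
            path=m["path"], sha1=m["sha1"], size=int(m["size"]), mode=m["mode"],
            uid=int(m["uid"]), gid=int(m["gid"]), inode=int(m["inode"]),
            mtime=int(m["mtime"]),
        ))
    return records


def canonical(path: str) -> str:
    """Assumed canonical form: absolute, with runs of '/' collapsed.

    Maps both 'usr/local/etc/rkhunter.conf' (missing leading slash) and
    '//usr/local/unhide/unhide-linux26' (doubled slash) onto one form so the
    two anomalies from the thread can be compared against normal entries.
    """
    return "/" + re.sub(r"/+", "/", path).lstrip("/")


def relative_entries(records: List[FileRecord]) -> List[FileRecord]:
    """Entries stored without a leading '/': the condition behind the
    'Filename is not in the "rkhunter.dat" file' message in the thread."""
    return [r for r in records if not r.path.startswith("/")]


def doubled_slash_entries(records: List[FileRecord]) -> List[FileRecord]:
    """Entries whose stored path contains '//'."""
    return [r for r in records if "//" in r.path]


def lookup_exact(records: List[FileRecord], path: str) -> Optional[FileRecord]:
    """Literal string match; this is what fails for the relative entry."""
    return next((r for r in records if r.path == path), None)


def lookup(records: List[FileRecord], path: str) -> Optional[FileRecord]:
    """Match after canonicalising both sides."""
    want = canonical(path)
    return next((r for r in records if canonical(r.path) == want), None)


def repair_line(record: FileRecord) -> str:
    """Re-emit the record with a canonical path (the manual slash fix from the thread)."""
    return (f"File:{canonical(record.path)}:{record.sha1}:{record.size}:{record.mode}"
            f":{record.uid}:{record.gid}:{record.inode}:{record.mtime}::")


def content_matches(record: FileRecord, data: bytes) -> bool:
    """Core of a file-properties check: stored SHA-1 and size vs. current content."""
    return len(data) == record.size and hashlib.sha1(data).hexdigest() == record.sha1


if __name__ == "__main__":
    recs = parse_dat(SAMPLE_DAT)
    for r in relative_entries(recs):
        print("relative path stored:", r.path)
        print("repaired line:       ", repair_line(r))
    for r in doubled_slash_entries(recs):
        print("doubled slash stored:", r.path)
```

Running it against the constructed database prints the `rkhunter.conf` entry as the one relative path together with its repaired line, and the `unhide-linux26` entry as the one with a doubled slash. The exact-match lookup reproduces the symptom from the thread, while the canonicalised lookup finds the entry; whether rkhunter itself canonicalises paths this way is not something the thread establishes.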