On 09/29/2011 12:26 PM, John Horne wrote:
> On Thu, 2011-09-29 at 09:56 +0200, Simon Loewenthal wrote:
>> Good morning all,
>>
>> I am trying to stop these errors from rkhunter by updating the database
>> (presumably?), but the last time I did this, I had messed it up and had
>> to reinstall rkhunter and start afresh!
>>
>> Is there a programme I can run just to add the checksums of these files
>> into the rkhunter dB?
>>
>> (Note that I think I used --hash SHA512, but I cannot remember...)
>>
> Hi,
>
> You might be better off using the HASH_FUNC option in your rkhunter.conf
> file than trying to remember what checksum was used :-)
>
>
>> Example messages I get:
>>
>> Warning: The file '/usr/bin/locate' exists on the system, but it is not
>> present in the rkhunter.dat file.
>> Warning: The file '/usr/bin/mlocate' exists on the system, but it is not
>> present in the rkhunter.dat file.
>>
> This seems a bit odd.
>
> Usually I have found these types of warning get thrown up because the
> PATH used to create the rkhunter database, and that used by the process
> running rkhunter are different. Hence files are either suddenly present
> or missing from the system. If so, then you need to try and ensure that
> the PATH used at both times is the same.
>
> You cannot 'add' new entries. The entries that are added when 'rkhunter
> --propupd' is run are determined by the PATH of the process (usually
> root) running the program and a builtin list of directories (if they
> exist).
>
> However, the default directory list includes /usr/bin. As such the files
> should always be seen, unless you have modified BINDIR in the config
> file, or used the '--bindir' option on the command line.
>
>> Warning: The kernel modules directory '/lib/modules' is missing or empty.
>>
> You can avoid this warning by disabling the 'avail_modules' test.
>
>
>
>
> John.
>
Hi John,
Thank you very much for pointing out the test I had to omit. Running --propupd did its job. Actually, the rkhunter.conf had sha512 in it, so there was no need for me to change anything. No more false positives.

Cheers and have a good weekend.

Simon.

-- 
Email simon AT klunky DOT co DOT uk
PGP is optional: 4BA78604
I won't accept your confidentiality agreement, and your Emails are kept.
~Ö¿Ö~
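The PATH mismatch John describes can be checked directly. The following is an added example, not part of the original thread and not rkhunter's own code: it compares the PATH in effect when 'rkhunter --propupd' was run with the PATH of the process that runs the check, and lists files that only the second one can see. The function names are hypothetical, and rkhunter's builtin directory list is not modelled.

```shell
#!/bin/sh
# Added example: find files that a check-time PATH exposes but the
# PATH used for 'rkhunter --propupd' did not. Such files are candidates
# for the "exists on the system, but it is not present in the
# rkhunter.dat file" warning. Assumption: only PATH is compared.

# path_only_in A B: print each directory of PATH string B absent from A.
path_only_in() {
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue
        case ":$1:" in
            *":$dir:"*) ;;                 # directory also present in A
            *) printf '%s\n' "$dir" ;;     # directory only in B
        esac
    done
    IFS=$old_ifs
}

# files_only_in A B: print regular files located in directories that
# appear in PATH string B but not in PATH string A.
files_only_in() {
    path_only_in "$1" "$2" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Usage: script.sh PROPUPD_PATH CHECK_PATH
# Swap the arguments to list files the check would report as missing.
if [ "$#" -eq 2 ]; then
    files_only_in "$1" "$2"
fi
```
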