unsubscribe
On Jan 5, 2012 2:29 AM, <rkhunter-users-requ...@lists.sourceforge.net>
wrote:
> Send Rkhunter-users mailing list submissions to
> rkhunter-users@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> or, via email, send a message with subject or body 'help' to
> rkhunter-users-requ...@lists.sourceforge.net
>
> You can reach the person managing the list at
> rkhunter-users-ow...@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Rkhunter-users digest..."
>
>
> Today's Topics:
>
> 1. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
> 2. Re: FAQ? Resetting rkhunter Database after OS Updates (Tanstaafl)
> 3. Re: FAQ? Resetting rkhunter Database after OS Updates (Tim Evans)
> 4. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
> 5. Re: FAQ? Resetting rkhunter Database after OS Updates
> (Wayne Brown)
> 6. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
> 7. Re: can not exclude /dev/files (Marius Stan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 03 Jan 2012 19:55:54 +0000
> From: John Horne <john.ho...@plymouth.ac.uk>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <1325620565.11588.4.camel@jhorne>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > On 01/03/2012 01:35 PM, John Horne wrote:
> > > On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > >> Don't see this in the FAQ, or in the last year or so's worth of archived
> > >> messages, so...
> > >>
> > >> After running yum update on a RedHat 5.x system (or any other analogous
> > >> update tool), how do you re-set the rkhunter database to accept the
> > >> changed files? Something like tripwire's --update and --report-file
> > >> options.
> > >>
> > > Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > > indicates when the '--propupd' option should be used:
> > >
> > > One of the checks rkhunter performs is to compare various current
> > > file properties of various commands, against those it has previously
> > > stored. This command option causes rkhunter to update its data file
> > > of stored values with the current values.
> >
> > Thanks for your response. Been there, done that, repeatedly. (This is
> > version 1.3.8, BTW.)
> >
> > The only thing I can find that truly cleans everything up is renaming
> > the db directory and re-installing, then running --propupd, then running
> > a normal scan. Surely, that's not the right way.
> >
> Certainly not! What is the actual problem that you are seeing?
>
> Whenever automatic updates occur to your system, then just running
> 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> file is being used, then nothing should be required (the file checks are
> then done against the system's own databases, not against the RKH one).
>
>
>
> John.
>
> --
> John Horne, Plymouth University, UK
> Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 03 Jan 2012 13:04:58 -0500
> From: Tanstaafl <tansta...@libertytrek.org>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <4f03434a.1030...@libertytrek.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 2012-01-03 11:54 AM, Tim Evans <tkev...@tkevans.com> wrote:
> > Don't see this in the FAQ, or in the last year or so's worth of archived
> > messages, so...
> >
> > After running yum update on a RedHat 5.x system (or any other analogous
> > update tool), how do you re-set the rkhunter database to accept the
> > changed files? Something like tripwire's --update and --report-file
> > options.
> >
> > Thanks.
>
> rkhunter --propupd
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 03 Jan 2012 16:54:45 -0500
> From: Tim Evans <tkev...@tkevans.com>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: John Horne <john.ho...@plymouth.ac.uk>
> Cc: rkhunter-users@lists.sourceforge.net
> Message-ID: <4f037925.90...@tkevans.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 01/03/2012 02:55 PM, John Horne wrote:
> > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> >> On 01/03/2012 01:35 PM, John Horne wrote:
> >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> >>>> messages, so...
> >>>>
> >>>> After running yum update on a RedHat 5.x system (or any other analogous
> >>>> update tool), how do you re-set the rkhunter database to accept the
> >>>> changed files? Something like tripwire's --update and --report-file
> >>>> options.
> >>>>
> >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> >>> indicates when the '--propupd' option should be used:
> >>>
> >>> One of the checks rkhunter performs is to compare various current
> >>> file properties of various commands, against those it has previously
> >>> stored. This command option causes rkhunter to update its data file
> >>> of stored values with the current values.
> >>
> >> Thanks for your response. Been there, done that, repeatedly. (This is
> >> version 1.3.8, BTW.)
> >>
> >> The only thing I can find that truly cleans everything up is renaming
> >> the db directory and re-installing, then running --propupd, then running
> >> a normal scan. Surely, that's not the right way.
> >>
> > Certainly not! What is the actual problem that you are seeing?
>
> Thanks, again. What I'm seeing is reports of inconsistencies on the
> day(s) after applying updates with yum--which is what I would expect to
> see. --propupd does not make them go away, however.
>
> > Whenever automatic updates occur to your system, then just running
> > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > file is being used, then nothing should be required (the file checks are
> > then done against the system's own databases, not against the RKH one).
>
> Turning on PKGMGR makes it even worse (that is, more files are flagged
> in the daily cronjob report than without it).
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 03 Jan 2012 22:37:52 +0000
> From: John Horne <john.ho...@plymouth.ac.uk>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <1325630273.11588.15.camel@jhorne>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 16:54 -0500, Tim Evans wrote:
> > On 01/03/2012 02:55 PM, John Horne wrote:
> > > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > >> On 01/03/2012 01:35 PM, John Horne wrote:
> > >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> > >>>> messages, so...
> > >>>>
> > >>>> After running yum update on a RedHat 5.x system (or any other analogous
> > >>>> update tool), how do you re-set the rkhunter database to accept the
> > >>>> changed files? Something like tripwire's --update and --report-file
> > >>>> options.
> > >>>>
> > >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > >>> indicates when the '--propupd' option should be used:
> > >>>
> > >>> One of the checks rkhunter performs is to compare various current
> > >>> file properties of various commands, against those it has previously
> > >>> stored. This command option causes rkhunter to update its data file
> > >>> of stored values with the current values.
> > >>
> > >> Thanks for your response. Been there, done that, repeatedly. (This is
> > >> version 1.3.8, BTW.)
> > >>
> > >> The only thing I can find that truly cleans everything up is renaming
> > >> the db directory and re-installing, then running --propupd, then running
> > >> a normal scan. Surely, that's not the right way.
> > >>
> > > Certainly not! What is the actual problem that you are seeing?
> >
> > Thanks, again. What I'm seeing is reports of inconsistencies on the
> > day(s) after applying updates with yum--which is what I would expect to
> > see. --propupd does not make them go away, however.
> >
> > > Whenever automatic updates occur to your system, then just running
> > > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > > file is being used, then nothing should be required (the file checks are
> > > then done against the system's own databases, not against the RKH one).
> >
> > Turning on PKGMGR makes it even worse (that is, more files are flagged
> > in the daily cronjob report than without it).
> >
> Okay, I'm a bit lost as to why that happens.
>
> Can you let me know what O/S you are using. Also if you have any
> rkhunter log files (usually in /var/log) which show the problem, could
> you email them to me (not the list) please.
>
>
>
>
> John.
>
> --
> John Horne, Plymouth University, UK
> Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 3 Jan 2012 21:18:20 -0800 (PST)
> From: Wayne Brown <fwbr...@bellsouth.net>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <1325654300.63859.yahoomai...@web83912.mail.sp1.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
>
>
> On Tue, January 3, 2012 at 4:37:52 PM John Horne wrote:
> > On Tue, 2012-01-03 at 16:54 -0500, Tim Evans wrote:
> > > On 01/03/2012 02:55 PM, John Horne wrote:
> > > > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > > >> On 01/03/2012 01:35 PM, John Horne wrote:
> > > >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > > >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> > > >>>> messages, so...
> > > >>>>
> > > >>>> After running yum update on a RedHat 5.x system (or any other analogous
> > > >>>> update tool), how do you re-set the rkhunter database to accept the
> > > >>>> changed files? Something like tripwire's --update and --report-file
> > > >>>> options.
> > > >>>>
> > > >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > > >>> indicates when the '--propupd' option should be used:
> > > >>>
> > > >>> One of the checks rkhunter performs is to compare various current
> > > >>> file properties of various commands, against those it has previously
> > > >>> stored. This command option causes rkhunter to update its data file
> > > >>> of stored values with the current values.
> > > >>
> > > >> Thanks for your response. Been there, done that, repeatedly. (This is
> > > >> version 1.3.8, BTW.)
> > > >>
> > > >> The only thing I can find that truly cleans everything up is renaming
> > > >> the db directory and re-installing, then running --propupd, then running
> > > >> a normal scan. Surely, that's not the right way.
> > > >>
> > > > Certainly not! What is the actual problem that you are seeing?
> > >
> > > Thanks, again. What I'm seeing is reports of inconsistencies on the
> > > day(s) after applying updates with yum--which is what I would expect to
> > > see. --propupd does not make them go away, however.
> > >
> > > > Whenever automatic updates occur to your system, then just running
> > > > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > > > file is being used, then nothing should be required (the file checks are
> > > > then done against the system's own databases, not against the RKH one).
> > >
> > > Turning on PKGMGR makes it even worse (that is, more files are flagged
> > > in the daily cronjob report than without it).
> > >
> > Okay, I'm a bit lost as to why that happens.
> >
> > Can you let me know what O/S you are using. Also if you have any
> > rkhunter log files (usually in /var/log) which show the problem, could
> > you email them to me (not the list) please.
>
> I'm guessing that Tim is specifying PKGMGR when running --propupd but not when
> running the check, which will generate many more errors than running without
> PKGMGR at all. I made the same mistake when I first began using rkhunter.
>
> --
> F. Wayne Brown <fwbr...@bellsouth.net>
>
> Þæs ofereode, þisses swa mæg. ("That passed away, this also can.")
> from "Deor," in the Exeter Book (folios 100r-100v)
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 04 Jan 2012 10:56:54 +0000
> From: John Horne <john.ho...@plymouth.ac.uk>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after
> OS Updates
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <1325674615.27142.3.ca...@jhorne.csd.plymouth.ac.uk>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 21:18 -0800, Wayne Brown wrote:
> >
> > I'm guessing that Tim is specifying PKGMGR when running --propupd but not when
> > running the check, which will generate many more errors than running without
> > PKGMGR at all. I made the same mistake when I first began using rkhunter.
> >
> Yes, that would cause many warnings. You need to decide whether you are
> going to use the package manager or not, and then use the command-line
> options and the configuration file options accordingly. Mixing the two
> will lead to warnings :-)
>
> Generally I tend to just decide on what 'policy' I want, and then set
> the config file options. I don't use the command-line options that much.
> That way rkhunter should be consistent whether I run it via cron or from
> the command-line.
>
>
>
> John.
>
> --
> John Horne Tel: +44 (0)1752 587287
> Plymouth University, UK Fax: +44 (0)1752 587001
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 05 Jan 2012 10:29:17 +0200
> From: Marius Stan <ms...@asesoft.ro>
> Subject: Re: [Rkhunter-users] can not exclude /dev/files
> To: rkhunter-users@lists.sourceforge.net
> Message-ID: <4f055f5d.9000...@asesoft.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> For some reason, Helmut's message didn't arrive in my inbox, so I'm
> forced to reply myself:
>
> I have the following in rkhunter.conf:
> ALLOWDEVFILE="/dev/shm/php_session*"
> ALLOWDEVFILE="/dev/shm/php_session/*"
> ALLOWDEVFILE="/dev/shm/php_session/*/*"
> ALLOWDEVFILE="/dev/shm/php_session/*/*/*"
>
> And yet, I still get these daily warnings:
>
> Warning: Suspicious file types found in /dev:
> /dev/shm/php_session/f/f/sess_ff74cfba3aac7e2cc9bac2c5fb0bd5f0:
> ASCII text, with no line terminators
> /dev/shm/php_session/f/f/sess_ffcbd2f4ba4c1df2987e0b5a6708160c:
> ASCII text, with no line terminators
> /dev/shm/php_session/f/1/sess_f198c5d1a97be02559cbdebc96695ac0:
> ASCII text, with no line terminators
> /dev/shm/php_session/f/1/sess_f13ce52a2c77e5d2603a4ec701034b96:
> ASCII text, with no line terminators
>
>
> And the list is very long...
>
>
>
>
> ------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
>
> End of Rkhunter-users Digest, Vol 65, Issue 2
> *********************************************
>
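The quoted thread turns on two points: 'rkhunter --propupd' re-baselines the stored file properties after a legitimate update, and the PKGMGR policy must be the same for the propupd run and the check run, or the check compares values that came from different sources. The Python below is an added example written for this page, not rkhunter's own code (rkhunter is a shell script; the logic is just easier to read here). It models a data file as JSON, stands a constructed dict in for the package manager's manifest, and assumes, for the sake of the demonstration, that the package database records MD5 digests (as older RPM databases did) while the tool's own data file records SHA-256. The "built under a different PKGMGR policy" warning is a modelling choice, not a message rkhunter prints. All file names and contents are constructed in a temporary directory.

```python
"""Model of the file-properties check: propupd, check, and the two reference
sources (own data file vs. package-manager manifest). Added example, not
rkhunter code; the JSON data file, the manifest and the MD5/SHA-256 split
between the two sources are assumptions made for the demonstration."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def current_props(path, algo="sha256"):
    """Properties compared per file: content hash, size, permission bits, mtime."""
    st = os.lstat(path)
    return {"hash": _digest(path, algo), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def propupd(paths, dbfile, manifest=None):
    """Rebuild the data file from current values. Under the PKGMGR policy
    (manifest given) the package manager's recorded values are stored instead,
    and the policy is recorded in the file header."""
    algo = "md5" if manifest is not None else "sha256"   # assumption, see lead-in
    db = {"pkgmgr": manifest is not None, "files": {}}
    for p in paths:
        db["files"][p] = (dict(manifest[p]) if manifest is not None and p in manifest
                          else current_props(p, algo))
    with open(dbfile, "w") as f:
        json.dump(db, f)
    return db


def check(paths, dbfile, manifest=None):
    """Return the list of warnings; an empty list is a clean run. Reference
    values come from the manifest under PKGMGR and from the data file
    otherwise, so mixing the two policies compares digests of different types."""
    with open(dbfile) as f:
        db = json.load(f)
    use_pkgmgr = manifest is not None
    warnings = []
    if db["pkgmgr"] != use_pkgmgr:   # modelling choice: flag the mixed policy itself
        warnings.append("data file was built under a different PKGMGR policy")
    algo = "md5" if use_pkgmgr else "sha256"
    for p in paths:
        ref = manifest[p] if use_pkgmgr and p in manifest else db["files"].get(p)
        if ref is None:
            warnings.append(f"{p}: no stored values (run propupd)")
            continue
        cur = current_props(p, algo)
        for key in ("hash", "size", "mode", "mtime"):
            if ref[key] != cur[key]:
                warnings.append(f"{p}: {key} differs (stored {ref[key]}, current {cur[key]})")
    return warnings


def demo():
    """Replay the thread's scenario on constructed files; returns the warning
    count after each step."""
    T0, T1 = 1_300_000_000, 1_300_000_600   # fixed mtimes keep the run deterministic
    counts = {}
    with tempfile.TemporaryDirectory() as d:
        bins = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
        for p in bins:
            with open(p, "wb") as f:
                f.write(b"v1 " + os.path.basename(p).encode())
            os.chmod(p, 0o755)
            os.utime(p, (T0, T0))
        manifest = {p: current_props(p, "md5") for p in bins}   # package DB's view
        dbfile = os.path.join(d, "rkhunter.dat")

        propupd(bins, dbfile)
        counts["baseline"] = len(check(bins, dbfile))
        # "yum update" ships a new ls: content, size and mtime change, and the
        # package database is updated with the new values
        with open(bins[0], "wb") as f:
            f.write(b"v2 ls, rebuilt by the vendor")
        os.utime(bins[0], (T1, T1))
        manifest[bins[0]] = current_props(bins[0], "md5")
        counts["after_update"] = len(check(bins, dbfile))          # hash, size, mtime on ls
        propupd(bins, dbfile)
        counts["after_propupd"] = len(check(bins, dbfile))         # clean again
        counts["pkgmgr_check_old_db"] = len(check(bins, dbfile, manifest))
        propupd(bins, dbfile, manifest)                            # PKGMGR on both sides
        counts["pkgmgr_consistent"] = len(check(bins, dbfile, manifest))
        counts["pkgmgr_mixed"] = len(check(bins, dbfile))          # propupd with, check without
    return counts


if __name__ == "__main__":
    for step, n in demo().items():
        print(f"{step}: {n} warning(s)")
```

The last two steps are the situation Wayne describes: a data file built under PKGMGR and then checked without it produces a warning for every file, because each stored digest is of a type the non-PKGMGR check never computes. Settling the policy in the config file, as John suggests, keeps cron runs and interactive runs on the same side.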