Installed RKHunter 1.4.2 on four Solaris 10 test systems.

On each test system, made two edits to the rkhunter.conf file:

  - Changed SUSPSCAN_TEMP=/dev/shm to SUSPSCAN_TEMP=/usr/lib/fs/tmpfs
    (The /dev/shm file did not exist on any of the systems.)
  - Changed PKGMGR=NONE to PKGMGR=SOLARIS

On three of the four test systems, the properties update command (propupd)
populated the rkhunter.dat file correctly. The "Hash" line created in the
rkhunter.dat file was as follows:

  Hash:/usr/bin/perl /usr/local/lib/rkhunter/scripts/filehashsha.pl Digest::MD5 0

All of the fields (including the inode field) were listed for each system
file in the rkhunter.dat file. After running the --check command, the only
warnings that were flagged from the properties check had to do with a few
system files being "replaced by a script" - not a problem.

On the Solaris test system where the rkhunter.dat file was populated
incorrectly, the --propupd command returned the following message:

  File Updated: searched for 211 files, found 209, missing hashes 209

The "Hash" line created in the rkhunter.dat file was:

  Hash:/usr/local/bin/sha1sum

Many of the colon delimited fields for the system files listed in the .dat
file were blank. After running the --check command, every system file was
flagged with one of the following warnings:

  Warning: No hash value found for <filename>
  Warning: Unable to obtain current properties for <filename>
  Warning: Unable to obtain current write permission for <file>

Tried modifying the HASH_CMD setting in the rkhunter.conf file.

On one of the attempts, used the same setting that was created in the
rkhunter.dat file for the three platforms that were populated correctly:

  Hash:/usr/bin/perl /usr/local/lib/rkhunter/scripts/filehashsha.pl Digest::MD5 0

Except for the inode field, which was left blank, all of the fields in the
.dat file were populated correctly. However, when the --check was run, all of
the files scanned in the properties check were flagged with one of the two
warnings:

  Warning: Unable to obtain current properties for <filename>
  Warning: Unable to obtain current write permission for <filename>

On another attempt, changed the following settings in the /etc/rkhunter.conf
file:

  - Uncommented HASH_CMD=sha1sum
  - Set USE_SUNSUM=1

Same problem as the previous attempt. The hashes were populated in the .dat
file. But when the --check was run, all of the files scanned in the properties
check were flagged with one of the two warnings:

  Warning: Unable to obtain current properties for <filename>
  Warning: Unable to obtain current write permission for <file>

Any help on resolving this problem will be greatly appreciated.

Thanks,
Steve Skirpan
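A small diagnostic for the symptom described in the post (File entries in rkhunter.dat with blank colon-delimited fields), added here as an example that is not part of the original message or of the rkhunter project. It assumes a constructed field order (path, hash, size, mode, uid, gid, inode) and a constructed sample file; the real rkhunter.dat layout may differ, so FIELDS would need adjusting before running it against a live file.

```python
# Added diagnostic (not from the post above or from the rkhunter project):
# parse an rkhunter.dat-style properties file and list every File: entry that
# has blank colon-delimited fields, the symptom seen on the failing Solaris
# host. ASSUMPTION: the field order in FIELDS is constructed for this example;
# the real rkhunter.dat layout may differ, so adjust FIELDS to match it.
from typing import Dict, List, Optional

FIELDS = ["path", "hash", "size", "mode", "uid", "gid", "inode"]

# Constructed sample: a Hash: line like the working hosts produced, two complete
# entries, one entry with no hash or properties, one entry missing only inode.
SAMPLE_DAT = """\
Hash:/usr/bin/perl /usr/local/lib/rkhunter/scripts/filehashsha.pl Digest::MD5 0
File:/usr/bin/ls:d41d8cd98f00b204e9800998ecf8427e:23416:0755:0:2:12345
File:/usr/bin/ps:9e107d9d372bb6826bd81d3542a419d6:48920:4555:0:3:12346
File:/usr/bin/netstat::::::
File:/usr/bin/su:3c5f0a1b2d4e6f7a8b9c0d1e2f3a4b5c:31200:4555:0:3:
"""

def hash_line(text: str) -> Optional[str]:
    """Return the command recorded on the Hash: line, or None if absent."""
    for line in text.splitlines():
        if line.startswith("Hash:"):
            return line[len("Hash:"):].strip()
    return None

def parse_dat(text: str) -> Dict[str, Dict[str, str]]:
    """Map each File: entry to {field: value}; short lines are padded with blanks."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.startswith("File:"):
            continue
        parts = line[len("File:"):].split(":")
        parts += [""] * (len(FIELDS) - len(parts))
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries

def incomplete_entries(entries: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {path: [blank field names]} for entries that are not fully populated."""
    bad: Dict[str, List[str]] = {}
    for path, props in entries.items():
        blank = [f for f in FIELDS[1:] if props[f] == ""]
        if blank:
            bad[path] = blank
    return bad

if __name__ == "__main__":
    print("hash command:", hash_line(SAMPLE_DAT))
    for path, blank in incomplete_entries(parse_dat(SAMPLE_DAT)).items():
        print(f"{path}: blank fields {', '.join(blank)}")
```

Run against a real properties file by replacing SAMPLE_DAT with the file's contents; an entry listed with a blank hash is one that --check will later report as "No hash value found".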
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users