Rootkit Hunter

On Mon, 2011-09-19 at 16:46 +0200, daniel@... wrote:
> Greetings,
> 
>    I've been testing Rootkit Hunter 1.3.8 on a handful of Solaris 10 
>  (x86) servers, and I have an interesting problem. While running the 
>  script manually (rkhunter --check --rwo --sk), everything works as 
>  expected. However, when running a check via crontab, I get errors about 
>  files that don't exist on the system though they are in the rkhunter.dat 
>  files.
>
Hello,

I would very much first check that you only have one version of rkhunter
on the system(s). Use something like glocate (just 'locate' or mlocate,
slocate on other systems). It sounds like your cron system is picking up
one version of RKH, whereas when run interactively you are getting a
different one (or the same version but different data files).




John

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

Le 20 sept. 2011 à 12:03, John Horne a écrit :
> On Mon, 2011-09-19 at 16:46 +0200, daniel@... wrote:
>> Greetings,
>> 
>>   I've been testing Rootkit Hunter 1.3.8 on a handful of Solaris 10 
>> (x86) servers, and I have an interesting problem. While running the 
>> script manually (rkhunter --check --rwo --sk), everything works as 
>> expected. However, when running a check via crontab, I get errors about 
>> files that don't exist on the system though they are in the rkhunter.dat 
>> files.
>> 
> Hello,
> 
> I would very much first check that you only have one version of rkhunter
> on the system(s). Use something like glocate (just 'locate' or mlocate,
> slocate on other systems). It sounds like your cron system is picking up
> one version of RKH, whereas when run interactively you are getting a
> different one (or the same version but different data files).


There's only one version, which I packaged and installed very recently.
There was no RKH install before that.

I also checked for duplicate config files, but there's only one, the
/etc/rkhunter.conf file - and the whitelisting declared in that file is
correctly applied whether running through the command line or as
a cron job.

I've made a very slight change to the job, I wasn't using the --cronjob
option. I doubt the --nocolors will change anything, but it's worth a try.

--
Daniel

On Tue, 2011-09-20 at 12:47 +0200, Daniel Polombo wrote:
> Le 20 sept. 2011 à 12:03, John Horne a écrit :
> > On Mon, 2011-09-19 at 16:46 +0200, daniel@... wrote:
> >> Greetings,
> >> 
> >>   I've been testing Rootkit Hunter 1.3.8 on a handful of Solaris 10 
> >> (x86) servers, and I have an interesting problem. While running the 
> >> script manually (rkhunter --check --rwo --sk), everything works as 
> >> expected. However, when running a check via crontab, I get errors about 
> >> files that don't exist on the system though they are in the rkhunter.dat 
> >> files.
> >> 
> > Hello,
> > 
> > I would very much first check that you only have one version of rkhunter
> > on the system(s). Use something like glocate (just 'locate' or mlocate,
> > slocate on other systems). It sounds like your cron system is picking up
> > one version of RKH, whereas when run interactively you are getting a
> > different one (or the same version but different data files).
> 
> 
> There's only one version, which I packaged and installed very recently.
> There was no RKH install before that.
> 
Hello,

Okay, in which case I would suspect that the PATH used when run via cron
is different from when used interactively. As such if you ran 'rkhunter
--propupd' interactively, then some files may well be reported as
present or missing from the system.

If you are using 'sudo', then maybe using 'sudo su -' will give you the
same PATH as used by cron.

The '--nocolors' option simply suppresses showing the colour escape
codes in the output.




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

> Hello,
>
> Okay, in which case I would suspect that the PATH used when run via cron
> is different from when used interactively. As such if you ran 'rkhunter
> --propupd' interactively, then some files may well be reported as
> present or missing from the system.
>
> If you are using 'sudo', then maybe using 'sudo su -' will give you the
> same PATH as used by cron.

After a bit more testing, it's definitely cron-related, though no less
strange.

I'm using 2 wrapper scripts, one to run the check, and another to update
the file properties database. Both are using the full path to the rkhunter
binary.

If I run the update script from the command line, running the check from
the command-line (whether through the wrapper script or directly) works as
expected. Running the check through cron generates the "file does not
exist on the system" error.

If I run the update script through cron, running the check through cron
works as expected, but running it from the command-line (wrapper script or
not) gives the aforementioned error.

Interestingly enough, running the scripts through "at now" displayed the
same behaviour as the command-line, and not the cron jobs. Ah, well, there
goes my idea of doing the propupd through at.

--
Daniel