Re: [Rkhunter-users] Rkhunter-users Digest, Vol 65, Issue 2
From: crash3m <cr...@gm...> - 2012-01-18 03:41:49
unsubscribe

On Jan 5, 2012 2:29 AM, <rkh...@li...> wrote:

> Send Rkhunter-users mailing list submissions to
>         rkh...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> or, via email, send a message with subject or body 'help' to
>         rkh...@li...
>
> You can reach the person managing the list at
>         rkh...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Rkhunter-users digest..."
>
>
> Today's Topics:
>
>    1. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
>    2. Re: FAQ? Resetting rkhunter Database after OS Updates (Tanstaafl)
>    3. Re: FAQ? Resetting rkhunter Database after OS Updates (Tim Evans)
>    4. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
>    5. Re: FAQ? Resetting rkhunter Database after OS Updates (Wayne Brown)
>    6. Re: FAQ? Resetting rkhunter Database after OS Updates (John Horne)
>    7. Re: can not exclude /dev/files (Marius Stan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 03 Jan 2012 19:55:54 +0000
> From: John Horne <joh...@pl...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: rkh...@li...
> Message-ID: <1325620565.11588.4.camel@jhorne>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > On 01/03/2012 01:35 PM, John Horne wrote:
> > > On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > >> Don't see this in the FAQ, or in the last year or so's worth of archived
> > >> messages, so...
> > >>
> > >> After running yum update on a RedHat 5.x system (or any other analogous
> > >> update tool), how do you re-set the rkhunter database to accept the
> > >> changed files? Something like tripwire's --update and --report-file
> > >> options.
> > >>
> > > Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > > indicates when the '--propupd' option should be used:
> > >
> > >     One of the checks rkhunter performs is to compare various current
> > >     file properties of various commands, against those it has previously
> > >     stored. This command option causes rkhunter to update its data file
> > >     of stored values with the current values.
> >
> > Thanks for your response. Been there, done that, repeatedly. (This is
> > version 1.3.8, BTW.)
> >
> > The only thing I can find that truly cleans everything up is renaming
> > the db directory and re-installing, then running --propupd, then running
> > a normal scan. Surely, that's not the right way.
> >
> Certainly not! What is the actual problem that you are seeing?
>
> Whenever automatic updates occur to your system, then just running
> 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> file is being used, then nothing should be required (the file checks are
> then done against the systems own databases, not against the RKH one).
>
>
>
> John.
>
> --
> John Horne, Plymouth University, UK
> Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 03 Jan 2012 13:04:58 -0500
> From: Tanstaafl <tan...@li...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: rkh...@li...
> Message-ID: <4F0...@li...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 2012-01-03 11:54 AM, Tim Evans <tk...@tk...> wrote:
> > Don't see this in the FAQ, or in the last year or so's worth of archived
> > messages, so...
> >
> > After running yum update on a RedHat 5.x system (or any other analogous
> > update tool), how do you re-set the rkhunter database to accept the
> > changed files? Something like tripwire's --update and --report-file
> > options.
> >
> > Thanks.
>
> rkhunter --propupd
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 03 Jan 2012 16:54:45 -0500
> From: Tim Evans <tk...@tk...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: John Horne <joh...@pl...>
> Cc: rkh...@li...
> Message-ID: <4F0...@tk...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 01/03/2012 02:55 PM, John Horne wrote:
> > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> >> On 01/03/2012 01:35 PM, John Horne wrote:
> >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> >>>> messages, so...
> >>>>
> >>>> After running yum update on a RedHat 5.x system (or any other analogous
> >>>> update tool), how do you re-set the rkhunter database to accept the
> >>>> changed files? Something like tripwire's --update and --report-file
> >>>> options.
> >>>>
> >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> >>> indicates when the '--propupd' option should be used:
> >>>
> >>>     One of the checks rkhunter performs is to compare various current
> >>>     file properties of various commands, against those it has previously
> >>>     stored. This command option causes rkhunter to update its data file
> >>>     of stored values with the current values.
> >>
> >> Thanks for your response. Been there, done that, repeatedly. (This is
> >> version 1.3.8, BTW.)
> >>
> >> The only thing I can find that truly cleans everything up is renaming
> >> the db directory and re-installing, then running --propupd, then running
> >> a normal scan. Surely, that's not the right way.
> >>
> > Certainly not! What is the actual problem that you are seeing?
>
> Thanks, again. What I'm seeing is reports of inconsistencies on the
> day(s) after applying updates with yum--which is what I would expect to
> see. --propupd does not make them go away, however.
>
> > Whenever automatic updates occur to your system, then just running
> > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > file is being used, then nothing should be required (the file checks are
> > then done against the systems own databases, not against the RKH one).
>
> Turning on PKGMGR makes it even worse (that is, more files are flagged
> in the daily cronjob report than without it).
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 03 Jan 2012 22:37:52 +0000
> From: John Horne <joh...@pl...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: rkh...@li...
> Message-ID: <1325630273.11588.15.camel@jhorne>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 16:54 -0500, Tim Evans wrote:
> > On 01/03/2012 02:55 PM, John Horne wrote:
> > > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > >> On 01/03/2012 01:35 PM, John Horne wrote:
> > >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> > >>>> messages, so...
> > >>>>
> > >>>> After running yum update on a RedHat 5.x system (or any other analogous
> > >>>> update tool), how do you re-set the rkhunter database to accept the
> > >>>> changed files? Something like tripwire's --update and --report-file
> > >>>> options.
> > >>>>
> > >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > >>> indicates when the '--propupd' option should be used:
> > >>>
> > >>>     One of the checks rkhunter performs is to compare various current
> > >>>     file properties of various commands, against those it has previously
> > >>>     stored. This command option causes rkhunter to update its data file
> > >>>     of stored values with the current values.
> > >>
> > >> Thanks for your response. Been there, done that, repeatedly. (This is
> > >> version 1.3.8, BTW.)
> > >>
> > >> The only thing I can find that truly cleans everything up is renaming
> > >> the db directory and re-installing, then running --propupd, then running
> > >> a normal scan. Surely, that's not the right way.
> > >>
> > > Certainly not! What is the actual problem that you are seeing?
> >
> > Thanks, again. What I'm seeing is reports of inconsistencies on the
> > day(s) after applying updates with yum--which is what I would expect to
> > see. --propupd does not make them go away, however.
> >
> > > Whenever automatic updates occur to your system, then just running
> > > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > > file is being used, then nothing should be required (the file checks are
> > > then done against the systems own databases, not against the RKH one).
> >
> > Turning on PKGMGR makes it even worse (that is, more files are flagged
> > in the daily cronjob report than without it).
> >
> Okay, I'm a bit lost as to why that happens.
>
> Can you let me know what O/S you are using. Also if you have any
> rkhunter log files (usually in /var/log) which show the problem, could
> you email them to me (not the list) please.
>
>
>
> John.
>
> --
> John Horne, Plymouth University, UK
> Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 3 Jan 2012 21:18:20 -0800 (PST)
> From: Wayne Brown <fw...@be...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: rkh...@li...
> Message-ID: <132...@we...>
> Content-Type: text/plain; charset=iso-8859-1
>
> On Tue, January 3, 2012 at 4:37:52 PM John Horne wrote:
> > On Tue, 2012-01-03 at 16:54 -0500, Tim Evans wrote:
> > > On 01/03/2012 02:55 PM, John Horne wrote:
> > > > On Tue, 2012-01-03 at 13:39 -0500, Tim Evans wrote:
> > > >> On 01/03/2012 01:35 PM, John Horne wrote:
> > > >>> On Tue, 2012-01-03 at 11:54 -0500, Tim Evans wrote:
> > > >>>> Don't see this in the FAQ, or in the last year or so's worth of archived
> > > >>>> messages, so...
> > > >>>>
> > > >>>> After running yum update on a RedHat 5.x system (or any other analogous
> > > >>>> update tool), how do you re-set the rkhunter database to accept the
> > > >>>> changed files? Something like tripwire's --update and --report-file
> > > >>>> options.
> > > >>>>
> > > >>> Run 'rkhunter --propupd'. It's not mentioned as a FAQ, but the man page
> > > >>> indicates when the '--propupd' option should be used:
> > > >>>
> > > >>>     One of the checks rkhunter performs is to compare various current
> > > >>>     file properties of various commands, against those it has previously
> > > >>>     stored. This command option causes rkhunter to update its data file
> > > >>>     of stored values with the current values.
> > > >>
> > > >> Thanks for your response. Been there, done that, repeatedly. (This is
> > > >> version 1.3.8, BTW.)
> > > >>
> > > >> The only thing I can find that truly cleans everything up is renaming
> > > >> the db directory and re-installing, then running --propupd, then running
> > > >> a normal scan. Surely, that's not the right way.
> > > >>
> > > > Certainly not! What is the actual problem that you are seeing?
> > >
> > > Thanks, again. What I'm seeing is reports of inconsistencies on the
> > > day(s) after applying updates with yum--which is what I would expect to
> > > see. --propupd does not make them go away, however.
> > >
> > > > Whenever automatic updates occur to your system, then just running
> > > > 'rkhunter --propupd' should suffice. If the PKGMGR option in the config
> > > > file is being used, then nothing should be required (the file checks are
> > > > then done against the systems own databases, not against the RKH one).
> > >
> > > Turning on PKGMGR makes it even worse (that is, more files are flagged
> > > in the daily cronjob report than without it).
> > >
> > Okay, I'm a bit lost as to why that happens.
> >
> > Can you let me know what O/S you are using. Also if you have any
> > rkhunter log files (usually in /var/log) which show the problem, could
> > you email them to me (not the list) please.
>
> I'm guessing that Tim is specifying PKGMGR when running --propupd but not when
> running the check, which will generate many more errors than running without
> PKGMGR at all. I made the same mistake when I first began using rkhunter.
>
> --
> F. Wayne Brown <fw...@be...>
>
> Þæs ofereode, þisses swa mæg. ("That passed away, this also can.")
> from "Deor," in the Exeter Book (folios 100r-100v)
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 04 Jan 2012 10:56:54 +0000
> From: John Horne <joh...@pl...>
> Subject: Re: [Rkhunter-users] FAQ? Resetting rkhunter Database after OS Updates
> To: rkh...@li...
> Message-ID: <132...@jh...>
> Content-Type: text/plain; charset="ISO-8859-15"
>
> On Tue, 2012-01-03 at 21:18 -0800, Wayne Brown wrote:
> >
> > I'm guessing that Tim is specifying PKGMGR when running --propupd but not when
> > running the check, which will generate many more errors than running without
> > PKGMGR at all. I made the same mistake when I first began using rkhunter.
> >
> Yes, that would cause many warnings. You need to decide whether you are
> going to use the package manager or not, and then use the command-line
> options and the configuration file options accordingly. Mixing the two
> will lead to warnings :-)
>
> Generally I tend to just decide on what 'policy' I want, and then set
> the config file options. I don't use the command-line options that much.
> That way rkhunter should be consistent whether I run it via cron or from
> the command-line.
>
>
>
> John.
>
> --
> John Horne                   Tel: +44 (0)1752 587287
> Plymouth University, UK      Fax: +44 (0)1752 587001
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 05 Jan 2012 10:29:17 +0200
> From: Marius Stan <ms...@as...>
> Subject: Re: [Rkhunter-users] can not exclude /dev/files
> To: rkh...@li...
> Message-ID: <4F0...@as...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> For some reason, Helmut's message didn't arrive in my inbox, so I'm
> forced to reply myself:
>
> I have the following in rkhunter.conf:
> ALLOWDEVFILE="/dev/shm/php_session*"
> ALLOWDEVFILE="/dev/shm/php_session/*"
> ALLOWDEVFILE="/dev/shm/php_session/*/*"
> ALLOWDEVFILE="/dev/shm/php_session/*/*/*"
>
> And yet, I still get these daily warnings:
>
> Warning: Suspicious file types found in /dev:
>          /dev/shm/php_session/f/f/sess_ff74cfba3aac7e2cc9bac2c5fb0bd5f0: ASCII text, with no line terminators
>          /dev/shm/php_session/f/f/sess_ffcbd2f4ba4c1df2987e0b5a6708160c: ASCII text, with no line terminators
>          /dev/shm/php_session/f/1/sess_f198c5d1a97be02559cbdebc96695ac0: ASCII text, with no line terminators
>          /dev/shm/php_session/f/1/sess_f13ce52a2c77e5d2603a4ec701034b96: ASCII text, with no line terminators
>
>
> And the list is very long...
>
>
> ------------------------------
>
> _______________________________________________
> Rkhunter-users mailing list
> Rkh...@li...
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
>
> End of Rkhunter-users Digest, Vol 65, Issue 2
> *********************************************
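The thread above turns on three points: after an update, a baseline built without a package manager needs 'rkhunter --propupd' before the file-properties check is quiet again; with the PKGMGR option the check defers to the system's own package database, so nothing needs re-baselining; and building the baseline under one policy while checking under the other warns on every file. The script below is an added example, not rkhunter's own code, that models those three cases with a toy baseline. The database format, the "pkgdb" file standing in for the RPM database, and the toy_* function names are all invented for the example; the only real rkhunter behaviour it leans on is what the messages above state.

```shell
#!/bin/sh
# Added example, NOT rkhunter's own code: a toy model of the file-properties
# check. It shows why a baseline built without a package manager needs
# --propupd after an update, why a package-manager policy does not, and why
# building the baseline under one policy and checking under the other warns
# on every file (the "mixing the two" case from the thread).
# The DB format, the PKGDB file and the function names are all invented.

toy_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# toy_propupd POLICY DB FILE...
#   POLICY=none   : store the file's hash in DB (rkhunter's own store)
#   POLICY=pkgmgr : store only a marker; the check will defer to PKGDB
toy_propupd() {
    policy=$1; db=$2; shift 2
    : > "$db"
    for f in "$@"; do
        if [ "$policy" = pkgmgr ]; then
            printf '%s\tPKGMGR\n' "$f" >> "$db"
        else
            printf '%s\t%s\n' "$f" "$(toy_hash "$f")" >> "$db"
        fi
    done
}

# toy_check POLICY DB PKGDB FILE...
#   Prints one warning per problem on stderr and the warning count on stdout.
#   PKGDB stands in for the system package database (what 'rpm -V' consults).
toy_check() {
    policy=$1; db=$2; pkgdb=$3; shift 3
    n=0
    for f in "$@"; do
        stored=$(awk -F'\t' -v f="$f" '$1 == f { print $2 }' "$db")
        cur=$(toy_hash "$f")
        if [ "$policy" = pkgmgr ]; then
            if [ "$stored" != PKGMGR ]; then
                echo "Warning: $f: baseline was not built with PKGMGR set" >&2
                n=$((n + 1)); continue
            fi
            pkg=$(awk -F'\t' -v f="$f" '$1 == f { print $2 }' "$pkgdb")
            if [ "$cur" != "$pkg" ]; then
                echo "Warning: $f: hash differs from package database" >&2
                n=$((n + 1))
            fi
        else
            if [ -z "$stored" ] || [ "$stored" = PKGMGR ]; then
                echo "Warning: $f: no stored hash (baseline built with PKGMGR?)" >&2
                n=$((n + 1)); continue
            fi
            if [ "$cur" != "$stored" ]; then
                echo "Warning: $f: hash changed since baseline; run propupd" >&2
                n=$((n + 1))
            fi
        fi
    done
    echo "$n"
}

# toy_demo: walks through the thread's scenarios on a constructed file and
# prints the warning counts as "stale=.. propupd=.. pkgmgr=.. mixed=..".
toy_demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/bin_ls"                     # constructed stand-in for /bin/ls
    printf 'ls v1\n' > "$f"
    printf '%s\t%s\n' "$f" "$(toy_hash "$f")" > "$tmp/pkgdb"

    # 1. Baseline without PKGMGR, then a simulated 'yum update' that
    #    replaces the binary and updates the package database.
    toy_propupd none "$tmp/rkhunter.dat" "$f"
    printf 'ls v2\n' > "$f"
    printf '%s\t%s\n' "$f" "$(toy_hash "$f")" > "$tmp/pkgdb"
    stale=$(toy_check none "$tmp/rkhunter.dat" "$tmp/pkgdb" "$f")

    # 2. 'rkhunter --propupd' after the update clears the warning.
    toy_propupd none "$tmp/rkhunter.dat" "$f"
    after=$(toy_check none "$tmp/rkhunter.dat" "$tmp/pkgdb" "$f")

    # 3. PKGMGR policy for both steps: the updated package database
    #    already knows the new file, so nothing is flagged.
    toy_propupd pkgmgr "$tmp/rkhunter.dat" "$f"
    printf 'ls v3\n' > "$f"
    printf '%s\t%s\n' "$f" "$(toy_hash "$f")" > "$tmp/pkgdb"
    pkg=$(toy_check pkgmgr "$tmp/rkhunter.dat" "$tmp/pkgdb" "$f")

    # 4. Mixed: baseline built with PKGMGR, check run without it.
    mixed=$(toy_check none "$tmp/rkhunter.dat" "$tmp/pkgdb" "$f")

    rm -rf "$tmp"
    echo "stale=$stale propupd=$after pkgmgr=$pkg mixed=$mixed"
}
```

Running `toy_demo` prints the warnings for cases 1 and 4 on stderr and a summary line on stdout. The practical reading for real rkhunter is the one John gives: pick one policy, put it in rkhunter.conf (the PKGMGR setting, or none), and let both the cron run and any manual `rkhunter --propupd` or check read that same file, so the baseline and the check never disagree about who is supposed to know a file's hash.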