Thread: Re: [Rkhunter-users] Updating hash database (script)
From: John H. <joh...@pl...> - 2006-04-15 19:20:43
On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
>
> Since disabling hash check in RKH ain't good and I see people complaining
> about this regularly I thought I'd throw in a wee helper app until there's
> a better solution (couldn't find anything like this, if it *is* there
> just tell me OK).
>

Hello,

The script is a good idea, and I'll produce a diff patch for some of the problems I've found with it. However, I've been thinking more about the actual problem of keeping machines up to date. As soon as the os.dat file is released again I would need to run the script again. Would it not be better if the script produced 2 different files, for example, os.dat.local and defaulthashes.local, which contain just the data for the local host. Also, if the script is run again the files would just be overwritten; the os id number (field 1) could be set to -1 so as to avoid the need to generate a unique id that isn't used in the os.dat file.

The main rkhunter program would also need to be modified. It would run as normal using the os.dat/defaulthashes files, but if no records could be found for the local host then the '.local' files would be looked at. If they don't exist, have no data or can't be read, then rkhunter can just ignore them. It would then produce the usual 'unsupported O/S' error message and the sysadmin can sort out the problem.

Taking this even further though, I started to wonder why do we need an os.dat file? The only data I am interested in are the hashes of my local host and I should be able to produce those automatically from the script. All the other data in the os.dat file is irrelevant for my host. To that extent would it not be better to scrap the os.dat and defaulthashes files altogether? The rkhunter '--update' option is still required for the other data files though.

So to use rkhunter all that is required is to install the software (which has no os.dat/defaulthashes files); run the script to create the os.dat/defaulthashes files for the local host; then run rkhunter. The script then only needs to be run when the local host changes. There is no need to register new Linux versions or distributions, and the '--update' option is still required but only for the other data files.

Regards,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: Joh...@pl...
Fax: +44 (0)1752 233839
From: John H. <joh...@pl...> - 2006-04-19 14:21:33
Attachments:
hashupd-1.3.sh-patch
On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
>
> Purpose: update RKH's defaulthashes.dat database when --update doesn't
> provide updates. Can be used to add new Linux distributions/releases to
> the os.dat database. If you do, please use "-m", review and post the info
> to this list and the maintainer.
> URI: http://www.rootshell.be/~unspawn/hashupd-1.2.sh.gz
> License: GPL
>
> Needs testing, any constructive feedback and "diff -u" welcome.
>

Hello,

Attached is a 'diff -u' patch, against the hashupd-1.3.sh file. I have tested this on FC5 and it works fine. I'll see about trying it on FC4 and FC3 later on. The patch includes changes which you may well have already done by now, so you may need to go through it bit by bit to make sure.

The patch fixes some minor bugs, caters for prelinked files, and corrects the os.dat file output to include the system model.

John.
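As an added illustration of the two ideas raised in this thread (a per-host '.local' hash file with os id -1 that the checker consults only when the shared database has no record, and hashing prelinked binaries via their original image), here is a small POSIX sh sketch. It is not unspawn's hashupd script, not the attached patch, and not rkhunter's own code; the "id:path:sha1" record layout is a hypothetical stand-in for the real defaulthashes.dat format.

```sh
#!/bin/sh
# Hypothetical per-host hash baseline with shared-db-first lookup.
# Record layout (assumed, not rkhunter's): "<os id>:<path>:<sha1>".
# Usage: . ./localhashes.sh; build_local_db defaulthashes.local /bin/ls /bin/ps

# Hash one file. A prelinked binary has been rewritten on disk, so its
# hash no longer matches the package's; 'prelink -y' emits the original
# image. Fall back to the raw file when prelink is absent or the file
# is not prelinked (prelink -y fails on such files).
hash_file() {
    f=$1
    if command -v prelink >/dev/null 2>&1 && prelink -y "$f" >/dev/null 2>&1; then
        prelink -y "$f" | sha1sum | cut -d' ' -f1
    else
        sha1sum < "$f" | cut -d' ' -f1
    fi
}

# Write the local baseline, one record per file, overwriting any old one.
# os id -1 marks locally generated records so no unique id must be reserved.
build_local_db() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        printf '%s:%s:%s\n' -1 "$f" "$(hash_file "$f")" >> "$db"
    done
}

# Print the stored hash for a path, or nothing. An unreadable or missing
# database is silently ignored, as John suggests for the .local files.
lookup_hash() {
    db=$1; f=$2
    [ -r "$db" ] || return 0
    awk -F: -v p="$f" '$2 == p { print $3; exit }' "$db"
}

# Verify one file: shared database first, then the .local fallback.
# Prints "ok", "changed", or "unknown" (no record in either file).
check_file() {
    shared=$1; local_db=$2; f=$3
    expected=$(lookup_hash "$shared" "$f")
    [ -n "$expected" ] || expected=$(lookup_hash "$local_db" "$f")
    if [ -z "$expected" ]; then echo unknown; return 0; fi
    [ "$(hash_file "$f")" = "$expected" ] && echo ok || echo changed
}
```

Paths containing ':' would break the colon-separated layout; a real format would need a different separator or escaping.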