rkhunter-users

Re: [Rkhunter-users] Updating hash database (script)

[John H. <joh...@pl...>]

On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
> 
> Since disabling hash check in RKH aint good and I see people complaining 
> about this regularly I thought I'd throw in a wee helper app until there's 
> a better solution (couldn't find anything like this, if it *is* there 
> just tell me OK).
> 
Hello,

The script is a good idea, and I'll produce a diff patch for some of the
problems I've found with it.

However, I've been thinking more about the actual problem of keeping
machines up todate. As soon as the os.dat file is released again I would
need to run the script again. Would it not be better if the script
produced 2 different files, for example, os.dat.local and
defaulthashes.local, which contain just the data for the local host.
Also, if the script is run again the files would just be overwritten;
the os id number (field 1) could be set to -1 so as to avoid the need to
generate a unique id that isn't used in the os.dat file.

The main rkhunter program would also need to be modified. It would run
as normal using the os.dat/defaulthashes files, but if no records could
be found for the local host then the '.local' files would be looked at.
If they don't exist, have no data or can't be read, then rkhunter can
just ignore them. It would then produce the usual 'unsupported O/S'
error message and the sysadmin can sort out the problem.

Taking this even further though, I started to wonder why do we need an
os.dat file? The only data I am interested in are the hashes of my local
host and I should be able to produce those automatically from the
script. All the other data in the os.dat file is irrelevant for my host.

To that extent would it not be better to scrap the os.dat and
defaulthashes files altogether? The rkhunter '--update' option is still
required for the other data files though. So to use rkhunter all that is
required is to install the software (which has no os.dat/defaulthashes
files); run the script to create the os.dat/defaulthashes files for the
local host; then run rkhunter. The script then only needs to be run when
the local host changes. There is no need to register new Linux versions
or distributions, and the '--update' option is still required but only
for the other data files.



Regards,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: Joh...@pl...       Fax: +44 (0)1752 233839

Re: [Rkhunter-users] Updating hash database (script)

[John H. <joh...@pl...>]

On Wed, 2006-03-29 at 21:48 +0200, unspawn wrote:
>
> Purpose: update RKH's defaulthashes.dat database when --update doesn't 
> provide updates. Can be used to add new Linux distributions/releases to 
> the os.dat database. If you do, please use "-m", review and post the info 
> to this list and the maintainer.
> URI: http://www.rootshell.be/~unspawn/hashupd-1.2.sh.gz
> License: GPL
> 
> Needs testing, any constructive feedback and "diff -u" welcome.
> 
Hello,

Attached is a 'diff -u' patch, against the hashupd-1.3.sh file. I have
tested this on FC5 and it works fine. I'll see about trying it on FC4
and FC3 later on.

The patch includes changes which you may well have already done by now,
so you may need to go through it bit by bit to make sure. The patch
fixes some minor bugs, caters for prelinked files, and corrects the
os.dat file output to include the system model.


John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: Joh...@pl...       Fax: +44 (0)1752 233839