For me, on FC5, ever since I got prelink running I've been getting the bad hashes. I went through the procedure outlined in many recent posts. setenforce 0 > run prelink > run hashupd > got good hashes. setenforce 1, and the hashes are bad again. I followed through with the setenforce 0 > rm prelink.cache > run prelink > run hashupd > good hashes > setenforce 1 bad hashes. Is this indicative of the prelink and selinux problem you mention or am I supposed to get good hashes with selinux enabled after following that procedure?
In other words, as long as I'm getting bad hashes with rkhunter cron.daily run (selinux enabled), should I be running rkhunter manually with setenforce 0 to verify the hashes? -or- Does this indicate a problem with my machine? I am not extremely concerned as I just DLd FC6 and I can always do a format/fresh install if needed to be safe, I would just like clarification on the bad hashes. I have seen everything asked except this? ;)

I have verified the binaries with rpm, but some of the configs couldn't be verified, and as I understand it, this is an expected result since configs get changed(?). Unfortunately, I did not have another box to run the verification from. I had to run it from the "suspect" OS/box :(

Message: 3
Date: Tue, 24 Oct 2006 00:07:26 +0100
From: John Horne <[EMAIL PROTECTED]>
Subject: Re: [Rkhunter-users] centos 4.4
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain

On Mon, 2006-10-23 at 16:31 -0500, Benny Butler wrote:
> > I have a machine that's running centos 4.4 x86_64, after installing it
> > ALL of the files in /bin /usr/bin and /sbin show up as bad.
> >
> > I freaked, went and downloaded a new RPM for coreutils. updated it,
> > and thankfully, they still showed as bad. I trust the source of the
> > RPM, so I'm pretty confident I haven't been hacked.
> >
> > Could it be choking on the 64bit issue?
> >

No, there is currently a combined prelink and selinux problem. Try the following (it applies to centos as well as redhat/fedora):

http://www.mail-archive.com/[email protected]/msg00116.html

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
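
The rpm verification mentioned in the first message, as an added example that is not part of the original thread: a small triage of `rpm -Va` output that lists changed config files apart from non-config files whose content digest differs. The sample lines are constructed and the function name `triage_rpm_verify` is hypothetical.

```shell
#!/bin/sh
# Added example: classify `rpm -Va` output so changed config files are
# listed apart from non-config files with a digest mismatch.
# Real use (assumed invocation): rpm -Va | triage_rpm_verify

# Constructed sample lines in rpm -V format; not taken from the thread.
SAMPLE_RPM_V='S.5....T. c /etc/ssh/sshd_config
.......T. c /etc/ntp.conf
S.5....T.   /bin/ls
.M.......   /usr/bin/passwd
missing     /sbin/ifconfig
..5....T. d /usr/share/doc/coreutils/README'

# triage_rpm_verify (hypothetical helper): reads rpm -V lines on stdin and
# prints "<class> <path>" for each, where class is one of:
#   missing   packaged file no longer on disk
#   config    file marked "c"; edits are common, content still worth a look
#   other     file marked d/g/l/r (doc, ghost, license, readme)
#   digest    non-config file whose content digest differs ("5" flag)
#   metadata  only attributes such as mode, owner or mtime differ
triage_rpm_verify() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        # An optional one-letter file-type marker precedes the path.
        case $rest in
            [cdglr]\ *) ftype=${rest%% *}; path=${rest#* } ;;
            *)          ftype=;            path=$rest ;;
        esac
        if [ "$flags" = missing ]; then class=missing
        elif [ "$ftype" = c ]; then class=config
        elif [ -n "$ftype" ]; then class=other
        else
            case $flags in
                *5*) class=digest ;;
                *)   class=metadata ;;
            esac
        fi
        printf '%s %s\n' "$class" "$path"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

Lines in the `digest` and `missing` classes are the ones to compare against a package from trusted media, ideally from a system other than the one under suspicion.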
