On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
> Dear listmembers.
>
>
> I found a wrong information in the config file of rkhunter 1.3.0.
> Thought I would post it so ppl after me will be guided right.
>
> I run FreeBSD 6.2-RELEASE and in the rkhunter.conf the information
> regarding HASH_FLD_IDX says:
>
> ...<snap>
> The default value is one, but for *BSD users
> rkhunter will automatically use a value of 4.
> <snap>...
>
> On FreeBSD 6.2, 'man cksum' says:
>
> ...<snap>
> The cksum utility writes to the standard output three whitespace
> separated fields for each input file. These fields are a checksum CRC, the
> total number of octets in the file and the file name.
> <snap>...
>
> So for FreeBSD 6.2-Release the HASH_FLD_IDX should be set to 1, *not*
> 4 as the info in config file says.
>

Hello,

Well yes, no or possibly! As far as I can tell the current OpenBSD,
FreeBSD and NetBSD man pages all say the same thing in this respect.
However, it depends on what you have set your HASH_FUNC option to. Since
by default RKH will look for 'sha1sum', and if not found then 'sha1',
under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:

    {NetBSD}: sha1 /bin/ps
    SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a

As can be seen, the hash field index must be 4 in this case. Can you run
the same command ('sha1 /bin/ps') under FreeBSD and let me know what it
shows please.

Ironically though, I see in the rkhunter.conf file, I have given as an
example the following:

    # For NetBSD : HASH_FUNC="cksum -n -a sha512"

This command will actually produce the hash value as the first field, so
HASH_FLD_IDX should be 1 in this example! I should perhaps comment that
in as well. An alternative is to remove the '-n', which will then give
the output requiring HASH_FLD_IDX to be 4 again.


John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
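
The reply above says the right HASH_FLD_IDX depends on the output format of the command set in HASH_FUNC. As an added example (not part of the original message and not rkhunter's own code), this shell helper finds the hash field in a sample output line and checks a configured index against it. The function names and the two constructed sample lines are assumptions.

```shell
#!/bin/sh
# Added example: find which whitespace-separated field of a hash command's
# output holds the hash, i.e. the value HASH_FLD_IDX needs for that HASH_FUNC.

# Print the 1-based index of the hash field in one output line, or fail.
hash_fld_idx() {
    printf '%s\n' "$1" | awk '
        {
            # A digest: a field of 32 or more hex characters (MD5 and longer).
            for (i = 1; i <= NF; i++)
                if (length($i) >= 32 && $i ~ /^[0-9A-Fa-f]+$/) { print i; found = 1; exit }
            # Plain cksum: decimal CRC, then the octet count, then the name.
            if (NF >= 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/) { print 1; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Succeed only if a configured HASH_FLD_IDX ($2) selects the hash in line $1.
idx_selects_hash() {
    [ "$(hash_fld_idx "$1")" = "$2" ]
}

# Sample lines: the sha1 line is the one quoted in the message; the other two
# are constructed to match the formats it describes (digest and CRC made up).
BSD_SHA1='SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a'
CKSUM_N="$(printf '%0128d' 0 | tr 0 a) /bin/ps"
CKSUM_CRC='1234567890 54321 /bin/ps'

for line in "$BSD_SHA1" "$CKSUM_N" "$CKSUM_CRC"; do
    printf 'HASH_FLD_IDX=%s  <- %s\n' "$(hash_fld_idx "$line")" "$line"
done
```

To check a real setup, pass the output of the configured HASH_FUNC on a known file (for example `sha1 /bin/ps`) as the first argument instead of a sample line.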