On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
> Dear listmembers.
> 
> 
> I found some wrong information in the config file of rkhunter 1.3.0.
> Thought I would post it so ppl after me will be guided right.
> 
> I run FreeBSD 6.2-RELEASE and in the rkhunter.conf the information
> regarding HASH_FLD_IDX says:
> 
> ...<snap>
> The default value is one, but for *BSD users
> rkhunter will automatically use a value of 4.
> <snap>...
> 
> On FreeBSD 6.2, 'man cksum' says: 
> 
> ...<snap>
> The cksum utility writes to the standard output three whitespace
> separated fields for each input file. These fields are a checksum CRC, the
> total number of octets in the file and the file name.
> <snap>...
> 
> So for FreeBSD 6.2-Release the HASH_FLD_IDX should be set to 1, *not*
> 4 as the info in config file says.
> 
Hello,

Well yes, no or possibly! As far as I can tell the current OpenBSD,
FreeBSD and NetBSD man pages all say the same thing in this respect.
However, it depends on what you have set your HASH_FUNC option to. Since
by default RKH will look for 'sha1sum', and if not found then 'sha1',
under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:

   {NetBSD}: sha1 /bin/ps
   SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a

As can be seen, the hash field index must be 4 in this case.

Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me
know what it shows please.

Ironically though, I see in the rkhunter.conf file, I have given as an
example the following:

   #   For NetBSD    : HASH_FUNC="cksum -n -a sha512"

This command will actually produce the hash value as the first field, so
HASH_FLD_IDX should be 1 in this example! I should perhaps comment that
in as well. The alternative is to remove the '-n', which will then give
the output requiring HASH_FLD_IDX to be 4 again.




John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
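
The field-index question discussed in this thread, as an added example that is not part of the original messages and is not rkhunter's own code: it finds which whitespace-separated field of a hash command's output line holds the digest, which is the value HASH_FLD_IDX has to match. The function names are hypothetical, and every sample line except the NetBSD output quoted above is constructed.

```shell
#!/bin/sh
# Added example (not rkhunter code): locate the digest field in one line of
# hash-command output. Assumes fields are split on whitespace and that the
# file name itself contains no spaces.

# Print field $2 (1-based) of line $1.
hash_field() {
    printf '%s\n' "$1" | awk -v idx="$2" '{ print $idx }'
}

# Succeed if $1 looks like a hex digest (32 to 128 hex chars, MD5 to SHA-512).
is_hex_digest() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{32,128}$'
}

# Print the index of the first field of line $1 that is a hex digest.
# Return non-zero if no field qualifies.
find_hash_idx() {
    n=$(printf '%s\n' "$1" | awk '{ print NF }')
    i=1
    while [ "$i" -le "$n" ]; do
        if is_hex_digest "$(hash_field "$1" "$i")"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# BSD_LINE is the NetBSD 'sha1 /bin/ps' output quoted in the thread.
BSD_LINE='SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a'
# Constructed: a layout with the digest as the first field.
SUM_LINE='9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a  /bin/ps'
# Constructed: plain cksum layout (CRC, octet count, file name), no digest.
CRC_LINE='1234567890 45678 /bin/ps'

for line in "$BSD_LINE" "$SUM_LINE" "$CRC_LINE"; do
    idx=$(find_hash_idx "$line") || idx='none (no digest field)'
    printf '%-62s -> HASH_FLD_IDX %s\n' "$line" "$idx"
done
```

Feeding it one real output line from the configured HASH_FUNC command shows whether the configured index points at the digest or at a label such as "SHA1".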
