Hi,
After an upgrade today, I ran rkhunter to re-check the system, and expected
to see some warnings on upgraded binaries.
After running rkhunter --propupd to update the hashes - it is not updating
the hashes on all the files, and this is visible when you look at the .dat
file.
I have the latest version of rkhunter in the CentOS repos, 1.4.0-1.el5.rf,
and I have manually checked the binaries, and they correctly come from the
correct rpm according to a rpm.
Here is a sample of the rkhunter.dat file which is stored in
/var/lib/rkhunter/db and has been updated by rkhunter at the correct times.
File:/usr/sbin/adduser::1484606:0777:0:0:7:1338383153::
File:/usr/sbin/prelink:773835a5a904f3f0649bffcff1edaff47f7b3e99:1483826:0755:0:0:1015800:1232513661::
File:/usr/sbin/pwck::1482128:0755:0:0:32288:1329932395::
File:/usr/sbin/sestatus:5ebb51d0a84b5c4234d284fd6ac2198f30ac9ad0:1485953:0755:0:0:14720:1270263970::
File:/usr/sbin/tcpd:484764bb0c51986c07775b922066ea852d457ffa:1478565:0755:0:0:120271:1289682903::
File:/usr/sbin/useradd:7921c014beac7da8284b369f0253640b2db08ed3:1478326:0750:0:0:79664:1329932395::
File:/usr/sbin/userdel::1483266:0750:0:0:55568:1329932395::
File:/usr/sbin/usermod::1484619:0750:0:0:79920:1329932395::
Some have hashes others don't.
I have also checked the ones that don't with the prelink command, and that
works correctly with no errors, i.e.
# prelink --verify --sha /usr/sbin/useradd
7921c014beac7da8284b369f0253640b2db08ed3 /usr/sbin/useradd
Though you can see above in the .dat file it has no hash.
I have read the FAQs and searched the web for a solution but have so far
pulled up a blank, so any pointers would be gratefully received.
Cheers
Nick
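
An added example, not part of the original message and not rkhunter's own code: a small shell check that lists the File: records in an rkhunter.dat whose hash field is empty, so those paths can be re-verified after --propupd. It assumes the third colon-separated field is the hash, as in the sample quoted in the message; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed record layout, inferred from the sample in the message:
#   File:<path>:<hash>:<number>:<mode>:<uid>:<gid>:<size>:<mtime>::
# Paths that themselves contain ':' are not handled by this simple split.

# Print the path of every File: record whose hash field is empty.
# Usage: missing_hashes /var/lib/rkhunter/db/rkhunter.dat   (or read stdin)
missing_hashes() {
    awk -F: '$1 == "File" && $3 == "" { print $2 }' "$@"
}

# Print a one-line count of File: records with and without a stored hash.
hash_summary() {
    awk -F: '
        $1 == "File" { if ($3 == "") without++; else with++ }
        END { printf "%d with hash, %d without\n", with, without }
    ' "$@"
}

# Sample input: the eight records quoted in the message above.
sample_dat() {
    cat <<'EOF'
File:/usr/sbin/adduser::1484606:0777:0:0:7:1338383153::
File:/usr/sbin/prelink:773835a5a904f3f0649bffcff1edaff47f7b3e99:1483826:0755:0:0:1015800:1232513661::
File:/usr/sbin/pwck::1482128:0755:0:0:32288:1329932395::
File:/usr/sbin/sestatus:5ebb51d0a84b5c4234d284fd6ac2198f30ac9ad0:1485953:0755:0:0:14720:1270263970::
File:/usr/sbin/tcpd:484764bb0c51986c07775b922066ea852d457ffa:1478565:0755:0:0:120271:1289682903::
File:/usr/sbin/useradd:7921c014beac7da8284b369f0253640b2db08ed3:1478326:0750:0:0:79664:1329932395::
File:/usr/sbin/userdel::1483266:0750:0:0:55568:1329932395::
File:/usr/sbin/usermod::1484619:0750:0:0:79920:1329932395::
EOF
}

# Run against the sample; point the functions at the real .dat file instead.
sample_dat | missing_hashes
sample_dat | hash_summary
```

A record without a stored hash cannot be compared on the next run, so the paths this prints are the ones whose integrity check is effectively not in force until the database is populated.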
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users