Bug#472114: rkhunter: Is there a way to speed up the properties update?
package rkhunter
tags 472114 + pending
thanks
Hi Francois,
Le dimanche 23 mars 2008 à 21:18 +1300, Francois Marier a écrit :
> Hi Julien,
>
> I was using PKGMGR=DPKG and switching to NONE makes it much faster. So I
> think that my original bug report isn't so relevant anymore.
>
> However, I would suggest you do the following before closing it:
>
> - add a note in the config file next to the PKGMGR field to say that hash
> computation takes about 4 times longer when it's set to DPKG
I have added a short comment in the default configuration file.
> On 2008-03-23 at 07:45:46, Julien Valroff wrote:
> > I first thought it was a good idea, but the answer of the upstream
> > developer to the bug report lets me think it isn't a good idea to use
> > the attributes test without the hashes test.
> >
> > Would you please check his comment at
> > https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1922881&group_id=155034
>
> I have replied to the upstream bug to clear up what my original suggestion
> was. Although, now I don't think it's necessary anymore.
>
> With respect to doing a propupd with --hash NONE if "hashes" is detected in
> DISABLE_TESTS, I think that's still a good idea. I mean, ideally you would
> want to run both tests, but rkhunter does provide a facility to disable one
> of them. So if, for whatever reason, an admin decides to disable hashes,
> then the post-invoke script should honour that decision and skip the hash
> computation.
After checking, this is already done in rkhunter itself:
if ! `check_test attributes`; then
SCMD=""
elif [ -z "${STAT_CMD}" ]; then
SCMD=""
else
if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid
--gid --size --Mtime"
elif [ $BSDOS -eq 1 ]; then
SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'"
else
SCMD="${STAT_CMD} --format='%i 0%a %u %g %s %Y:'"
fi
fi
[...]
if ! `check_test hashes`; then
HCMD=""
elif [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then
HCMD=""
else
HCMD="${HASH_FUNC}"
fi
You can check this in rkhunter.dat when disabling eg. the hashes test.
You'll get something like:
File:/bin/bash::1556524:0755:0:0:817352:1202598270:
(ie no hashes)
or the following when the attributes test is disabled:
File:/bin/bash:67743a83731749bfe09341b4bf1eb5da7e1c7428:::
> Thanks for your help resolving this problem! I really appreciate how much
> time and effort you put into supporting rkhunter users.
Thanks to you for using Debian and rkhunter ;-)
Cheers,
Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
Hi Francois, Le samedi 22 mars 2008 à 22:29 +1300, Francois Marier a écrit : > On 2008-03-22 at 09:49:53, Julien Valroff wrote: > > You can add the 'hashes' test to the DISABLE_TESTS option in > > rkhunter.conf. > > Great, it's lightning fast now and it's not completely disabled. > > So, here's a small packaging suggestion. In the > /etc/apt/apt.conf.d/90rkhunter post-invoke script, how about this: > > if hashes is disabled (but not properties) > or if properties is enabled (but not hashes) > then run: > rkhunter --propupd --hash NONE > instead of > rkhunter --propupd I first thought it was a good idea, but the answer of the upstream developer to the bug report lets me think it isn't a good idea to use the attributes test without the hashes test. Would you please check his comment at https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1922881&group_id=155034 Note that I changed yesterday the default value of PKGMGR to be dpkg instead of none, but it seems it is even slower for updating the database: Using DPKG: athyr:~/# time rkhunter --propupd [ Rootkit Hunter version 1.3.2 ] File updated: searched for 154 files, found 130 real0m21.677s user0m13.697s sys 0m7.776s Using NONE: athyr:~/# time rkhunter --propupd [ Rootkit Hunter version 1.3.2 ] File updated: searched for 154 files, found 130 real0m6.859s user0m1.572s sys 0m3.408s I will hence revert my commit and let the admin choose what is the best for him. Maybe you could try setting 'NONE' if you had previously changed to dpkg ? Cheers, Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
package rkhunter tags 472114 + upstream forwarded 472114 http://sourceforge.net/tracker/index.php?func=detail&aid=1922881&group_id=155034&atid=794190 thanks Hi François, Le samedi 22 mars 2008 à 19:35 +1300, Francois Marier a écrit : > Package: rkhunter > Version: 1.3.2-1 > Severity: wishlist > > Hi, > > I understand that this is not strictly speaking a problem with rkhunter or > the packaging > (hence the wishlist severity). However, on my laptop, doing the property > update at the > end of each apt run is very slow. When apt-get installing small packages, it > often takes > more time to update the properties than download and install the package. > > Is there a way that we could speed this up? Either by priming the cache in a > clever way > with readahead, or by being smarter about which files to re-hash. > > Maybe it would make sense to create a "quick" property update where rkhunter > would look > at each file and if the timestamp hasn't changed just assume that the hash is > still the > same. I must say I have the same issue, and tend to disable the hashes/attributes tests on machines running Debian sid. I have forwarded your request to the upstream feature request list. Cheers, Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
Package: rkhunter Version: 1.3.2-1 Severity: wishlist Hi, I understand that this is not strictly speaking a problem with rkhunter or the packaging (hence the wishlist severity). However, on my laptop, doing the property update at the end of each apt run is very slow. When apt-get installing small packages, it often takes more time to update the properties than download and install the package. Is there a way that we could speed this up? Either by priming the cache in a clever way with readahead, or by being smarter about which files to re-hash. Maybe it would make sense to create a "quick" property update where rkhunter would look at each file and if the timestamp hasn't changed just assume that the hash is still the same. Francois -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.23.17-hrt3-grsec (SMP w/2 CPU cores; PREEMPT) Shell: /bin/sh linked to /bin/dash -- debconf information: * rkhunter/apt_autogen: true * rkhunter/cron_daily_run: true * rkhunter/cron_db_update: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
