Bug#472114: rkhunter: Is there a way to speed up the properties update?
package rkhunter tags 472114 + pending thanks Hi Francois, Le dimanche 23 mars 2008 à 21:18 +1300, Francois Marier a écrit : > Hi Julien, > > I was using PKGMGR=DPKG and switching to NONE makes it much faster. So I > think that my original bug report isn't so relevant anymore. > > However, I would suggest you do the following before closing it: > > - add a note in the config file next to the PKGMGR field to say that hash > computation takes about 4 times longer when it's set to DPKG I have added a short comment in the default configuration file. > On 2008-03-23 at 07:45:46, Julien Valroff wrote: > > I first thought it was a good idea, but the answer of the upstream > > developer to the bug report lets me think it isn't a good idea to use > > the attributes test without the hashes test. > > > > Would you please check his comment at > > https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1922881&group_id=155034 > > I have replied to the upstream bug to clear up what my original suggestion > was. Although, now I don't think it's necessary anymore. > > With respect to doing a propupd with --hash NONE if "hashes" is detected in > DISABLE_TESTS, I think that's still a good idea. I mean, ideally you would > want to run both tests, but rkhunter does provide a facility to disable one > of them. So if, for whatever reason, an admin decides to disable hashes, > then the post-invoke script should honour that decision and skip the hash > computation. After checking, this is already done in rkhunter itself: if ! `check_test attributes`; then SCMD="" elif [ -z "${STAT_CMD}" ]; then SCMD="" else if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then SCMD="${STAT_CMD} --modeoct --raw --ino --mode --uid --gid --size --Mtime" elif [ $BSDOS -eq 1 ]; then SCMD="${STAT_CMD} -f '%i %Mp%Lp %u %g %z %m:'" else SCMD="${STAT_CMD} --format='%i 0%a %u %g %s %Y:'" fi fi [...] if ! `check_test hashes`; then HCMD="" elif [ -z "${PKGMGR}" -a "${HASH_FUNC}" = "NONE" ]; then HCMD="" else HCMD="${HASH_FUNC}" fi You can check this in rkhunter.dat when disabling eg. the hashes test. You'll get something like: File:/bin/bash::1556524:0755:0:0:817352:1202598270: (ie no hashes) or the following when the attributes test is disabled: File:/bin/bash:67743a83731749bfe09341b4bf1eb5da7e1c7428::: > Thanks for your help resolving this problem! I really appreciate how much > time and effort you put into supporting rkhunter users. Thanks to you for using Debian and rkhunter ;-) Cheers, Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
Hi Francois, Le samedi 22 mars 2008 à 22:29 +1300, Francois Marier a écrit : > On 2008-03-22 at 09:49:53, Julien Valroff wrote: > > You can add the 'hashes' test to the DISABLE_TESTS option in > > rkhunter.conf. > > Great, it's lightning fast now and it's not completely disabled. > > So, here's a small packaging suggestion. In the > /etc/apt/apt.conf.d/90rkhunter post-invoke script, how about this: > > if hashes is disabled (but not properties) > or if properties is enabled (but not hashes) > then run: > rkhunter --propupd --hash NONE > instead of > rkhunter --propupd I first thought it was a good idea, but the answer of the upstream developer to the bug report lets me think it isn't a good idea to use the attributes test without the hashes test. Would you please check his comment at https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1922881&group_id=155034 Note that I changed yesterday the default value of PKGMGR to be dpkg instead of none, but it seems it is even slower for updating the database: Using DPKG: athyr:~/# time rkhunter --propupd [ Rootkit Hunter version 1.3.2 ] File updated: searched for 154 files, found 130 real0m21.677s user0m13.697s sys 0m7.776s Using NONE: athyr:~/# time rkhunter --propupd [ Rootkit Hunter version 1.3.2 ] File updated: searched for 154 files, found 130 real0m6.859s user0m1.572s sys 0m3.408s I will hence revert my commit and let the admin choose what is the best for him. Maybe you could try setting 'NONE' if you had previously changed to dpkg ? Cheers, Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
package rkhunter tags 472114 + upstream forwarded 472114 http://sourceforge.net/tracker/index.php?func=detail&aid=1922881&group_id=155034&atid=794190 thanks Hi François, Le samedi 22 mars 2008 à 19:35 +1300, Francois Marier a écrit : > Package: rkhunter > Version: 1.3.2-1 > Severity: wishlist > > Hi, > > I understand that this is not strictly speaking a problem with rkhunter or > the packaging > (hence the wishlist severity). However, on my laptop, doing the property > update at the > end of each apt run is very slow. When apt-get installing small packages, it > often takes > more time to update the properties than download and install the package. > > Is there a way that we could speed this up? Either by priming the cache in a > clever way > with readahead, or by being smarter about which files to re-hash. > > Maybe it would make sense to create a "quick" property update where rkhunter > would look > at each file and if the timestamp hasn't changed just assume that the hash is > still the > same. I must say I have the same issue, and tend to disable the hashes/attributes tests on machines running Debian sid. I have forwarded your request to the upstream feature request list. Cheers, Julien
Bug#472114: rkhunter: Is there a way to speed up the properties update?
Package: rkhunter Version: 1.3.2-1 Severity: wishlist Hi, I understand that this is not strictly speaking a problem with rkhunter or the packaging (hence the wishlist severity). However, on my laptop, doing the property update at the end of each apt run is very slow. When apt-get installing small packages, it often takes more time to update the properties than download and install the package. Is there a way that we could speed this up? Either by priming the cache in a clever way with readahead, or by being smarter about which files to re-hash. Maybe it would make sense to create a "quick" property update where rkhunter would look at each file and if the timestamp hasn't changed just assume that the hash is still the same. Francois -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.23.17-hrt3-grsec (SMP w/2 CPU cores; PREEMPT) Shell: /bin/sh linked to /bin/dash -- debconf information: * rkhunter/apt_autogen: true * rkhunter/cron_daily_run: true * rkhunter/cron_db_update: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]