Re: [Rkhunter-users] found wrong info in rkhunter.conf
On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
> Dear list members.
>
> I found wrong information in the config file of rkhunter 1.3.0. Thought I would post it so people after me will be guided right.
>
> I run FreeBSD 6.2-RELEASE, and in rkhunter.conf the information regarding HASH_FLD_IDX says:
>
> ...snap
> The default value is one, but for *BSD users rkhunter will automatically use a value of 4.
> snap...
>
> On FreeBSD 6.2, 'man cksum' says:
>
> ...snap
> The cksum utility writes to the standard output three whitespace separated fields for each input file. These fields are a checksum CRC, the total number of octets in the file and the file name.
> snap...
>
> So for FreeBSD 6.2-RELEASE the HASH_FLD_IDX should be set to 1, *not* 4 as the info in the config file says.

Hello,

Well yes, no or possibly! As far as I can tell the current OpenBSD, FreeBSD and NetBSD man pages all say the same thing in this respect. However, it depends on what you have set your HASH_FUNC option to. Since by default RKH will look for 'sha1sum', and if not found then 'sha1', under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:

    {NetBSD}: sha1 /bin/ps
    SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a

As can be seen, the hash field index must be 4 in this case. Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me know what it shows please.

Ironically though, I see in the rkhunter.conf file I have given as an example the following:

    # For NetBSD:
    HASH_FUNC=cksum -n -a sha512

This command will actually produce the hash value as the first field, so HASH_FLD_IDX should be 1 in this example!
I should perhaps comment that in as well. Alternatively, remove the '-n', which will then give the output requiring HASH_FLD_IDX to be 4 again.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839

___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
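The point of the exchange above is that HASH_FLD_IDX has to match the output layout of whatever HASH_FUNC produces: BSD `sha1` prints `SHA1 (file) = hash`, so the digest is the fourth whitespace-separated field, while `sha1sum`, `cksum` and `cksum -n -a sha512` put the digest first. If the index points at the wrong field, what gets stored and compared is a label such as `SHA1`, a file name, or nothing at all, and the file property check no longer tells you whether a binary has changed. The script below is an added example, not rkhunter's own code: it extracts a field by a 1-based whitespace-separated index (the assumption made here about how HASH_FLD_IDX is interpreted), checks that the field actually looks like a digest, and guesses which index fits a sample line. The two `SHA1 (/bin/ps) = ...` lines are the ones quoted in this thread; the `sha1sum`- and `cksum`-style lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. It mimics what a HASH_FLD_IDX
# setting has to do: pick the hash out of the HASH_FUNC command's output
# by a 1-based, whitespace-separated field number (an assumption about
# how the index is applied), and check that the chosen field really is
# a digest rather than a label or a file name.

# Print field $1 (1-based) of line $2, splitting on whitespace.
hash_field() {
    printf '%s\n' "$2" | awk -v n="$1" '{ print $n }'
}

# Succeed if $1 looks like a digest: all decimal digits (a cksum CRC),
# or hex with an even length of at least 32 (MD5 and the SHA family).
looks_like_digest() {
    d=$1
    case $d in
        '' | *[!0-9a-fA-F]*) return 1 ;;    # empty or non-hex: not a digest
        *[!0-9]*)            ;;             # has hex letters: check length
        *)                   return 0 ;;    # decimal only: a CRC
    esac
    len=${#d}
    [ "$len" -ge 32 ] && [ $((len % 2)) -eq 0 ]
}

# Given one sample line from the hashing command, print the HASH_FLD_IDX
# that fits it: 1 for "hash [size] file" layouts (sha1sum, cksum,
# "cksum -n -a sha512"), 4 for the BSD "SHA1 (file) = hash" layout.
# Fails (no output, status 1) if neither field holds a digest.
guess_fld_idx() {
    for n in 1 4; do
        if looks_like_digest "$(hash_field "$n" "$1")"; then
            echo "$n"
            return 0
        fi
    done
    return 1
}

# Sample output lines. The two SHA1 lines are the ones quoted in the
# thread; the sha1sum and cksum lines are constructed for this example.
netbsd_sha1='SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a'
freebsd_sha1='SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3'
gnu_sha1sum='9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a  /bin/ps'
bsd_cksum='2890735283 102400 /bin/ps'

for line in "$netbsd_sha1" "$freebsd_sha1" "$gnu_sha1sum" "$bsd_cksum"; do
    idx=$(guess_fld_idx "$line") || idx='none'
    printf 'HASH_FLD_IDX=%s  <- %s\n' "$idx" "$line"
done
```

To check a real installation, run the command named in HASH_FUNC on one known file and feed the single output line to `guess_fld_idx`; if the result differs from the HASH_FLD_IDX in rkhunter.conf, or there is no result at all, the stored "hashes" are not hashes. Note that with index 1 on the BSD `sha1` layout the extracted field is the literal string `SHA1`, which is the same for every file and therefore detects nothing.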
Re: [Rkhunter-users] found wrong info in rkhunter.conf
On Wed, 2007-11-07 at 13:08 +0000, John Horne wrote:
> Okay, that's fine. But as you can see, if you don't set these options (HASH_FUNC and HASH_FLD_IDX), then under *BSD RKH will default to using the 'sha1' command, and so the HASH_FLD_IDX is correct in defaulting to 4.
>
> John.

Hmmm, ok. I have erased the info in the config file now, just to make it smaller and more personal. Therefore I can't comment on it because I don't remember the info in exact detail.

I'll stay with (cksum and 1).

Thanks for the help!

-- 
/Peo
Re: [Rkhunter-users] found wrong info in rkhunter.conf
On Wed, 2007-11-07 at 11:48 +0000, John Horne wrote:
> On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
> > Dear list members.
> >
> > I found wrong information in the config file of rkhunter 1.3.0. Thought I would post it so people after me will be guided right.
> >
> > I run FreeBSD 6.2-RELEASE, and in rkhunter.conf the information regarding HASH_FLD_IDX says:
> >
> > ...snap
> > The default value is one, but for *BSD users rkhunter will automatically use a value of 4.
> > snap...
> >
> > On FreeBSD 6.2, 'man cksum' says:
> >
> > ...snap
> > The cksum utility writes to the standard output three whitespace separated fields for each input file. These fields are a checksum CRC, the total number of octets in the file and the file name.
> > snap...
> >
> > So for FreeBSD 6.2-RELEASE the HASH_FLD_IDX should be set to 1, *not* 4 as the info in the config file says.
>
> Hello,
>
> Well yes, no or possibly! As far as I can tell the current OpenBSD, FreeBSD and NetBSD man pages all say the same thing in this respect. However, it depends on what you have set your HASH_FUNC option to. Since by default RKH will look for 'sha1sum', and if not found then 'sha1', under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:
>
>     {NetBSD}: sha1 /bin/ps
>     SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a
>
> As can be seen, the hash field index must be 4 in this case. Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me know what it shows please.

    {FreeBSD}: SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3

> Ironically though, I see in the rkhunter.conf file I have given as an example the following:
>
>     # For NetBSD:
>     HASH_FUNC=cksum -n -a sha512
>
> This command will actually produce the hash value as the first field, so HASH_FLD_IDX should be 1 in this example!
>
> I should perhaps comment that in as well. Alternatively, remove the '-n', which will then give the output requiring HASH_FLD_IDX to be 4 again.

On FreeBSD you have no options for cksum. Well, you have *one* to tell the truth:

    {FreeBSD} man cksum:
    ...snap
    The options are as follows:
    -o    Use historic algorithms instead of the (superior) default one.
    ...snap

In my rkhunter.conf I now have:

    HASH_FUNC=cksum
    HASH_FLD_IDX=1

-- 
/Peo
Re: [Rkhunter-users] found wrong info in rkhunter.conf
On Wed, 2007-11-07 at 13:45 +0100, Peo Nilsson wrote:
> {FreeBSD}: SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3
>
> In my rkhunter.conf I now have:
>
>     HASH_FUNC=cksum
>     HASH_FLD_IDX=1

Okay, that's fine. But as you can see, if you don't set these options (HASH_FUNC and HASH_FLD_IDX), then under *BSD RKH will default to using the 'sha1' command, and so the HASH_FLD_IDX is correct in defaulting to 4.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839