Re: [Rkhunter-users] found wrong info in rkhunter.conf

2007-11-07 Thread John Horne
On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
 Dear listmembers.
 
 
 I found wrong information in the config file of rkhunter 1.3.0.
 Thought I would post it so ppl after me will be guided right.
 
 I run FreeBSD 6.2-RELEASE and in the rkhunter.conf the information
 regarding HASH_FLD_IDX says:
 
 ...snap
 The default value is one, but for *BSD users
 rkhunter will automatically use a value of 4.
 snap...
 
 On FreeBSD 6.2, 'man cksum' says: 
 
 ...snap
 The cksum utility writes to the standard output three whitespace
 separated fields for each input file. These fields are a checksum CRC, the
 total number of octets in the file and the file name.
 snap...
 
 So for FreeBSD 6.2-Release the HASH_FLD_IDX should be set to 1, *not*
 4 as the info in config file says.
 
Hello,

Well yes, no or possibly! As far as I can tell the current OpenBSD,
FreeBSD and NetBSD man pages all say the same thing in this respect.
However, it depends on what you have set your HASH_FUNC option to. Since
by default RKH will look for 'sha1sum', and if not found then 'sha1',
under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:

   {NetBSD}: sha1 /bin/ps
   SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a

As can be seen, the hash field index must be 4 in this case.

Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me
know what it shows please.

Ironically though, I see in the rkhunter.conf file, I have given as an
example the following:

   #   For NetBSD: HASH_FUNC=cksum -n -a sha512

This command will actually produce the hash value as the first field, so
HASH_FLD_IDX should be 1 in this example! I should perhaps comment that
in as well. An alternative is to remove the '-n', which will then give
the output requiring HASH_FLD_IDX to be 4 again.




John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] found wrong info in rkhunter.conf

2007-11-07 Thread Peo Nilsson

On Wed, 2007-11-07 at 13:08 +, John Horne wrote:
 Okay, that's fine. But as you can see, if you don't set these options
 (HASH_FUNC and HASH_FLD_IDX), then under *BSD RKH will default to using
 the 'sha1' command, and so the HASH_FLD_IDX is correct in defaulting to
 4.
 
 
 John.

Hmmm, ok.
I have erased the info in config file now, just to make
it smaller and more personal. Therefore I can't comment it because I
don't remember the info in exact detail.

I'll stay with (cksum and 1).

Thx for the help!

-- 
/Peo




Re: [Rkhunter-users] found wrong info in rkhunter.conf

2007-11-07 Thread Peo Nilsson

On Wed, 2007-11-07 at 11:48 +, John Horne wrote: 
 On Tue, 2007-11-06 at 23:42 +0100, Peo Nilsson wrote:
  Dear listmembers.
  
  
  I found wrong information in the config file of rkhunter 1.3.0.
  Thought I would post it so ppl after me will be guided right.
  
  I run FreeBSD 6.2-RELEASE and in the rkhunter.conf the information
  regarding HASH_FLD_IDX says:
  
  ...snap
  The default value is one, but for *BSD users
  rkhunter will automatically use a value of 4.
  snap...
  
  On FreeBSD 6.2, 'man cksum' says: 
  
  ...snap
  The cksum utility writes to the standard output three whitespace
  separated fields for each input file. These fields are a checksum CRC, the
  total number of octets in the file and the file name.
  snap...
  
  So for FreeBSD 6.2-Release the HASH_FLD_IDX should be set to 1, *not*
  4 as the info in config file says.
  
 Hello,
 
 Well yes, no or possibly! As far as I can tell the current OpenBSD,
 FreeBSD and NetBSD man pages all say the same thing in this respect.
 However, it depends on what you have set your HASH_FUNC option to. Since
 by default RKH will look for 'sha1sum', and if not found then 'sha1',
 under NetBSD 3.1 the sha1 command (because NetBSD has no sha1sum) gives:
 
{NetBSD}: sha1 /bin/ps
SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a
 
 As can be seen, the hash field index must be 4 in this case.
 
 Can you run the same command ('sha1 /bin/ps') under FreeBSD and let me
 know what it shows please.

{FreeBSD}:
SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3

 Ironically though, I see in the rkhunter.conf file, I have given as an
 example the following:
 
#   For NetBSD: HASH_FUNC=cksum -n -a sha512
 
 This command will actually produce the hash value as the first field, so
 HASH_FLD_IDX should be 1 in this example! I should perhaps comment that
 in as well. An alternative is to remove the '-n', which will then give
 the output requiring HASH_FLD_IDX to be 4 again.

On FreeBSD you have no options for cksum.
Well you have *one* to tell the truth:

{FreeBSD}
man cksum:
...
snap
The options are as follows:
 -o Use historic algorithms instead of the (superior) default one.
...snap

In my rkhunter.conf I now have:

HASH_FUNC=cksum
HASH_FLD_IDX=1

-- 
/Peo




Re: [Rkhunter-users] found wrong info in rkhunter.conf

2007-11-07 Thread John Horne
On Wed, 2007-11-07 at 13:45 +0100, Peo Nilsson wrote:
 {FreeBSD}:
 SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3

 In my rkhunter.conf I now have:
 
 HASH_FUNC=cksum
 HASH_FLD_IDX=1

Okay, that's fine. But as you can see, if you don't set these options
(HASH_FUNC and HASH_FLD_IDX), then under *BSD RKH will default to using
the 'sha1' command, and so the HASH_FLD_IDX is correct in defaulting to
4.


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839
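
The field-index point discussed in this thread, as an added example (not part of the original messages and not rkhunter's own code): it extracts field N from sample hash-command output and shows what a mismatched HASH_FLD_IDX would pick up. The function names are hypothetical, the 1-based whitespace splitting is an assumption based on the values in the thread, and the cksum line is constructed; the two SHA1 lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not rkhunter code: why HASH_FLD_IDX must match the
# output layout of the command configured as HASH_FUNC.

# Print whitespace-separated field $1 (1-based, assumed) of line $2.
hash_field() {
    printf '%s\n' "$2" | awk -v n="$1" '{ print $n }'
}

# Succeed only if $1 is a hex digest of exactly $2 characters.
is_hex_digest() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Print the index of the first field in line $2 that is a hex digest
# of length $1; fail if no field qualifies.
find_hash_field() {
    printf '%s\n' "$2" | awk -v len="$1" '{
        for (i = 1; i <= NF; i++)
            if (length($i) == len && $i ~ /^[0-9a-fA-F]+$/) { print i; exit 0 }
        exit 1
    }'
}

# The two SHA1 lines are quoted from the thread.
NETBSD_SHA1='SHA1 (/bin/ps) = 9c8cd421f6fa8dd55fd2ecbc7d76b7f13027e91a'
FREEBSD_SHA1='SHA1 (/bin/ps) = 9709aa53540a004db9206260ee8c8380bc54b2f3'
# Constructed sample in the cksum layout: CRC, octet count, file name.
CKSUM_LINE='1234567890 34567 /bin/ps'

# Matching index: the digest itself is extracted.
echo "sha1,  idx 4: $(hash_field 4 "$FREEBSD_SHA1")"
echo "cksum, idx 1: $(hash_field 1 "$CKSUM_LINE")"

# Mismatched index: the extracted value no longer depends on file content.
echo "sha1,  idx 1: '$(hash_field 1 "$FREEBSD_SHA1")'"   # the literal label
echo "cksum, idx 4: '$(hash_field 4 "$CKSUM_LINE")'"     # empty string

# Sanity check to run before trusting a configured index.
if is_hex_digest "$(hash_field 4 "$NETBSD_SHA1")" 40; then
    echo "index 4 yields a 40-character hex digest for sha1 output"
fi
echo "digest found at field: $(find_hash_field 40 "$NETBSD_SHA1")"
```

Plain `cksum` output is a CRC, as the man page excerpt in the thread says; a CRC is not a cryptographic hash, so a SHA-family HASH_FUNC is the stronger choice for file integrity checks.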
