LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-05-2008, 06:47 PM   #1
h725
Member
 
Registered: Apr 2008
Posts: 114
Question about rkhunter


Hi all.

Let's suppose I just installed rkhunter (1.3.2).
I've not yet done "rkhunter --propupd", and I do "rkhunter -c".
Rkhunter shows me "OK" for almost every binary.

My question is: what is the meaning of this "OK", if I've not yet created my database (rkhunter.dat)?

How is every single file compared?

I was thinking about "defaulthashes.dat", but by doing

"sha1sum /bin/dmesg" or "md5sum /bin/dmesg" (for example) I don't find those values in defaulthashes.dat.

Thank you
 
Old 12-06-2008, 04:20 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by h725 View Post
I've not yet done "rkhunter --propupd", (...) what is the meaning of this "OK", if I've not yet created my database (rkhunter.dat)
If you didn't build the hash database beforehand then deliberately running RKH anyway makes the "OK" mean nothing at all. That's not a flaw in RKH but how we chose to make it function since 1.3.2. While I agree it's beneficial to have "knowngoods" type of central hash databases, from a practical point of view the maintenance of defaulthashes.dat was truly horrible and user submission (at about 2000 downloads per month) nearly nonexistent. From a procedural view, installing RKH or any audit app or integrity checker *after* a (perceived) security breach unfortunately is *not* the correct approach. That doesn't mean those apps will be worthless, just that hash checking should not be done without correlation using an external trusted source. How you do that depends on what distribution you use and if you use prelinking. So that still leaves checks like location, setXid, MAC times, size and strings to help make "foreign" binaries stand out like a sore thumb.

If you think you've got a breach of security on your hands maybe give us more details?
 
Old 12-06-2008, 03:08 PM   #3
h725
Member
 
Registered: Apr 2008
Posts: 114

Original Poster
Quote:
Originally Posted by unSpawn View Post
[...........]
If you think you've got a breach of security on your hands maybe give us more details?
Hi unSpawn,

thank you for your reply.
No, I don't have a compromised server.
I totally agree with you about the error of using RKH AFTER having had a violation, or without a proper hash database.

But I think it would be better if RKH, without a hash db, told the user a message like "ERROR: rkhunter.dat not found" or so.

Thank you again and sorry for my English
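The two points made in the posts above (the "OK" of a property check is meaningless without a baseline, and a checker with no baseline should refuse rather than report OK) are easier to see in code. The following is an added example written for this thread, not rkhunter's own code and not how rkhunter.dat is actually formatted; it records the kinds of properties unSpawn lists (hash, size, mode including the setuid/setgid bits, owner, mtime) for a set of files, and the check step raises an error when the baseline file does not exist. The file names, contents and the "rkhunter.dat" name in the demo are constructed stand-ins created in a temporary directory.

```python
"""Added example: a minimal file-property baseline in the spirit of
rkhunter's --propupd / -c.  Not rkhunter's own code; file names and
contents below are constructed for the demo."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

PROPS = ("sha256", "size", "mode", "uid", "gid", "mtime")


class NoBaseline(Exception):
    """Raised when a check is attempted before a baseline exists."""


def file_props(path):
    """Collect the properties a file-integrity check compares."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(paths, db_path):
    """The --propupd step: record properties of known-good files."""
    db = {str(p): file_props(p) for p in paths}
    Path(db_path).write_text(json.dumps(db, indent=1, sort_keys=True))
    return db


def check(paths, db_path):
    """The -c step.  Refuses to run with no baseline rather than report OK."""
    if not os.path.exists(db_path):
        raise NoBaseline(f"{db_path} not found; build the baseline first")
    db = json.loads(Path(db_path).read_text())
    findings = {}
    for p in map(str, paths):
        if p not in db:
            findings[p] = ["not in baseline"]
            continue
        if not os.path.lexists(p):
            findings[p] = ["missing"]
            continue
        cur = file_props(p)
        diffs = [k for k in PROPS if cur[k] != db[p][k]]
        # A newly set setuid/setgid bit is worth calling out on its own.
        new_bits = cur["mode"] & ~db[p]["mode"]
        if new_bits & (stat.S_ISUID | stat.S_ISGID):
            diffs.append("setxid_added")
        if diffs:
            findings[p] = diffs
    return findings


def demo():
    """Walk through: check before baseline, baseline, clean check, tampering."""
    work = Path(tempfile.mkdtemp())
    bins = [work / "dmesg", work / "ls"]
    for b in bins:  # constructed stand-ins for system binaries
        b.write_bytes(b"\x7fELF constructed sample: " + b.name.encode())
    db = work / "rkhunter.dat"

    try:  # running the check before --propupd must not say "OK"
        check(bins, db)
        refused = False
    except NoBaseline:
        refused = True

    build_baseline(bins, db)
    clean = check(bins, db)  # nothing changed yet, so no findings

    # Simulated tampering: replace one binary, set setuid on another.
    (work / "dmesg").write_bytes(b"\x7fELF trojaned dmesg with extra payload")
    os.chmod(work / "ls", 0o4755)
    tampered = {os.path.basename(k): v for k, v in check(bins, db).items()}
    return refused, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the system it was taken on, which is unSpawn's point: built after a suspected compromise, it simply enshrines whatever is already there. On a packaged system the independent reference he mentions is the package manager's own metadata, for example `rpm -V` or `debsums`, keeping in mind that prelinking rewrites binaries and will change their hashes legitimately.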
 
Old 12-06-2008, 06:50 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by h725 View Post
But I think it will be better if RKH, without an hash db, tell the user a message "ERROR: rkhunter.dat not found" or so.
I think it will be better if people actually read the "readme" and update the database first :-]