Linux - Security forum, LinuxQuestions.org
Let's suppose I just installed rkhunter (1.3.2).
I've not yet done "rkhunter --propupd", and I do "rkhunter -c".
Rkhunter shows me "OK" for almost every binary.
My question is: what is the meaning of this "OK", if I've not yet created my database (rkhunter.dat)?
How is every single file compared?
I was thinking about "defaulthashes.dat", but by doing
"sha1sum /bin/dmesg" or "md5sum /bin/dmesg" (for example) I don't find those values in defaulthashes.dat.
I've not yet done "rkhunter --propupd", (...) what is the meaning of this "OK", if I've not yet created my database (rkhunter.dat)
If you didn't build the hash database beforehand then deliberately running RKH anyway makes the "OK" mean nothing at all. That's not a flaw in RKH but how we chose to make it function since 1.3.2. While I agree it's beneficial to have "knowngoods" type of central hash databases, from a practical point of view the maintenance of defaulthashes.dat was truly horrible and user submission (at about 2000 downloads per month) nearly nonexistent. From a procedural view, installing RKH or any audit app or integrity checker *after* a (perceived) security breach unfortunately is *not* the correct approach. That doesn't mean those apps will be worthless, just that hash checking should not be done without correlation using an external trusted source. How you do that depends on what distribution you use and if you use prelinking. So that still leaves checks like location, setXid, MAC times, size and strings to help make "foreign" binaries stand out like a sore thumb.
If you think you've got a breach of security on your hands maybe give us more details?
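The correlation with an external trusted source that unSpawn describes, as an added example (this is not rkhunter's code and not something from the post): a POSIX shell script that refuses to report "OK" for a file with no baseline entry, compares a file's md5/sha1/sha256 digest against an externally supplied "<hash>  <path>" list, hashes the un-prelinked image first when prelink is installed, and lists setuid/setgid files so unexpected ones stand out. The function names, the baseline format and every fixture file and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify binaries against an EXTERNAL trusted hash list instead of
# a self-generated rkhunter.dat. Not rkhunter code. File names, the baseline
# format ("<hash>  <path>") and all fixture contents are constructed for the demo.

# hash_file FILE HEXLEN: print FILE's digest with the tool matching HEXLEN
# (32 = md5, 40 = sha1, 64 = sha256). Returns 2 for an unknown digest length.
hash_file() {
    file=$1
    case "$2" in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  return 2 ;;
    esac
    # A prelinked binary hashes differently on every host. prelink -y writes the
    # original, un-prelinked image to stdout, so hash that when the file really
    # is prelinked; otherwise hash the file as it is on disk.
    if command -v prelink >/dev/null 2>&1 && prelink -y "$file" >/dev/null 2>&1; then
        prelink -y "$file" | "$tool" | cut -d' ' -f1
    else
        "$tool" "$file" | cut -d' ' -f1
    fi
}

# verify_file FILE BASELINE: compare FILE's digest with its entry in BASELINE.
# Exit status: 0 = matches, 1 = mismatch, 2 = unsupported digest, 3 = no entry.
# "No entry" is deliberately NOT 0: a file that cannot be checked is not "OK".
verify_file() {
    file=$1
    expected=$(awk -v f="$file" '$2 == f { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "NO BASELINE: $file (unverifiable, not OK)"
        return 3
    fi
    actual=$(hash_file "$file" "${#expected}") || { echo "UNSUPPORTED HASH: $file"; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file expected=$expected actual=$actual"
    return 1
}

# list_setxid DIR: print every setuid/setgid regular file under DIR. Anything
# listed that is not a known, packaged setXid program deserves a close look.
list_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# make_fixture: build a throwaway tree with a constructed baseline, print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf 'genuine dmesg image\n' > "$d/bin/dmesg"
    printf 'genuine ls image\n'    > "$d/bin/ls"
    printf 'unlisted binary\n'     > "$d/bin/unlisted"
    # Record the "vendor" digests (sha256 for dmesg, md5 for ls: both formats
    # occur in real package metadata), then trojan ls after the baseline exists.
    {
        printf '%s  %s\n' "$(sha256sum "$d/bin/dmesg" | cut -d' ' -f1)" "$d/bin/dmesg"
        printf '%s  %s\n' "$(md5sum    "$d/bin/ls"    | cut -d' ' -f1)" "$d/bin/ls"
    } > "$d/baseline.txt"
    printf 'trojaned ls image\n' > "$d/bin/ls"
    chmod u+s "$d/bin/unlisted"   # a setuid file nobody packaged
    echo "$d"
}

# Stand-alone demo on the constructed fixture.
demo=$(make_fixture)
for f in "$demo/bin/dmesg" "$demo/bin/ls" "$demo/bin/unlisted"; do
    verify_file "$f" "$demo/baseline.txt" || true
done
echo "setXid files: $(list_setxid "$demo")"
rm -rf "$demo"
```

In real use the baseline must come from somewhere the intruder could not have written: the distribution's package metadata rather than a list generated on the suspect host (`dpkg --verify` or `debsums` on Debian-derived systems, `rpm -Va` on RPM systems, or better, the package files fetched fresh from the distribution mirror when the local package database itself is in doubt). Only after the installed binaries agree with that source does running `rkhunter --propupd` produce an rkhunter.dat whose later "OK" means something.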
[...........]
If you think you've got a breach of security on your hands maybe give us more details?
Hi unSpawn,
thank you for your reply.
No, I don't have a server compromised.
I totally agree with you about the error of using RKH AFTER having had a violation, or without a proper hash database.
But I think it would be better if RKH, without a hash db, told the user a message like "ERROR: rkhunter.dat not found" or so.