LinuxQuestions.org
Old 12-30-2013, 04:38 PM   #1
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Prelink question


If I wanted to get rid of an error warning message that appears while running rootkit hunter, and I knew that it was a false positive that I had nothing to worry about, could I just prelink it with the following command:

prelink -Rm /usr/sbin/newusers

or would this be the correct way to do it:

prelink -rm /usr/sbin/newusers?

I am asking because this is my first time ever using rootkit hunter and I am trying to learn as much as I can about it.
 
Old 01-01-2014, 05:17 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Quote:
Originally Posted by michaellopez12 View Post
would this be the correct way to do it
Linux is case sensitive so its manual page (as in 'man prelink' or 'info prelink') should show you the correct switch capitalization for the command.


Quote:
Originally Posted by michaellopez12 View Post
I am asking because this is my first time ever using rootkit hunter and I am trying to learn as much as I can about it.
Then the README, FAQ and rkhunter.conf comments should be read first. Also know most questions have already been solved: do check the rkhunter-users mailing list archives.
 
Old 01-02-2014, 04:42 PM   #3
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by unSpawn View Post
Linux is case sensitive so its manual page (as in 'man prelink' or 'info prelink') should show you the correct switch capitalization for the command.
By manual page do you mean inside prelink's configuration file?
 
Old 01-04-2014, 10:23 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Quote:
Originally Posted by michaellopez12 View Post
By manual page do you mean inside prelink's configuration file?
No, I mean typing 'man prelink' and then reading what's on the screen.
 
Old 01-08-2014, 03:54 PM   #5
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by unSpawn View Post
No, I mean typing 'man prelink' and then reading what's on the screen.
I did the man prelink and I found the information I was looking for.

Thanks for the information. I have a new question I would like to ask you. When it comes to using the prelink command, what would be the proper syntax to use prelink if I wanted to get rid of a "warning" message that appeared every time I ran rootkit hunter?

/bin/csh [ Warning ]
/bin/cp [ OK ]
/bin/csh [ Warning ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ Warning ]
/bin/egrep [ Warning ]
/bin/env [ OK ]
/bin/fgrep [ Warning ]
/bin/grep [ Warning ]
/bin/kill [ OK ]
/bin/logger [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ Warning ]

I found out the syntax but I am getting a message telling me that the directory doesn't exist? I will let you know once I find out more details.

Last edited by michaellopez12; 01-08-2014 at 04:49 PM.
 
Old 01-12-2014, 07:36 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Quote:
Originally Posted by michaellopez12 View Post
When it comes to using the prelink command, what would be the proper syntax to use prelink if I wanted to get rid of a "warning" message that appeared every time I ran rootkit hunter?
What warning exactly? Don't post output but check, like said in previous threads, /var/log/rkhunter.log instead.


Quote:
Originally Posted by michaellopez12 View Post
I found out the syntax but I am getting a message telling me that the directory doesn't exist?
Since you didn't post any command line and output there's nothing to correct.
 
Old 01-13-2014, 01:44 PM   #7
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by unSpawn View Post
What warning exactly? Don't post output but check, like said in previous threads, /var/log/rkhunter.log instead.


Since you didn't post any command line and output there's nothing to correct.
Disregard the last message.

Here is what I did. I ran the rkhunter --propupd option. Afterwards I ran grep csh /var/lib/rkhunter/db/rkhunter.dat


What I saw was the following:

File:/bin/csh::33816687:0777:0:0:4:1291058316::
The hash value exists for /bin/csh.

I then tried to do the prelink -f /bin/csh command. If you run this command nothing will be displayed if it works correctly. But I got this output message:

bash: prelink: command not found

Is there any way I can see why rkhunter is not getting the hash value for the /bin/csh file?

It works from the command line so why doesn't it work when I run rkhunter --propupd?

This is what I am still getting when I run rkhunter -c

/bin/csh [ Warning ]
This is the error I was talking about.

Furthermore I looked at the rkhunter log file and this is what I found.

[12:41:01] Warning: No hash value found for file '/bin/csh' in the rkhunter.dat file.

and yet I was able to find the hash value.

Last edited by michaellopez12; 01-13-2014 at 02:22 PM.
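
Added example (not part of the original posts and not rkhunter's own code): a small shell check for the situation in the post above, where grep finds an entry for a file but rkhunter.log still reports "No hash value found". It assumes the rkhunter.dat fields are colon-separated as File:<path>:<hash>:<inode>:<mode>:<uid>:<gid>:<size>:<mtime>:..., a layout the thread does not confirm; check_entry and make_sample are hypothetical helper names, and the /bin/cp line is constructed sample data.

```shell
#!/bin/sh
# Assumed layout (not confirmed by the thread):
#   File:<path>:<hash>:<inode>:<mode>:<uid>:<gid>:<size>:<mtime>:...
# Paths containing ':' are not handled by this sketch.

# check_entry DATFILE PATH
# Prints "missing" if PATH has no entry, "nohash" if the entry exists but
# its hash field is empty, or "hash=<value>" if a hash is stored.
check_entry() {
    awk -F: -v want="$2" '
        $1 == "File" && $2 == want {
            found = 1
            if ($3 == "") print "nohash"
            else          print "hash=" $3
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# make_sample FILE
# Writes sample data: the /bin/csh line is the one quoted in the post,
# the /bin/cp line is constructed (placeholder hash and numbers).
make_sample() {
    cat > "$1" <<'EOF'
File:/bin/csh::33816687:0777:0:0:4:1291058316::
File:/bin/cp:0123456789abcdef0123456789abcdef01234567:100001:0755:0:0:100000:1291058316::
EOF
}

# Demo run against the embedded sample instead of the live database.
dat=$(mktemp)
make_sample "$dat"
for f in /bin/csh /bin/cp /bin/ed; do
    printf '%s: %s\n' "$f" "$(check_entry "$dat" "$f")"
done
rm -f "$dat"
```

Under the assumed layout, the /bin/csh line quoted in the post has nothing between the path and the inode field, which is the case the function reports as nohash. On a real system the first argument would be /var/lib/rkhunter/db/rkhunter.dat, the file named in the post.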
 
Old 01-13-2014, 02:14 PM   #8
michaellopez12
Member
 
Registered: Nov 2013
Posts: 47

Original Poster
Quote:
Originally Posted by michaellopez12 View Post
Disregard the last message.

Here is what I did. I ran the rkhunter --propupd option. Afterwards I ran grep csh /var/lib/rkhunter/db/rkhunter.dat


What I saw was the following:

File:/bin/csh::33816687:0777:0:0:4:1291058316::
The hash value exists for /bin/csh.

I then tried to do the prelink -f /bin/csh command. If you run this command nothing will be displayed if it works correctly. But I got this output message:

bash: prelink: command not found

Is there any way I can see why rkhunter is not getting the hash value for the /bin/csh file?

It works from the command line so why doesn't it work when I run rkhunter --propupd?

This is what I am still getting when I run rkhunter -c

/bin/csh [ Warning ]
This is the error I was talking about.

Last edited by michaellopez12; 01-13-2014 at 02:56 PM.
 
Old 01-13-2014, 05:42 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Quote:
Originally Posted by michaellopez12 View Post
Is there any way I can see why rkhunter is not getting the hash value for the /bin/csh file?
Run RKH with the "--debug" switch and add it to your ticket at http://sourceforge.net/p/rkhunter/support-requests/.
 