[opensuse] Rootkit Hunter for openSUSE 10.3
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3? I have an older version installed, and run it with the --update tag, but it still shows to be the older version. Thanks, Jim -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Jim Flanagan wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3? I have an older version installed, and run it with the --update tag, but it still shows to be the older version.
http://download.opensuse.org/repositories/home:/lrupp/openSUSE_10.3 Hope this helps Togan
Togan Muftuoglu wrote:
Jim Flanagan wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3? I have an older version installed, and run it with the --update tag, but it still shows to be the older version.
http://download.opensuse.org/repositories/home:/lrupp/openSUSE_10.3
Hope this helps Togan That's the one! Thank you very much.
Jim
Jim Flanagan wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3? I have an older version installed, and run it with the --update tag, but it still shows to be the older version.
Thanks,
Jim Hi, I don't think that you can update rkhunter that way. The --update only updates what rootkits it searches for, sort of like updating your windows antivirus database for new viruses.
If you want to update your version of rootkit hunter, you have to go to this page and download rootkit hunter. Once you have downloaded the tarball, then I use konqueror to go to the /etc/rkhunter.conf file so that you may delete that file or the new version won't work. An alternate method is detailed as follows:

*/ When you installed RKH it saw that the file /etc/rkhunter.conf already existed. The installer won't overwrite it, so it created a new default one (rkhunter.conf.xxxxxx). The number is just a unique number. What you need to do is integrate any required changes you had in rkhunter.conf to the new (numbered) file, and then move, or copy, that new file to rkhunter.conf. How you actually do this is up to you depending on how you administer your systems. The point being that RKH will use the rkhunter.conf file.

In your case you were running RKH version 1.3.0 but with a 1.2.9 version configuration file. That won't work. That's why when you removed rkhunter.conf everything suddenly worked. During that installation RKH saw there was no previous file, so just created one for you. You then had RKH 1.3.0 with a 1.3.0 config file.

Personally, I leave the rkhunter.conf as it is and add any changes only to the bottom of it. That way, when a new RKH version comes out, I only need to copy/paste the bottom part of the file to the new config file (the one with the number). I then 'mv' the numbered file over rkhunter.conf. But that's just me. /*

Then to install the new rkhunter, you extract the tarball, then cd to the opened file, then run this script from command line as root:

./installer.sh --layout default --install

There are more instructions in the Readme file. Once you have managed to install your new version, you must run rkhunter --propupd from command line as root so that it can figure out what files you have on your computer. Then as root run rkhunter --update to update the rootkit database.
Then as root you may run rkhunter -c --sk to do your rootkit checks, and expect some false file warnings the first time around. Mark
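Mark's bottom-of-file convention can be scripted. The following is an added example written for this page, not code from the thread or from the rkhunter project: the marker text, the file names and the constructed sample configs are assumptions, and the sample directives are only illustrative. It takes the new numbered default the installer leaves behind, appends the old file's local block under the same marker, and moves the result into place. After that the propupd/update/check sequence Mark lists applies, with one caveat worth stating plainly: --propupd records the current file properties as the trusted baseline, so run it only on a system you have reason to believe is clean.

```shell
#!/bin/sh
# Added example (not from the thread, not rkhunter's own code): carry the
# local block at the bottom of an old /etc/rkhunter.conf over into the fresh
# numbered default (rkhunter.conf.NNNNNN) and move the result into place.
# Assumes Mark's convention: every local change sits below one marker line.
# Marker text, file names and sample directives below are assumptions.

MARKER='# --- local changes below this line ---'

# Print the lines of file $1 that follow the marker (the local block).
local_block() {
    awk -v m="$MARKER" 'found { print } $0 == m { found = 1 }' "$1"
}

# merge_rkhunter_conf OLD NEW [OUT]
# Writes NEW followed by the marker and OLD's local block to OUT
# (default: NEW, in place). An OLD file without a marker has nothing to
# carry over, so NEW is used unchanged.
merge_rkhunter_conf() {
    old=$1; new=$2; out=${3:-$2}
    tmp="$out.tmp.$$"
    if grep -qxF "$MARKER" "$old"; then
        { cat "$new"; printf '\n%s\n' "$MARKER"; local_block "$old"; } > "$tmp"
    else
        cp "$new" "$tmp"
    fi
    mv "$tmp" "$out"
}

# Number of real (non-blank, non-comment) local settings in file $1.
count_local_settings() {
    local_block "$1" | grep -v '^[[:space:]]*#' | grep -c '[^[:space:]]'
}

# --- constructed demo input: these are NOT real config files ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/rkhunter.conf" <<'EOF'
# old default as shipped (constructed)
ALLOW_SSH_ROOT_USER=no
# --- local changes below this line ---
ALLOW_SSH_ROOT_USER=yes
ALLOWHIDDENDIR=/dev/.udev
EOF
cat > "$demo_dir/rkhunter.conf.123456" <<'EOF'
# new default written by the installer (constructed)
ALLOW_SSH_ROOT_USER=no
SCRIPTWHITELIST=/usr/bin/groups
EOF

# On a real system this would be:
#   merge_rkhunter_conf /etc/rkhunter.conf /etc/rkhunter.conf.123456 /etc/rkhunter.conf
merge_rkhunter_conf "$demo_dir/rkhunter.conf" \
                    "$demo_dir/rkhunter.conf.123456" \
                    "$demo_dir/rkhunter.conf.merged"
cat "$demo_dir/rkhunter.conf.merged"
# $demo_dir is left in place so the result can be inspected; rm -rf it when done.
```

The merged file keeps every directive of the new default first, so a setting that changed meaning between versions is still visible above your override, and the marker makes the next upgrade a repeat of the same one-liner.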
Jim Flanagan wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3? I have an older version installed, and run it with the --update tag, but it still shows to be the older version.
Thanks,
Jim Hi, I just realized I left off the link for the rkhunter download page in my first post. Here it is:
http://sourceforge.net/project/showfiles.php?group_id=155034
On Wed, Jun 11, 2008 at 9:37 AM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3?
As an aside, you can search for any package here: Software Search http://packages.opensuse-community.org/ Mike
Michael Mientus wrote:
On Wed, Jun 11, 2008 at 9:37 AM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Does anyone know where I can get the newest version of rkhunter in an RPM for opensuse 10.3?
As an aside, you can search for any package here:
Software Search http://packages.opensuse-community.org/
Mike
Ok, thanks to all for the good advice, especially Togan for the new RPM. I un-installed my old version RPM and installed the new one. It runs by command line, but it has not run the daily automatic scan. How do I get it to do that, and perhaps set the time it runs? I tried renaming /etc/rkhunter.conf, but it will not run without that file. Jim
* Jim Flanagan <linuxjim@jjfiii.com> [06-12-08 11:38]:
Ok, thanks to all for the good advise, especially Togan for the new RPM. I un-installed my old version RPM and installed the new one. It runs by command line, but it has not run the daily automatic scan. How do I get it to do that, and perhaps set the time it runs?
cron man rkhunter (iirc)
I tried renaming /etc/rkhunter.conf, but it will not run without that file.
you take this action before you upgrade, not after. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Patrick Shanahan wrote:
* Jim Flanagan <linuxjim@jjfiii.com> [06-12-08 11:38]:
Ok, thanks to all for the good advise, especially Togan for the new RPM. I un-installed my old version RPM and installed the new one. It runs by command line, but it has not run the daily automatic scan. How do I get it to do that, and perhaps set the time it runs?
cron man rkhunter (iirc)
I tried renaming /etc/rkhunter.conf, but it will not run without that file.
you take this action before you upgrade, not after.
Doh.......thanks Patrick. Jim
Patrick Shanahan wrote:
* Jim Flanagan <linuxjim@jjfiii.com> [06-12-08 11:38]:
Ok, thanks to all for the good advise, especially Togan for the new RPM. I un-installed my old version RPM and installed the new one. It runs by command line, but it has not run the daily automatic scan. How do I get it to do that, and perhaps set the time it runs?
cron man rkhunter (iirc)
Maybe I'm missing something (most likely) but looking in kcron I see no entries for anything, only folders for entries and variables, but can't get these to open. I tried logging in as root, and I see entries for all system users and others such as cyrus, mail, etc. Each has the two folders, entries and variables, but again these will not open. But I don't see any entries where an actual cron job is listed. No item for rkhunter is listed. Rkhunter does run now, at the same time of day it did before my upgrade, but I have not a clue as to what is making it run at that time. Jim
The Saturday 2008-06-14 at 07:46 -0500, Jim Flanagan wrote:
Rkhunter does run now, at the same time of day it did before my upgrade, but I have not a clue as to what is making it run at that time.
Have a look here: "/etc/cron.daily/". -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Saturday 2008-06-14 at 07:46 -0500, Jim Flanagan wrote:
Rkhunter does run now, at the same time of day it did before my upgrade, but I have not a clue as to what is making it run at that time.
Have a look here: "/etc/cron.daily/".
And also look at the DAILY_TIME variable in /etc/sysconfig/cron Joe
Joe Sloan wrote:
Carlos E. R. wrote:
The Saturday 2008-06-14 at 07:46 -0500, Jim Flanagan wrote:
Rkhunter does run now, at the same time of day it did before my upgrade, but I have not a clue as to what is making it run at that time.
Have a look here: "/etc/cron.daily/".
And also look at the DAILY_TIME variable in /etc/sysconfig/cron
Joe OK, I see a file named /etc/cron.daily/suse.de-rkhunter but I see no references to a time to run. In /etc/sysconfig/cron DAILY_TIME is set at "blank" meaning defaults which is nothing.
IIRC Rkhunter was setup to run at a certain time (set up by itself at installation of the opensuse rpm), say 0830. If I had the machine off during that time, it would run shortly after boot, unless it had already previously run that day. Once it ran at that later time, it would continue to run at that later time every day (again unless the machine happened to be off at that time in which case it would run at boot again). Looking more closely at suse.de-rkhunter I see an entry where it should check /var/tmp/rkhunter-cron.XXXXX, but I don't see this file in /var/tmp/. I do see a way to make it update itself (DB I suppose, not version) by setting CRON_DB_UPDATE="yes" from the default "no". Haven't tried that yet though. One thing at a time. Jim
Quoting Jim Flanagan <linuxjim@jjfiii.com>: [snip]
IIRC Rkhunter was setup to run at a certain time (set up by itself at installation of the opensuse rpm), say 0830. If I had the machine off during that time, it would run shortly after boot, unless it had already previously run that day. Once it ran at that later time, it would continue to run at that later time every day (again unless the machine happened to be off at that time in which case it would run at boot again).
You have just described the behavior of scripts in /etc/cron.daily/. I'd add the additional information that they are checked/run on 15 minute intervals, e.g. 8:00, 8:15, 8:30, 8:45, etc. HTH, Jeffrey
The Monday 2008-06-16 at 08:11 -0500, Jim Flanagan wrote:
Have a look here: "/etc/cron.daily/".
And also look at the DAILY_TIME variable in /etc/sysconfig/cron
OK, I see a file named /etc/cron.daily/suse.de-rkhunter but I see no references to a time to run. In /etc/sysconfig/cron DAILY_TIME is set at "blank" meaning defaults which is nothing.
Correct. Well, it means "I don't care when exactly it runs".
IIRC Rkhunter was setup to run at a certain time (set up by itself at installation of the opensuse rpm), say 0830. If I had the machine off during that time, it would run shortly after boot, unless it had already previously run that day. Once it ran at that later time, it would continue to run at that later time every day (again unless the machine happened to be off at that time in which case it would run at boot again).
Looking more closely at suse.de-rkhunter I see an entry where it should check /var/tmp/rkhunter-cron.XXXXX, but I don't see this file in /var/tmp/.
Don't worry.
I do see a way to make it update itself (DB I suppose, not version) by setting CRON_DB_UPDATE="yes" from the default "no". Haven't treid that yet though. One thing at a time.
Ok... the scripts that are in the "/etc/cron.daily/" are meant to run once a day, but the time of running is not important at all. Just once a day, that's all that matters. So, once it runs at a certain time, it will run the next time at about the same time. If the machine is off, then it will run soon after you power it up again.

Now, if you want those tasks to run at an approximate hour every day, you have the variable "DAILY_TIME". If the machine is not up at that time, it will wait till the next day it is powered up at that time. However, if it is never on at that time, it will wait 5 days and then run as soon as it can (you can modify that 5 days limit, to a maximum of 14).

Then you see there are other directories for scripts to run hourly, weekly, and monthly. Why all this complexity? Because many machines are not up 24/7, and the system has to work for a variety of situations. If your machine is up 24/7, simply choose a time and write it to DAILY_TIME.

-- Cheers, Carlos E. R.
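The once-a-day behaviour Carlos describes, including the DAILY_TIME preference and the catch-up after several missed days, can be modelled in a few lines. This is an added example written for this page, not openSUSE's run-crons script and not anything from the thread. DAILY_TIME and MAX_NOT_RUN are the real variable names in /etc/sysconfig/cron; the epoch arithmetic, the UTC day boundary and the exact catch-up rule are assumptions of this model, written so you can reason about why a job such as suse.de-rkhunter drifts to boot time on a machine that is not up 24/7.

```shell
#!/bin/sh
# Added example (a model, not openSUSE's run-crons): decide whether a
# /etc/cron.daily job is due at a given moment. The 15-minute cron tick would
# call this repeatedly; here the caller passes the clock values explicitly.
# DAILY_TIME / MAX_NOT_RUN mirror /etc/sysconfig/cron; the day boundary is
# taken at UTC midnight for simplicity (an assumption of the model).

DAY=86400

# daily_due NOW LAST DAILY_TIME MAX_NOT_RUN
#   NOW, LAST   : epoch seconds (LAST = 0 if the job never ran)
#   DAILY_TIME  : "" (no preference) or "HH:MM"
#   MAX_NOT_RUN : days a missed DAILY_TIME is tolerated before running anyway
# Exit status 0 means "run the job now", 1 means "not yet".
daily_due() {
    now=$1 last=$2 dtime=$3 maxnr=${4:-5}

    if [ -z "$dtime" ]; then
        # No preferred hour: run whenever the tick finds the last run more
        # than a day old. This is why the time of day drifts to whenever the
        # machine happened to be powered on.
        [ $((now - last)) -ge $DAY ]
        return
    fi

    hh=${dtime%%:*}; mm=${dtime#*:}
    hh=${hh#0};      mm=${mm#0}        # "08" would be read as octal in $(( ))
    sched=$(( now - now % DAY + ${hh:-0} * 3600 + ${mm:-0} * 60 ))

    # Preferred hour has passed today and the job has not run since it.
    if [ "$now" -ge "$sched" ] && [ "$last" -lt "$sched" ]; then
        return 0
    fi

    # The machine was never up at DAILY_TIME for MAX_NOT_RUN days in a row:
    # give up waiting and run at the first opportunity.
    [ $((now - last)) -ge $((maxnr * DAY)) ]
}

# Human-readable probe for interactive use: prints "due" or "not yet".
describe() {
    if daily_due "$@"; then echo due; else echo "not yet"; fi
}

# Walk a day in 15-minute ticks with DAILY_TIME=08:30 and report the first
# tick at which a never-run job becomes due (expected: 08:30 UTC on day 1).
first_due_tick() {
    t=$DAY
    while [ "$t" -lt $((2 * DAY)) ]; do
        if daily_due "$t" 0 "08:30" 5; then echo "$t"; return 0; fi
        t=$((t + 900))
    done
    return 1
}
```

With DAILY_TIME empty the only state that matters is the age of the last run, which is exactly the "runs shortly after boot, then keeps that later time" pattern Jim observed; setting DAILY_TIME pins the job to a window and MAX_NOT_RUN bounds how long a laptop that is never on at that hour can go without a scan.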
participants (8)
- Carlos E. R.
- Jeffrey L. Taylor
- Jim Flanagan
- Joe Sloan
- Mark Misulich
- Michael Mientus
- Patrick Shanahan
- Togan Muftuoglu