Mailinglist Archive: opensuse-factory (649 mails)

Re: [opensuse-factory] Howto check installed packages with Rkhunter?
On 2017-08-29 15:02, Bruno Friedmann wrote:
> On Tuesday, 29 August 2017 14:51:45 CEST Carlos E. R. wrote:
>> On 2017-08-29 13:58, Bruno Friedmann wrote:
>>> On Tuesday, 29 August 2017 13:00:02 CEST Carlos E. R. wrote:
>>>> On 2017-08-27 23:29, Bjoern Voigt wrote:
>>>>> I use Rkhunter to check the installed packages for unallowed
>>>>>
>>>>> Unfortunately by default, Rkhunter also reports all official openSUSE
>>>>> Tumbleweed updates. E.g.
>>>>
>>>> I don't think you can use rkhunter on TW.
>>>>
>>>> Wikipedia describes what it does as:
>>>>
>>>> rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits,
>>>> backdoors and possible local exploits. It does this by comparing SHA-1
>>>> hashes of important files with known good ones in online databases,
>>>> searching for default directories (of rootkits), wrong permissions,
>>>> hidden files, suspicious strings in kernel modules, and special tests
>>>> for Linux and FreeBSD.
>>>>
>>>> The database simply cannot keep up, unless some process at the openSUSE
>>>> build system would upload new hashes at the same time the rpms are
>>>
>>> Before stating this kind of remark, could you use man rkhunter and try to
>>> understand how the software works.
>>
>> Then explain it.
>
> Not me, the authors :-)

Ah, the man page.

Which means I only read the paragraph of interest - I'm not going to read
the options, though (perhaps I would read a howto):

rkhunter is a shell script which carries out various checks on the local
system to try and detect known rootkits and malware. It also performs
checks to see if commands have been modified, if the system startup
files have been modified, and various checks on the network interfaces,
including checks for listening applications.

rkhunter has been written to be as generic as possible, and so should
run on most Linux and UNIX systems. It is provided with some support
scripts should certain commands be missing from the system, and some of
these are perl scripts. rkhunter does require certain commands to be
present for it to be able to execute. Additionally, some tests require
specific commands, but if these are not present then the test will be
skipped. rkhunter needs to be run under a Bourne-type shell, typically
bash or ksh. rkhunter can be run as a cron job or from the command-line.

I'm centering only on the part that checks modified commands. This needs
some database, and it needs to be updated simultaneously with the system. I
read elsewhere that the database is online. If wrong, then it is local.

Doing this on a TW system means that someone has to update that database
daily. Who?

Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
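Editor's note, added to the archived thread (this is a constructed illustration, not rkhunter's code and not written by anyone in the thread). The question above is who keeps the "modified commands" database current on a rolling release. rkhunter's file properties check works in two modes that the script below imitates: with PKGMGR=NONE in rkhunter.conf (the default) it compares files against its own local snapshot, /var/lib/rkhunter/db/rkhunter.dat, which only `rkhunter --propupd` refreshes; with PKGMGR=RPM it takes the expected digest for any file a package owns from the RPM database, which rpm updates in the same transaction that installs the new binary, and falls back to its own snapshot only for unpackaged files. The paths, package names, "packages" and both database formats here are made up for the demo (the real rkhunter.dat also records inode, permissions and timestamps), and everything runs in a temporary directory so it touches no real system files.

```shell
#!/bin/sh
# Constructed demo of rkhunter's file-properties check, not rkhunter's own code.
# Two databases: rkhunter's snapshot (refreshed only by --propupd) and the
# package manager's recorded digests (refreshed on every install/update).
DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT
BIN="$DEMO_ROOT/bin"               # stand-in for /usr/bin
RKH_DB="$DEMO_ROOT/rkhunter.dat"   # stand-in for /var/lib/rkhunter/db/rkhunter.dat
PKG_DB="$DEMO_ROOT/rpmdb.txt"      # stand-in for the digests rpm stores per file
mkdir -p "$BIN"

hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Simulated package install/update: writes the binary and records its digest in
# the package manager's database in the same step, as rpm does.
install_pkg() {            # install_pkg <name> <version>
  printf '#!/bin/sh\necho %s %s\n' "$1" "$2" > "$BIN/$1"
  grep -v "^$BIN/$1 " "$PKG_DB" > "$PKG_DB.tmp" 2>/dev/null || true
  printf '%s %s\n' "$BIN/$1" "$(hash_file "$BIN/$1")" >> "$PKG_DB.tmp"
  mv "$PKG_DB.tmp" "$PKG_DB"
}

# Equivalent of `rkhunter --propupd`: snapshot current hashes of all files.
propupd() {
  : > "$RKH_DB"
  for f in "$BIN"/*; do
    printf '%s %s\n' "$f" "$(hash_file "$f")" >> "$RKH_DB"
  done
}

# PKGMGR=NONE behaviour: compare only against rkhunter's own snapshot.
# Prints one line per file whose hash no longer matches the snapshot.
check_local() {
  while read -r path stored; do
    [ "$(hash_file "$path")" = "$stored" ] || echo "$path"
  done < "$RKH_DB"
}

# PKGMGR=RPM behaviour: if the package manager knows the file, trust its digest;
# use rkhunter's snapshot only for files no package owns.
check_pkgmgr() {
  while read -r path stored; do
    pkg_hash="$(grep "^$path " "$PKG_DB" | cut -d' ' -f2)"
    expected="${pkg_hash:-$stored}"
    [ "$(hash_file "$path")" = "$expected" ] || echo "$path"
  done < "$RKH_DB"
}

# Scenario: baseline once, then a legitimate update, then a tampered file.
install_pkg ls 1.0
install_pkg ps 1.0
propupd                       # admin runs --propupd once after installing

install_pkg ls 1.1            # a routine Tumbleweed update replaces ls
echo tampered >> "$BIN/ps"    # something modifies ps behind the package manager

echo "PKGMGR=NONE reports:"; check_local    # both ls (false positive) and ps
echo "PKGMGR=RPM reports:";  check_pkgmgr   # only ps
```

In snapshot-only mode every legitimate update shows up as a modified command until `--propupd` is run again, and if `--propupd` is run after a tampered file is already in place the snapshot silently adopts it (calling propupd again at the end of the script makes check_local go quiet while check_pkgmgr still flags ps). On a rolling release that means refreshing the snapshot right after every update and never at any other time, which is the scheduling problem the message raises; setting PKGMGR=RPM sidesteps it for packaged files, because rpm already holds the digest of whatever it just installed (the same data `rpm -Va` verifies against), and leaves the snapshot relevant only for files no package owns.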
