rkhunter on Etch



Dear Debian users and rkhunter maintainers for Etch,

I've been trying to set up rkhunter on my Debian Etch VPS, and I've
run into a few problems. (In case it's significant, this VPS is
virtualised via OpenVZ; I have root access to the VPS but not the
underlying system.)

The first problem is this. When I run rkhunter -c, after performing
the 'known bad' checks, rkhunter gives the message, "Performing 'known
good' check... Info: Check skipped - no hashes available".

Now, my understanding (from reading rkhunter documentation on the web,
and mailing list posts) is that the solution to this problem is to run
a script called hashupd.sh, which is made available by the rkhunter
developers. However, it turns out that hashupd.sh is not included with
the rkhunter package in Etch. Nor does it have its own package. Nor is
it any longer available on rkhunter's SourceForge download page,
because the latest version of rkhunter (1.3.2) does not require it.
Yet the version of rkhunter available in Etch is 1.2.9, which does
require it.

So in order to solve the first problem ('known good' check being
skipped), I have to solve a second, harder problem, which is: how do I
provide hashes to rkhunter on my server?

I can think of four solutions to this, three of which (starred below)
should not be required, IMHO, for users of a widely adopted, widely
recommended package for a stable OS release. They are:

(1*) Use the version of hashupd.sh at
http://rkhunter.cvs.sourceforge.net/rkhunter/hashupd/ . I'm a little
nervous about doing this, as it's not the same age as rkhunter 1.2.9
and may not be totally compatible. Rootkit detection isn't to be
trifled with, so I'd rather not take the risk without assurances from
Debian's rkhunter maintainer that this version of hashupd.sh is okay
for use with 1.2.9. (NB. I've asked the rkhunter-users list if I can
ask for support there for 1.2.9; the answer was: no. See email below.)
Micah, Julien, is this version of hashupd.sh okay for use with
rkhunter 1.2.9?
(2*) Use the package from Lenny instead. I'm loath to do this. It
feels like a slippery slope. I really want to run a pure Debian Stable
system if at all possible. But if consensus among users/maintainers is
that using the package from Lenny is the best solution to problem 2,
I'll be willing to try it.
(3*) Forego the Debian packages altogether; just download the source
and build it myself. Well, it's certainly possible. But that would
kind of defeat the main reason I chose to run Debian: easy and fast
package management and upgrades; minimal compiling necessary.
(4) Request the Debian Etch rkhunter maintainers to upgrade rkhunter
in Etch to version 1.3.2. If successful, this would undoubtedly be the
best solution. Dear Micah and Julien, how about it? Sysadmins will
love you even more than they do already! :)

Looking forward to your replies,

Sam

---------- Forwarded message ----------
From: Nils Breunese (Lemonbit) <nils@lemonbit.com>
Date: 2008/8/25
Subject: Re: [Rkhunter-users] Welcome to the "Rkhunter-users" mailing list
To: rkhunter-users@lists.sourceforge.net

Sam Kuper wrote:
> Q1) The advice page for this mailing list states, "If you are not
> running the latest version: please check the website for the latest
> version and upgrade first." I use Debian 4 (Etch), which is the
> latest stable Debian release. Like most users of Debian stable, I
> upgrade by using "apt-get update; apt-get upgrade". Doing this gives
> me rkhunter 1.2.9, whereas running "rkhunter --versioncheck" reveals
> that the latest release of rkhunter is 1.3.2. I do not want to use
> "testing" Debian packages on my server, as I am concerned about
> stability. Yet rkhunter 1.2.9 is giving me some problems. My
> question is, then: can I expect support from this mailing list for
> rkhunter 1.2.9 or must I look elsewhere?

rkhunter 1.2.9 is not supported anymore. Contact Debian's package
maintainer if you have problems with this old version.

> Q2) The advice page for this mailing list states, "Hashupd is on our
> download page. Please see the FAQ for details." Actually, it isn't,
> and yes, I have checked the online FAQ for an up-to-date link to the
> download page, in case I was looking in the wrong place. So, please
> could you tell me where I can obtain Hashupd?

hashupd was a script for rkhunter 1.2.9. The rkhunter 1.2.9 files are
no longer available on the project page, so that's probably why
hashupd is also no longer there. The FAQ should be updated, yes.

