
Re: rkhunter warning meaning



On Tue, Nov 05, 2013 at 03:12:38PM +0100, François Patte wrote:
> Hello,
> 
> I have some warnings from rkhunter:
> 
> 
> Warning: The file properties have changed:

Properties of the file have changed. In other words, not only has the file
itself changed, but information about the file has changed.

>          File: /usr/sbin/rsyslogd

This is the file whose information has changed and to which the
following lines relate.

>          Current hash: 99fd3e8be4e7b9f553d52f6837eef50ebcebadc8
>          Stored hash : 2acece0875f8c6156c1f05df71e8c83c91dea2d0

A "hash" is a mathematical summary of the contents of a file. Hash
functions are typically chosen so that even a one bit change in a file
produces a significant change in the hash. It's not possible to
determine, from the hash itself, what the change was or how big it was,
but it is clearly possible to tell that the contents of the file have
changed.

The "Current hash" shows what the hash is for the file as it currently
resides on the disk. The "Stored hash" shows the hash of the file as it
was when you last updated rkhunter's database.

>          Current inode: 523303    Stored inode: 523309

An inode is the entry in a filesystem where the properties of a file
(that is, everything EXCEPT the contents of the file and the file's
name(s)) are stored: the size of the file, where the contents of the
file are on disk, the permissions and so on. As before, "Current" tells
you which inode is associated with "/usr/sbin/rsyslogd" now, and
"Stored" shows you which one it was when rkhunter updated its database.

A change of inode MAY be caused by deletion and recreation of the file,
but it's possible there are other causes.

>          Current size: 522304    Stored size: 522400

A file has a size. This has changed.

>          Current file modification time: 1378296534 (04-sept.-2013 14:08:54)
>          Stored file modification time : 1374534377 (23-juil.-2013 01:06:17)

This shows you when the file was last modified. This is PROBABLY
associated with the above changes, but there is no real guarantee of
that.

(Interestingly, I notice here that SOME of this information has been
translated into your locale (French?), but not all of it. That's
probably a bug :)

> W
> 
> 
> What do they mean?
> 
> Thank you.
> -- 
> François Patte
> UFR de mathématiques et informatique
> Laboratoire CNRS MAP5, UMR 8145
> Université Paris Descartes
> 45, rue des Saints Pères
> F-75270 Paris Cedex 06
> Tel. +33 (0)1 8394 5849
> http://www.math-info.univ-paris5.fr/~patte
> 


Attachment: signature.asc
Description: Digital signature
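The reply above walks through the four properties rkhunter compares (content hash, inode, size, mtime) and notes that a new inode usually means the file was deleted and recreated, while an in-place edit keeps it. The script below is an added example that is not part of this thread and not rkhunter's own code: it takes a baseline of those four properties for a scratch file, then plays out both scenarios (a package-style reinstall via write-new-and-rename, and a one-bit in-place edit) and prints a report in the layout of the quoted warning. It assumes SHA-1 for the hash (rkhunter's hash function is configurable; the 40-hex-digit values in the warning merely match SHA-1's length), and the file contents and timestamps are constructed, not a real rsyslogd.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Property names in the order rkhunter prints them in the warning quoted above.
PROPERTIES = ("hash", "inode", "size", "mtime")


def file_properties(path):
    """Collect the four properties rkhunter compares for one file.

    The hash is a SHA-1 digest of the contents (an assumption: rkhunter's
    hash function is configurable). inode, size and mtime come from stat(2):
    they describe the file, not its contents.
    """
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {
        "hash": digest.hexdigest(),
        "inode": st.st_ino,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def changed_properties(stored, current):
    """Names of the properties that differ between the stored baseline and
    the current state, in rkhunter's reporting order."""
    return [p for p in PROPERTIES if stored[p] != current[p]]


def _fmt(prop, value):
    # Show mtime the way the warning does: epoch seconds plus a readable date.
    if prop == "mtime":
        when = datetime.fromtimestamp(value, timezone.utc)
        return "%d (%s)" % (value, when.strftime("%Y-%m-%d %H:%M:%S UTC"))
    return str(value)


def format_warning(path, stored, current):
    """Render a report in the layout of the rkhunter warning."""
    changed = changed_properties(stored, current)
    if not changed:
        return "OK: %s unchanged" % path
    lines = ["Warning: The file properties have changed:",
             "         File: %s" % path]
    for p in changed:
        lines.append("         Current %s: %s    Stored %s: %s"
                     % (p, _fmt(p, current[p]), p, _fmt(p, stored[p])))
    return "\n".join(lines)


def _baseline():
    # Constructed stand-in for /usr/sbin/rsyslogd: a scratch file, not a binary.
    d = tempfile.mkdtemp()
    path = os.path.join(d, "rsyslogd")
    with open(path, "wb") as f:
        f.write(b"\x7fELF old binary " * 16)
    return path, file_properties(path)


def demo_reinstall():
    """Replace the file the way a package upgrade does: write a new file
    beside the old one and rename it over the top. The directory entry then
    points at a different inode, and contents, size and mtime change too."""
    path, stored = _baseline()
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(b"\x7fELF new binary, somewhat longer " * 16)
    later = stored["mtime"] + 3600          # constructed: an hour after baseline
    os.utime(tmp, (later, later))
    os.rename(tmp, path)
    current = file_properties(path)
    print(format_warning(path, stored, current))
    return changed_properties(stored, current)


def demo_in_place():
    """Flip one bit inside the existing file. The inode and size are kept,
    but the hash moves completely and the write updates mtime."""
    path, stored = _baseline()
    with open(path, "r+b") as f:
        f.seek(4)
        b = f.read(1)[0]
        f.seek(4)
        f.write(bytes([b ^ 0x01]))
    later = stored["mtime"] + 3600          # pin mtime so the run is deterministic
    os.utime(path, (later, later))
    current = file_properties(path)
    print(format_warning(path, stored, current))
    return changed_properties(stored, current)


if __name__ == "__main__":
    demo_reinstall()
    demo_in_place()
```

The reinstall scenario reports all four properties changed, matching the pattern in the quoted warning; the in-place edit reports only hash and mtime, which is the distinction the reply draws when it says a changed inode suggests deletion and recreation. Whichever pattern you see, the report only tells you that something changed, not whether the change was legitimate; that question still has to be answered from package and update records.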