Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Opinions on checks before running rkhunter --propupd
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Mon Nov 04, 2013 12:55 am    Post subject: Opinions on checks before running rkhunter --propupd Reply with quote

I'm running Gentoo on a desktop system. I have been using rkhunter to check for rootkits.
At some point in the past I ran rkhunter --propupd which stored a hash of various files at the time, typically used by rkhunter plus others.

After quite a few updates it's got to the point where I have lots of warnings about hash values not matching.

I want to ensure the files are good before I run rkhunter --propupd again.

So my questions:-
1. what do others do before they run rkhunter --propupd to check the system is clean.
2. what would be the best method to ensure the system is clean before an rkhunter --propupd.

I use Arch as well, so what I do with that is download and extract files and compare hash values (every so often - also probably left too long :roll: ).
I was thinking about doing something similar with Gentoo but in order to do that I need to trust a whole tool chain, and compile quite a few packages.

My thoughts at the moment are:-
Option A - ignore hash values for files (or remove hash values - an effectively don't use the feature).
This does not feel like the right thing to do ... it's obviously been considered important enough to code! Having said that ... it's my current default :oops:

Option B - run rkhunter immediately before and after updates, followed by rkhunter --propupd provided no other issues identiified (other than hash values mis-match).
This is something I could add to system update scripts (so I don't forget to do it!) and reduces exposure time to system updates. This would be an improvement on option A, and one I'm seriously considering.

Option C - compare file update times with emerge log and only update if all match.
This is more work than option A and B and is unlikely to detect a toolchain problem. Which may or may not be a major issue. I prefer option B over option C unless someone can point out a good reason.

Option D - periodically download and emerge sufficient to emerge files to compare hash values with live system.
This could either be done around the same time as system updates in a vm or similar, or once every few months to media which otherwise is not exposed to the net. This probably involves the greatest time and effort at least to initially setup.

I'm after peoples opinion/advice on this, option B is looking favourite at the moment ... I don't want to fit my tin-foil hat too tight :)
Back to top
View user's profile Send private message
chaseguard
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2004
Posts: 140

PostPosted: Tue Nov 05, 2013 9:46 pm    Post subject: Reply with quote

I usually run the propupd option after updates that impact the system set since that is mostly what rkhunter is looking at. If you know things are clean, I supposed running propupd after every emerge is OK and then let cron run the actual rkhunter check. By your options I would guess that might be sort of "B." Personnally, I do not like spending time on these type of things -- especially when it would be so involved as options "C" or "D."

I run rkhunter and chkrootkit. If you really want to track file security there are programs just for that (samhain, tripwire, ...).
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Thu Nov 07, 2013 9:20 pm    Post subject: Reply with quote

chaseguard wrote:
I run rkhunter and chkrootkit. If you really want to track file security there are programs just for that (samhain, tripwire, ...).

OK thanks, I'll keep them in mind for future use 8) I think having a reasonable arrangement for running rkhunter is something I could do with sorting first.
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Mon Nov 18, 2013 1:31 am    Post subject: Reply with quote

I'm still using rkhunter for the moment, I have written a script to help me a bit with rkhunter information which I'll be calling from a system update script (with the intent to resolves issues before update ... at least I'm starting with that intent :roll: ).
check-for-rootkits.sh
Code:
#!/bin/bash
### rkhunter use script - use scan, investigate, update, help options
### =================================================================
### rkhunter user must have sudo rights for

###### add the sudo parts in here
# /usr/sbin/rkhunter --update
# /usr/sbin/rkhunter -c
# /bin/cat /var/log/rkhunter.log
# /usr/bin/equery
# /usr/sbin/chkrootkit
#
### rkhunter user
rkhunter_user=jonathan

echo This shell script $0 is used to scan the system for rootkits using rkhunter
echo


if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then

# hit Enter too early or forgot to add option
        echo Script file  $0 help information
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
        echo
        echo This script is used for rkhunter scan and update options for user $rkhunter_user
        echo
        echo use $0 scan '              use rkhunter to scan system for updated files'
        echo use $0  '                          to display this help'
        echo use $0 investigate           '               to produce list of packages to check etc ... only part developed ;-)'
        echo use $0 update           '               to update the rkhunter file database - updates stored file hash values'
        echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then

# do for cases requiring scan using rkhunter

   echo 'First we need to check for rkhunter updates - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for rkhunter updates using sudo rkhunter --update ...'
   sudo rkhunter --update
   echo 'next check for rootkits - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for rootkits using sudo rkhunter -c ...'
   sudo rkhunter -c
   echo 'You should now review the rkhunter log file - press enter to continue or Ctrl-c to abort'
   read
   sudo cat /var/log/rkhunter.log | less
   echo 'next check for rootkits using chkrootkit - press enter to continue or Ctrl-c to abort'
   read
   sudo chkrootkit



        if [ "$1" = "update" ]
        then
                echo 'If you are sure the file updates are genuine (package or you) then update the rkhunter stored file hash information- Press Enter to continue OR Ctrl-c to abandon'
                read
                echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
                read
                ### ok you had 2 chances to abort - lets update
                echo
                echo 'Running sudo rkhunter --propupd ...'
                sudo rkhunter --propupd
        fi

fi

if [ "$1" = "investigate" ]
        then
        echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
        read
   echo 'extracting information from rkhunter.log - searching for packages which own files - check md5sum values for files owned by packages ...'
        ### put investigative stuff in here
   #echo This shell script $0 'extracts change file information from rkhunter log file, gets package files belong to, and displays results of package check'
   ### extract info from rkhunter log below single # added to each line

   ### this code does it without intermediate files
   ### sudo equery check (  equery belongs  [ sudo cat rkhunter.log | grep line with current hash + previous line | filename ] | sort | uniq | tee rkhunter_packages_to_check_list )

   sudo equery check $(\
                           equery -q -C b $(\
                                                   sudo cat /var/log/rkhunter.log | grep -B 1 'Current hash' | grep File | awk '{ print $3 }'\
                                           ) | sort | uniq | tee rkhunter_packages_to_check_list \
   )
   #1> rkhunter_package_check_results 2> rkhunter_package_check_results_errors


   ### whereas the code below - remove single # from each line below uses intermediate files which can be reviewed after ;-)
   #### using separate files
   #sudo cat /var/log/rkhunter.log > rkhunter.log.copy
   #cat rkhunter.log.copy | grep -B 1 'Current hash' | grep File | awk '{ print $3 }' | tee rkhunter_files_to_check_list
   #echo packages to be checked listed below
   #qfile -q -C b $(cat rkhunter_files_to_check_list) | sort | uniq | tee rkhunter_packages_to_check_list
   #sudo equery check $(cat rkhunter_packages_to_check_list)

   #### 'to run in loop - not actually needed !'
   ##exec<rkhunter_packages_to_check_list
   ##while read line
   ##      do
   ##              sudo equery check $line;
   ##      done

fi
### end of rkhunter script


Using investitation option of the above I had a few things flagged up ... comments added below
Code:
### OK
* Checking app-forensics/rkhunter-1.4.0 ...
!!! /var/lib/rkhunter/db/mirrors.dat has incorrect MD5sum
   39 out of 40 files passed

### OK
* Checking sys-apps/man-1.6g ...
!!! /usr/share/man/nl/man8 does not exist
   251 out of 252 files passed


### OK
* Checking sys-apps/sysvinit-2.88-r4 ...
!!! /etc/inittab has incorrect MD5sum
   55 out of 56 files passed

* Checking sys-apps/tcp-wrappers-7.6-r8 ...
!!! /lib/libwrap.so.0.7.6 has incorrect MD5sum
!!! /usr/sbin/tcpdchk has incorrect MD5sum
!!! /usr/sbin/try-from has incorrect MD5sum
!!! /usr/sbin/tcpd has incorrect MD5sum
!!! /usr/sbin/safe_finger has incorrect MD5sum
!!! /usr/sbin/tcpdmatch has incorrect MD5sum
   32 out of 38 files passed

* Checking sys-apps/which-2.20 ...
!!! /usr/bin/which has incorrect MD5sum
   15 out of 16 files passed

* Checking sys-devel/prelink-20110511 ...
!!! /etc/prelink.conf has incorrect MD5sum
!!! /var/lib/misc/prelink.force has wrong mtime (is 1325457199, should be 1325457193)
!!! /etc/conf.d/prelink has wrong mtime (is 1346513705, should be 1325457193)
   25 out of 28 files passed

### OK
* Checking sys-libs/glibc-2.15-r3 ...
!!! /etc/locale.gen has incorrect MD5sum
   1415 out of 1416 files passed


I can understand mismatch of info for all but sys-apps/tcp-wrappers sys-apps/which sys-devel/prelink. Having done a one-shot emerge of the three packages wrappers and which are OK but prelink still has similar issues :(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I have also installed tripwire and I have written a script to help me which again I'm going to be calling from system updates script. Script tripwire-check.sh below
Code:
#!/bin/bash
### Tripwire use script - use scan, investigate, update, help options
### =================================================================
### tripwire user must have sudo rights for
### /usr/sbin/tripwire
### /opt/tripwire/mktwpol.sh
#
### tripwire user
tripwire_user=jonathan


echo This shell script $0 is used to scan the system for updated files using tripwire
echo


if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then

# hit Enter too early or forgot to add option
        echo Script file  $0 help information
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
        echo
        echo This script is used for tripwire scan and update options for user $tripwire_user
        echo
        echo use $0 scan '              use tripwire to scan system for updated files'
        echo use $0  '                          to display this help'
        echo use $0 investigate           '               to produce list of packages to check etc ... only part developed ;-)'
        echo use $0 update           '               to update the tripwire file database - update policy and stored file hash values'
        echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then

# do for cases requiring scan using tripwire

        echo The script allows tripwire scan and update options by user $tripwire_user
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
   echo
   echo 'First we run a scan on the system for updated files - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for file updates using sudo tripwire --check > tripwire-latest.txt ...'
   sudo tripwire --check > tripwire-latest.txt
   echo 'next review the scan results - press enter to continue or Ctrl-c to abort'
   read
   less tripwire-latest.txt


        if [ "$1" = "update" ]
        then
                echo 'If you are sure the file updates are genuine (package or you) then update the tripwire policy and stored file hash information- Press Enter to continue OR Ctrl-c to abandon'
                read
                echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
                read
      ### ok you had 2 chances to abort - lets update
                echo
                echo 'Running sudo /opt/tripwire/mktwpol.sh -u ...'
      sudo /opt/tripwire/mktwpol.sh -u
        fi

fi

if [ "$1" = "investigate" ]
   then
        echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
        read

   ### put investigative stuff in here

   # get a list of files identified
   cat tripwire-latest.txt | grep '"/' | tr -d '"'  > tripwire-latest-copy2.txt
   echo files identified as changed $(cat tripwire-latest-copy2.txt)
   echo running qfile to find owning packages ...
   qfile b $(cat tripwire-latest-copy2.txt)
   echo 'Identified files in tripwire-latest-copy2.txt ... thats as far as the automatic stuff goes ;-)'
   #echo files and process which have been identified as changed by tripwire below
   #cat tripwire-latest-copy2.txt
   #echo which belong to packages below
   #cat tripwire-latest-copy.txt
fi
### end of tripwire script


I'm still considering whether to do a fresh install and install tripwire as the first package ... which I may do - but for now I think I'll get used to using rkhunter and tripwire and sort out what works best for me in terms of system updates.

... if you spot errors or know a better way of doing this then please let me know 8)
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Sat Nov 23, 2013 11:22 pm    Post subject: Reply with quote

I did a fresh install on a separate partition. I installed tripwire before a system update. I got a few odd results after the system update and installing vim, sudo and a few other packages ...
Code:
1 /etc/sudoers has incorrect MD5sum
2 /usr/share/vim/vim73/doc/tags has incorrect MD5sum
3 /var/lib/rkhunter/db/mirrors.dat has incorrect MD5sum
4 /run/cups does not exist
5 /run/cups/certs does not exist
6 /usr/libexec/cups/filter/foomatic-gswrapper does not exist
7 /var/run/dbus does not exist
8 /etc/conf.d/keymaps has incorrect MD5sum
9 /var/run/ConsoleKit does not exist
10 /etc/env.d/gcc/i686-pc-linux-gnu-4.7.3 has incorrect MD5sum
11 /etc/locale.gen has incorrect MD5sum
12 No installed packages matching 'tripwire_investigation_results'


1 I updated to add some entries for my admin user
2 the file is owned by vim-core but is updated by vim when it's installed, adding gentoo defaults information in various locations in the file
3 is updated with version information when rkhunter --update is run
4 - 7,9 I'll have to investigate a bit further why they have been removed
11 I updated, 12 I created.
10 I'll investigate a bit further ... probably something similar to 2 going on :roll: ... equery and qfile are OK for identifying package that a file belongs to but don't help with the second example above ... wonder if eix will help with this?

My tripwire script I updated a bit to automate some of the investigation since the system update involves 140 packages ...

Code:
#!/bin/bash

### Tripwire use script - use scan, investigate, update, help options
### =================================================================
### tripwire user must have sudo rights for
### /usr/sbin/tripwire
### /opt/tripwire/mktwpol.sh
### and for investigation also needs sudo for equery
#
### tripwire user
tripwire_user=jonathan

# 'files created by this script are:-'
# '   tripwire-latest.txt which contains the output for the last scan'
# '   tripwire-latest-error.txt which contains the error output for the last scan'
# 'see investigation section for files created for that option - it's likely to be a bit more dynamic'

echo This shell script $0 is used to scan the system for updated files using tripwire
echo


if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then

# hit Enter too early or forgot to add option
        echo Script file  $0 help information
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
        echo
        echo This script is used for tripwire scan and update options for user $tripwire_user
        echo
        echo use $0 scan '              use tripwire to scan system for updated files'
        echo use $0  '                          to display this help'
        echo use $0 investigate           '               to produce list of packages to check etc ... only part developed ;-)'
        echo use $0 update           '               to update the tripwire file database - update policy and stored file hash values'
        echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then

# do for cases requiring scan using tripwire

        echo The script allows tripwire scan and update options by user $tripwire_user
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
   echo
   echo 'First we run a scan on the system for updated files - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for file updates using sudo tripwire --check 1> tripwire-latest.txt 2>tripwire-latest-error.txt ...'
   sudo tripwire --check 1> tripwire-latest.txt 2> tripwire-latest-error.txt
   echo 'next review the scan results - press enter to continue or Ctrl-c to abort'
   read
   less tripwire-latest.txt
   less tripwire-latest-error.txt


        if [ "$1" = "update" ]
        then
                echo 'If you are sure the file updates are genuine (package or you) then update the tripwire policy and stored file hash information- Press Enter to continue OR Ctrl-c to abandon'
                read
                echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
                read
      ### ok you had 2 chances to abort - lets update
                echo
                echo 'Running sudo /opt/tripwire/mktwpol.sh -u ...'
      sudo /opt/tripwire/mktwpol.sh -u
        fi

fi

if [ "$1" = "investigate" ]
   then
        echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
        read

   ### put investigative stuff in here

   ### 'files created and contents - they all start tripwire_ so should be able to remove them with rm tripwire_*'
   # tripwire_files_to_check_full_list.txt list of files to investigate - extracted from tripwire-latest.txt log
   # tripwire_files_to_check_failed_package_checks.txt - list of files for which errors produced
   # tripwire_files_to_check_no_package_owner.txt - list of files with no package owner (eg did not check OK for a package)
   # tripwire_files_to_check_owned_by_package.txt - list of files which are owned by a package

        ### sudo equery check (  equery belongs  [ cat tripwire-latest.txt | grep line with "/ | remove "  | tee tripwire_packages_to_check_full_list ] | sort | uniq )

   echo 'extracting files from tripwire-latest.txt, using equery to determine file owning package and checking package (it may take a while) ...'
        sudo equery -N -C check $(\
                                equery -q -C b $(\
                                                        cat tripwire-latest.txt | grep '"/' | tr -d '"' | tee tripwire_files_to_check_full_list.txt \
                                                ) | sort | uniq  \
        ) 1> /dev/null 2> tripwire_files_to_check_failed_package_checks.txt

   # and now we capture files which dont belong to a package ...

   qfile b $( cat tripwire_files_to_check_full_list.txt | sort | uniq ) | awk '{ print $2 }' | tr -d '(' | tr -d ')' | sort | uniq > tripwire_files_to_check_owned_by_package.txt

   # now lets list the differences
   sort tripwire_files_to_check_full_list.txt tripwire_files_to_check_owned_by_package.txt | uniq -u > tripwire_files_to_check_no_package_owner.txt

   echo
        echo 'Now you should investigate tripwire_files_to_check_no_package_owner.txt and tripwire_files_to_check_failed_package_checks.txt and check files are genuine update/modified by you/other authorised users !'
        echo 'using less for these files - Press Enter to continue OR Ctrl-c to abandon'
        read
        less tripwire_files_to_check_no_package_owner.txt
        less tripwire_files_to_check_failed_package_checks.txt


   ### message at end of investigation run ...
   echo
   echo 'List of files to check is in tripwire_files_to_check_no_package_owner.txt (no package owns the files) and tripwire_files_to_check_failed_package_checks.txt (file does not match package for some reason eg MD5sum)'
   echo 'The full list of files is in tripwire_files_to_check_sorted_list.txt'

#   ### uncomment to check number of package check fails
#   sudo equery  check -o $(\
#                                equery -q -C b $(\
#                                                        cat tripwire-latest.txt | grep '"/' | tr -d '"' | tee tripwire_files_to_check_full_list.txt \
#                                                ) | sort | uniq  \
#        ) | grep failed

fi
### end of tripwire script


Ed: updated tripwire script above and rkhunter script below to so I check files which are not owned by any package :roll:
Code:

#!/bin/bash

### rkhunter use script - use scan, investigate, update, help options
### =================================================================
### rkhunter user must have sudo rights for

###### add the sudo parts in here ~~~~~~~~
# /usr/sbin/rkhunter --update
# /usr/sbin/rkhunter -c
# /usr/sbin/rkhunter --propupd
# /bin/cat /var/log/rkhunter.log
# /usr/bin/equery
# /usr/sbin/chkrootkit
#
### rkhunter user
rkhunter_user=jonathan

echo This shell script $0 is used to scan the system for rootkits using rkhunter
echo


if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then

# hit Enter too early or forgot to add option
        echo Script file  $0 help information
        echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
        echo
        echo This script is used for rkhunter scan and update options for user $rkhunter_user
        echo
        echo use $0 scan '              use rkhunter to scan system for updated files'
        echo use $0  '                          to display this help'
        echo use $0 investigate           '               to produce list of packages to check etc ... only part developed ;-)'
        echo use $0 update           '               to update the rkhunter file database - updates stored file hash values'
        echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then

# do for cases requiring scan using rkhunter

   echo 'First we need to check for rkhunter updates - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for rkhunter updates using sudo rkhunter --update ...'
   sudo rkhunter --update
   echo 'next check for rootkits - press enter to continue or Ctrl-c to abort'
   read
   echo 'checking for rootkits using sudo rkhunter -c ...'
   sudo rkhunter -c
   echo 'You should now review the rkhunter log file - press enter to continue or Ctrl-c to abort'
   read
   sudo cat /var/log/rkhunter.log | less
   echo 'next check for rootkits using chkrootkit - press enter to continue or Ctrl-c to abort'
   read
   sudo chkrootkit



        if [ "$1" = "update" ]
        then
                echo 'If you are sure the file updates are genuine (package or you) then update the rkhunter stored file hash information- Press Enter to continue OR Ctrl-c to abandon'
                read
                echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
                read
                ### ok you had 2 chances to abort - lets update
                echo
                echo 'Running sudo rkhunter --propupd ...'
                sudo rkhunter --propupd
        fi

fi

if [ "$1" = "investigate" ]
        then
        echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
        read

        ### put investigative stuff in here

   ### 'files created and contents - they all start rkhunter_ so should be able to remove them with rm rkhunter_*'
   # rkhunter_files_to_check_full_list.txt list of files to investigate - extracted from rkhunter.log
   # rkhunter_files_to_check_failed_package_checks.txt - list of files for which errors produced
        # rkhunter_files_to_check_no_package_owner.txt - list of files with no package owner (eg did not check OK for a package)
        # rkhunter_files_to_check_owned_by_package.txt - list of files which are owned by a package
 
   echo 'extracting files from rkhunter.log, using equery to determine file owning package and checking package (it can take a while) ...'

   ### sudo equery check (  equery belongs  [ sudo cat rkhunter.log | grep line with current hash + previous line | filename | tee rkhunter_packages_to_check_list ] | sort | uniq )

   sudo equery -N -C check $(\
                           equery -q -C b $(\
                                                   sudo cat /var/log/rkhunter.log | grep -B 1 'Current hash' | grep File | awk '{ print $3 }' | tee rkhunter_files_to_check_full_list.txt \
                                           ) | sort | uniq  \
   ) 1> /dev/null 2> rkhunter_files_to_check_failed_package_checks.txt

   # and now we capture files which dont belong to a package ...

        qfile b $( cat rkhunter_files_to_check_full_list.txt | sort | uniq ) | awk '{ print $2 }' | tr -d '(' | tr -d ')' | sort | uniq > rkhunter_files_to_check_owned_by_package.txt

        # now lets list the differences
        sort rkhunter_files_to_check_full_list.txt rkhunter_files_to_check_owned_by_package.txt | uniq -u > rkhunter_files_to_check_no_package_owner.txt

   echo
   echo 'Now you should investigate rkhunter_files_to_check_no_package_owner.txt and rkhunter_files_to_check_failed_package_checks.txt and check files are genuine update/modified by you/other authorised users !'
   echo 'using less for these files - Press Enter to continue OR Ctrl-c to abandon'
   read
   less rkhunter_files_to_check_no_package_owner.txt
   less rkhunter_files_to_check_failed_package_checks.txt

        ### message at end of investigation run ...
   echo
        echo 'List of files to check is in rkhunter_files_to_check_no_package_owner.txt (no package owns the files) and rkhunter_files_to_check_failed_package_checks.txt (file does not match package for some reason eg MD5sum)'
        echo 'The full list of files is in rkhunter_files_to_check_full_list.txt'

fi
### end of rkhunter script
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Sat Nov 30, 2013 4:49 pm    Post subject: Reply with quote

If I have two gentoo installs that I sync on the same day (within a few minutes of each other) and I do an
emerge -e world should files on the two systems have the same md5sum values?
If the md5sum values do not match has one of the systems been compromised (using identical /etc information) ...
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3509

PostPosted: Sun Dec 01, 2013 11:59 am    Post subject: Reply with quote

jonathan183 wrote:
If I have two gentoo installs that I sync on the same day (within a few minutes of each other) and I do an
emerge -e world should files on the two systems have the same md5sum values?
If the md5sum values do not match has one of the systems been compromised (using identical /etc information) ...


Do they have the same USE flags and CFLAGS, @system, @world, and amount of RAM as well? (-march=native doesn't count) There are so many ways to make binaries different I'd start with md5sums as an experiment first.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Mon Dec 02, 2013 9:38 pm    Post subject: Reply with quote

depontius wrote:
Do they have the same USE flags and CFLAGS, @system, @world, and amount of RAM as well? (-march=native doesn't count) There are so many ways to make binaries different I'd start with md5sums as an experiment first.
It's the same PC, @world will be different because I only setup basic packages - no X etc. The same use flags, same make.conf etc. What I'm trying to do is work out if the original install is compromised by comparison against a fresh install, I was hoping a comparison of md5sum for things that exist on the new system vs the old install will help do that. If that's not really practical then I could do a fresh install and make sure I install tripwire and rkhunter before other packages ... but I'd prefer to keep the current install provided I can be reasonably confident it is not compromised.
For this particular case I could do a fresh install (and might end up doing so anyway), but I was thinking comparison of md5sums would help for any future checking exercise ... and I'd like to confirm as far as I can that the system is not compromised ... if it is I need to figure out how to avoid it in future ...
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3509

PostPosted: Tue Dec 03, 2013 12:30 am    Post subject: Reply with quote

You could also pick one package - binutils would be the obvious one, and take md5sums of all of it's pieces. Then re-emerge it, redo the md5sums, and compare. It's not comprehensive, but it's an indicator, and binutils is probably the most likely single target.

USE flags, as used by portage, can be affected by installed software as well as make.conf, /etc/portage/package.use, etc. So if the two machines don't have identical @system and @world, it is possible for the effective USE flags to be different. Hmmmm - you could also do "emerge --info" on the two machines and compare the outputs.

You could also do "emerge -ep world >turnIntoRebuildScript" and turn the output into a script that does md5sums before and after rebuild of each package, then compares. Let it run in the background, and check your system out for you. Priortize the list, even.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 318

PostPosted: Tue Dec 03, 2013 1:41 am    Post subject: Reply with quote

OK if I understand the situation correctly:-
1. I should really do a fresh install and emerge tripwire and rkhunter as one of the first packages to have tracking of files as soon as possible.
2. I can establish which package a file belongs to and check that packages files, which may work in the majority but not all instances (example vim in previous post in this thread).
3. I can do a fresh install to another partition but unless I do a full world emerge md5sum values of files which exist on the original install and fresh install may not match.

I can add rkhunter and tripwire checks to my system update script but I'll be left having to do some manual checks after some updates or cross my fingers and hope that all file updates are legitimate :? ... I think I must be either missing something or I have not configured something properly ...
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum