Atomic Secure Linux
 Post subject: hashupd.sh script for rkhunter
Unread postPosted: Wed Oct 18, 2006 12:07 pm 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I'm using ART's rkhunter package, but I just had to use the hashupd.sh script because apparently the prelinking database became out of step with the rkhunter local MD5 hash values. Could you maybe include this script in your RPM?

I found running this script was the solution in section 4.4 of the rkhunter FAQ.

_________________
Lemonbit Internet Dedicated Server Management
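The situation in this post (a stored hash set drifting from the files on disk once prelink rewrites them, fixed by regenerating the hashes) as an added example: this is not rkhunter's hashupd.sh, only a minimal baseline/verify/refresh cycle in POSIX sh using GNU md5sum, with a constructed directory of two text files standing in for binaries and an in-place rewrite standing in for prelinking.

```shell
#!/bin/sh
# Added example, not part of rkhunter or the ART package. Assumes GNU coreutils md5sum.
# Shows why a hash baseline must be regenerated after a legitimate rewrite such as
# prelinking or a package upgrade, and how to confirm the refreshed baseline is clean.

# Emit "md5  ./relative/path" for every regular file under $1, sorted for stable diffs.
hashdb_build() {
    (cd "$1" && find . -type f | sort | xargs md5sum)
}

# Check directory $1 against baseline file $2 (absolute path).
# Prints one relative path per file whose hash no longer matches.
hashdb_verify() {
    (cd "$1" && md5sum -c --quiet "$2" 2>/dev/null) | sed -n 's/: FAILED.*$//p'
}

# Stand-alone demonstration on constructed data; prints "<mismatches before> <mismatches after>".
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original binary A\n' > "$work/bin/a"   # constructed stand-in for a binary
    printf 'original binary B\n' > "$work/bin/b"
    db="$work/baseline.md5"
    hashdb_build "$work/bin" > "$db"

    # Simulate prelink (or an upgrade) rewriting one file in place: content changes,
    # so the baseline now reports a mismatch even though nothing malicious happened.
    printf 'prelinked binary A\n' > "$work/bin/a"
    before=$(hashdb_verify "$work/bin" "$db" | wc -l | tr -d ' ')

    # The hashupd step: once the change is confirmed legitimate (package manager
    # verification, known upgrade), regenerate the baseline so the next run is clean.
    hashdb_build "$work/bin" > "$db"
    after=$(hashdb_verify "$work/bin" "$db" | wc -l | tr -d ' ')

    rm -rf "$work"
    echo "$before $after"
}
```

The refresh is only safe after the change has been confirmed as legitimate by some independent source (for instance the package manager's own verification); regenerating a baseline blindly would also whitelist a tampered file, which is exactly the false-negative risk a hash checker exists to prevent.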
Unread postPosted: Thu Oct 19, 2006 3:45 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Some clarification from one of the current maintainers on the rkhunter users mailing list:

Quote:
"Hashupd is a community made and supported add-on by me and John Horne. It was only promoted on this list (slight advantage for those that kept in touch) and is now being incorporated in RKH phasing out the "old" hash system."

_________________
Lemonbit Internet Dedicated Server Management
Unread postPosted: Thu Dec 07, 2006 12:35 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Got it, hashupd and a whole redesign of the nightly reporting events are in 1.2.9-3. I've got it set now so that by default, it won't send you anything unless there's something to worry about. If you do want the nightly reports like the old version, you just modify the /etc/sysconfig/rkhunter file.
Unread postPosted: Thu Dec 07, 2006 4:02 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Thanks, great!

_________________
Lemonbit Internet Dedicated Server Management
Unread postPosted: Thu Dec 07, 2006 4:10 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I already upgraded to 1.2.9-2 on two boxes yesterday, and I noticed that upon upgrading to 1.2.9-3, /etc/sysconfig/rkhunter was overwritten, so I had to set the MAILTO again.

_________________
Lemonbit Internet Dedicated Server Management
Unread postPosted: Thu Dec 07, 2006 12:43 pm 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
OK, -5 should be hitting the archive shortly. I've corrected the config settings in /etc/sysconfig/rkhunter and /etc/rkhunter.conf, and added in a hashupd.sh event on upgrade detection. I also changed the MAILTO variable to root, instead of root@localhost. That should make it so alerts will still be sent, even if you aren't running a local MTA.
Unread postPosted: Fri Dec 08, 2006 7:28 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
So now there's a MAILTO setting in /etc/sysconfig/rkhunter and a MAIL-ON-WARNING setting in /etc/rkhunter.conf? The first one is used for sending full reports and the other for sending an e-mail when there is a warning? Do you have to set both?

_________________
Lemonbit Internet Dedicated Server Management
Unread postPosted: Fri Dec 08, 2006 10:42 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Yeah, so what I did is modify the package so the only config you should have to deal with is /etc/sysconfig/rkhunter. By default it's only going to email you if something has been detected. I see rkhunter as more of a forensics tool: if it tells you something is wrong, it's the worst case scenario and you're looking at a reinstall. Assuming it's not a false positive, that is; the hash table updates are consistently ugly and will get out of sync frequently, resulting in misfires.

The daily "everything is OK" full report is still available; I just tied it to the DIAG_SCAN setting in /etc/sysconfig/rkhunter. Change that to "yes" and you'll get that, plus the application scan (checks versions on openssh, apache, etc. High false positive rate, be advised).
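The reporting policy described in this post, as an added example that is not Atomicorp's rkhunter packaging: a small POSIX sh script that reads MAILTO and DIAG_SCAN from a constructed sysconfig-style file, counts warnings in a constructed scan log, and decides whether a run should produce a warning mail, the full diagnostic report, or nothing. The config contents, log format and the "[ Warning ]" marker are assumptions made for illustration, modelled on the settings named in the thread.

```shell
#!/bin/sh
# Added example modelling the policy described above: mail only when something was
# detected, unless DIAG_SCAN=yes requests the daily full report. Not Atomicorp's code;
# the config file and scan logs below are constructed fixtures.

# Print the value of key $2 from sysconfig-style file $1. The last definition wins
# and surrounding double quotes are stripped, as a shell source of the file would do.
sysconfig_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Count findings in scan log $1. Constructed format: a line containing "[ Warning ]"
# is one finding. grep -c prints 0 on no match but exits 1, hence the || true.
count_warnings() {
    grep -c '\[ Warning \]' "$1" || true
}

# Decide what to send. $1 = warning count, $2 = DIAG_SCAN value.
# "warning" when findings exist, "diag" when the full report was requested, else "none".
report_mode() {
    if [ "$1" -gt 0 ]; then
        echo warning
    elif [ "$2" = yes ]; then
        echo diag
    else
        echo none
    fi
}

# Full decision for config $1 and log $2: prints "<mode> <recipient>".
decide() {
    cfg=$1
    log=$2
    mode=$(report_mode "$(count_warnings "$log")" "$(sysconfig_get "$cfg" DIAG_SCAN)")
    echo "$mode $(sysconfig_get "$cfg" MAILTO)"
}

# Stand-alone demonstration on constructed fixtures; prints "<clean decision>|<dirty decision>".
demo() {
    work=$(mktemp -d)
    cat > "$work/rkhunter.sysconfig" <<'EOF'
# constructed sample modelled on /etc/sysconfig/rkhunter
MAILTO=root
DIAG_SCAN="no"
EOF
    cat > "$work/clean.log" <<'EOF'
Checking /bin/ls                                 [ OK ]
Checking /bin/ps                                 [ OK ]
EOF
    cat > "$work/dirty.log" <<'EOF'
Checking /bin/ls                                 [ OK ]
Checking /bin/ps                                 [ Warning ]
EOF
    clean=$(decide "$work/rkhunter.sysconfig" "$work/clean.log")
    dirty=$(decide "$work/rkhunter.sysconfig" "$work/dirty.log")
    rm -rf "$work"
    echo "$clean|$dirty"
}
```

With MAILTO=root and a local MTA absent, delivery depends on the mail command's aliasing for root, which is why the post prefers a bare user over root@localhost; the decision logic itself is independent of how the mail is ultimately delivered.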
Unread postPosted: Fri Dec 08, 2006 11:33 am 
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Ok, great. Thanks.

_________________
Lemonbit Internet Dedicated Server Management