3

I'm using rkhunter to check my system regularly. Sometimes rkhunter outputs some warnings on file changes (e.g. after an update).

rkhunter gives me the new file checksum and the old one, but is there any reference where I can check if it's the right checksum?

I found some related questions where a reference for checksums would also help:

Any ideas?

kapsiR
  • Some of these tools refer to the hashes found in the (signed) packages you install on the system. What I don't remember is whether `rkhunter` is one of them. – 0xC0000022L Jul 28 '14 at 11:34
  • No, I don't think so; `rkhunter` just checks if the files differ from the last check. You also have to use a switch to manually say "it's ok now" (`--propupd`). – kapsiR Jul 29 '14 at 11:37

1 Answer

0

`debsums` can check package files against a checksum manifest if one was shipped with the package. But as the manifest is on the same system, it is not a valid source in case you get hacked. Tripwire or aide would be better, if you store the databases somewhere that wouldn't easily get hacked in the same attack.

ptman
  • Can you tell me where these manifest files are stored, so I can manually check them too? – kapsiR Jul 29 '14 at 11:38
  • `man debsums` says: "Verify installed Debian package files against MD5 checksum lists from /var/lib/dpkg/info/*.md5sums" – ptman Jul 29 '14 at 13:03
  • Thanks. Sadly, I found out that the hashes in the log of `rkhunter` are SHA-1 hashes, so I can't use the manifest hashes... – kapsiR Jul 29 '14 at 13:21
  • Why do you insist on checking them by hand? Start by just running `debsums`. If you want, you can take known good .md5sums files from another machine and verify against them. The only way to be sure without having already put in place tripwire or something similar, is to install from known good installation media. – ptman Jul 29 '14 at 13:38
  • Thanks for your help. I set up a fresh install and checked it manually with 'sha1sum' - all hashes of the warnings in the 'rkhunter' logs - the next time I will write a script, maybe... – kapsiR Jul 30 '14 at 12:11
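
An added example (not code from either poster) of the kind of script the last comment mentions: instead of comparing rkhunter's SHA-1 values with MD5 manifests, it looks up each flagged path in a known-good `.md5sums` file copied from another machine, and also returns the file's SHA-1 so the result can be matched to the rkhunter log entry. The function names and the `root` parameter are assumptions; the demo runs on constructed files in a temporary directory.

```python
import hashlib
import pathlib
import tempfile

def parse_md5sums(text):
    """Parse dpkg .md5sums lines: '<md5hex>  <path relative to />'."""
    known = {}
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep and len(digest) == 32:
            known["/" + rel] = digest.lower()
    return known

def digests(path):
    """Return (md5, sha1) of a file, reading it once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify(paths, manifest_text, root="/"):
    """Map each flagged path to (status, sha1) using a trusted manifest."""
    known = parse_md5sums(manifest_text)
    results = {}
    for p in paths:
        on_disk = pathlib.Path(root, p.lstrip("/"))
        if p not in known:
            results[p] = ("NOT-IN-MANIFEST", None)  # e.g. config or local file
        elif not on_disk.is_file():
            results[p] = ("MISSING", None)
        else:
            md5, sha1 = digests(on_disk)
            results[p] = ("OK" if md5 == known[p] else "MISMATCH", sha1)
    return results

def demo():
    """Constructed sample: a temp dir stands in for /, with one altered file."""
    want = hashlib.md5(b"original\n").hexdigest()
    manifest = "".join("%s  usr/bin/%s\n" % (want, n) for n in ("good", "bad", "gone"))
    with tempfile.TemporaryDirectory() as root:
        pathlib.Path(root, "usr/bin").mkdir(parents=True)
        for name, data in (("good", b"original\n"), ("bad", b"tampered\n")):
            pathlib.Path(root, "usr/bin", name).write_bytes(data)
        return verify(["/usr/bin/" + n for n in ("good", "bad", "gone", "other")], manifest, root)

if __name__ == "__main__":
    for path, (status, sha1) in demo().items():
        print("%-15s %s %s" % (status, path, sha1 or "-"))
```

The manifest passed to `verify` should be read from media or a host that was not exposed to the same compromise, for the reason given in the answer.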