# Opinions on checks before running rkhunter --propupd

## jonathan183

I'm running Gentoo on a desktop system. I have been using rkhunter to check for rootkits.

At some point in the past I ran rkhunter --propupd which stored a hash of various files at the time, typically used by rkhunter plus others.

After quite a few updates it's got to the point where I have lots of warnings about hash values not matching.

I want to ensure the files are good before I run rkhunter --propupd again.

So my questions:-

1. what do others do before they run rkhunter --propupd to check the system is clean.

2. what would be the best method to ensure the system is clean before an rkhunter --propupd.

I use Arch as well, so what I do with that is download and extract files and compare hash values (every so often - also probably left too long   :Rolling Eyes:  ).

I was thinking about doing something similar with Gentoo but in order to do that I need to trust a whole tool chain, and compile quite a few packages.

My thoughts at the moment are:-

Option A - ignore hash values for files (or remove hash values - and effectively don't use the feature).

This does not feel like the right thing to do ... it's obviously been considered important enough to code! Having said that ... it's my current default   :Embarassed: 

Option B - run rkhunter immediately before and after updates, followed by rkhunter --propupd provided no other issues identified (other than hash value mismatch).

This is something I could add to system update scripts (so I don't forget to do it!) and reduces exposure time to system updates. This would be an improvement on option A, and one I'm seriously considering.

Option C - compare file update times with emerge log and only update if all match.

This is more work than option A and B and is unlikely to detect a toolchain problem. Which may or may not be a major issue. I prefer option B over option C unless someone can point out a good reason.

Option D - periodically download and emerge sufficient to emerge files to compare hash values with live system.

This could either be done around the same time as system updates in a vm or similar, or once every few months to media which otherwise is not exposed to the net. This probably involves the greatest time and effort at least to initially setup.

I'm after people's opinion/advice on this, option B is looking favourite at the moment ... I don't want to fit my tin-foil hat too tight   :Smile: 

----------

## chaseguard

I usually run the propupd option after updates that impact the system set since that is mostly what rkhunter is looking at.  If you know things are clean, I suppose running propupd after every emerge is OK and then let cron run the actual rkhunter check.  By your options I would guess that might be sort of "B."  Personally, I do not like spending time on these types of things -- especially when it would be so involved as options "C" or "D."  

I run rkhunter and chkrootkit.  If you really want to track file security there are programs just for that (samhain, tripwire, ...).

----------

## jonathan183

 *chaseguard wrote:*   

> I run rkhunter and chkrootkit.  If you really want to track file security there are programs just for that (samhain, tripwire, ...).

 

OK thanks, I'll keep them in mind for future use   :Cool:   I think having a reasonable arrangement for running rkhunter is something I could do with sorting first.

----------

## jonathan183

I'm still using rkhunter for the moment, I have written a script to help me a bit with rkhunter information which I'll be calling from a system update script (with the intent to resolve issues before update ... at least I'm starting with that intent   :Rolling Eyes:   ).

check-for-rootkits.sh

```
#!/bin/bash

### rkhunter use script - use scan, investigate, update, help options
### =================================================================
### rkhunter user must have sudo rights for
###### add the sudo parts in here
# /usr/sbin/rkhunter --update
# /usr/sbin/rkhunter -c
# /bin/cat /var/log/rkhunter.log
# /usr/bin/equery
# /usr/sbin/chkrootkit
#
### rkhunter user
rkhunter_user=jonathan

echo "This shell script $0 is used to scan the system for rootkits using rkhunter"
echo

if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then
    # hit Enter too early or forgot to add option
    echo "Script file $0 help information"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo "This script is used for rkhunter scan and update options for user $rkhunter_user"
    echo
    echo "use $0 scan          use rkhunter to scan system for updated files"
    echo "use $0               to display this help"
    echo "use $0 investigate   to produce list of packages to check etc ... only part developed ;-)"
    echo "use $0 update        to update the rkhunter file database - updates stored file hash values"
    echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then
    # do for cases requiring scan using rkhunter
    echo 'First we need to check for rkhunter updates - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for rkhunter updates using sudo rkhunter --update ...'
    sudo rkhunter --update
    echo 'next check for rootkits - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for rootkits using sudo rkhunter -c ...'
    sudo rkhunter -c
    echo 'You should now review the rkhunter log file - press enter to continue or Ctrl-c to abort'
    read
    sudo cat /var/log/rkhunter.log | less
    echo 'next check for rootkits using chkrootkit - press enter to continue or Ctrl-c to abort'
    read
    sudo chkrootkit

    if [ "$1" = "update" ]
    then
        echo 'If you are sure the file updates are genuine (package or you) then update the rkhunter stored file hash information - Press Enter to continue OR Ctrl-c to abandon'
        read
        echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
        read
        ### ok you had 2 chances to abort - lets update
        echo
        echo 'Running sudo rkhunter --propupd ...'
        sudo rkhunter --propupd
    fi
fi

if [ "$1" = "investigate" ]
then
    echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
    read
    echo 'extracting information from rkhunter.log - searching for packages which own files - check md5sum values for files owned by packages ...'
    ### put investigative stuff in here
    #echo This shell script $0 'extracts change file information from rkhunter log file, gets package files belong to, and displays results of package check'
    ### extract info from rkhunter log below
    ### this code does it without intermediate files
    ### sudo equery check (  equery belongs  [ sudo cat rkhunter.log | grep line with current hash + previous line | filename ] | sort | uniq | tee rkhunter_packages_to_check_list )
    # rkhunter logs each changed file as a "File: /path" line directly before
    # its "Current hash:" line; field 3 of the "File:" line is the path
    sudo equery check $(
        equery -q -C b $(
            sudo cat /var/log/rkhunter.log | grep -B 1 'Current hash' | grep File | awk '{ print $3 }'
        ) | sort | uniq | tee rkhunter_packages_to_check_list
    )
    #1> rkhunter_package_check_results 2> rkhunter_package_check_results_errors

    ### whereas the code below - remove single # from each line below - uses intermediate files which can be reviewed after ;-)
    #### using separate files
    #sudo cat /var/log/rkhunter.log > rkhunter.log.copy
    #cat rkhunter.log.copy | grep -B 1 'Current hash' | grep File | awk '{ print $3 }' | tee rkhunter_files_to_check_list
    #echo packages to be checked listed below
    #qfile -q -C $(cat rkhunter_files_to_check_list) | sort | uniq | tee rkhunter_packages_to_check_list
    #sudo equery check $(cat rkhunter_packages_to_check_list)
    #### 'to run in loop - not actually needed !'
    ##exec<rkhunter_packages_to_check_list
    ##while read line
    ##      do
    ##              sudo equery check $line;
    ##      done
fi

### end of rkhunter script
```

Using the investigate option of the above I had a few things flagged up ... comments added below

```
### OK
* Checking app-forensics/rkhunter-1.4.0 ...
!!! /var/lib/rkhunter/db/mirrors.dat has incorrect MD5sum
   39 out of 40 files passed
### OK
* Checking sys-apps/man-1.6g ...
!!! /usr/share/man/nl/man8 does not exist
   251 out of 252 files passed
### OK
* Checking sys-apps/sysvinit-2.88-r4 ...
!!! /etc/inittab has incorrect MD5sum
   55 out of 56 files passed
* Checking sys-apps/tcp-wrappers-7.6-r8 ...
!!! /lib/libwrap.so.0.7.6 has incorrect MD5sum
!!! /usr/sbin/tcpdchk has incorrect MD5sum
!!! /usr/sbin/try-from has incorrect MD5sum
!!! /usr/sbin/tcpd has incorrect MD5sum
!!! /usr/sbin/safe_finger has incorrect MD5sum
!!! /usr/sbin/tcpdmatch has incorrect MD5sum
   32 out of 38 files passed
* Checking sys-apps/which-2.20 ...
!!! /usr/bin/which has incorrect MD5sum
   15 out of 16 files passed
* Checking sys-devel/prelink-20110511 ...
!!! /etc/prelink.conf has incorrect MD5sum
!!! /var/lib/misc/prelink.force has wrong mtime (is 1325457199, should be 1325457193)
!!! /etc/conf.d/prelink has wrong mtime (is 1346513705, should be 1325457193)
   25 out of 28 files passed
### OK
* Checking sys-libs/glibc-2.15-r3 ...
!!! /etc/locale.gen has incorrect MD5sum
   1415 out of 1416 files passed
```

I can understand the mismatch of info for all but sys-apps/tcp-wrappers, sys-apps/which and sys-devel/prelink. Having done a one-shot emerge of the three packages, tcp-wrappers and which are OK but prelink still has similar issues   :Sad: 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I have also installed tripwire and I have written a script to help me which again I'm going to be calling from my system update script. Script tripwire-check.sh below

```
#!/bin/bash

### Tripwire use script - use scan, investigate, update, help options
### =================================================================
### tripwire user must have sudo rights for
### /usr/sbin/tripwire
### /opt/tripwire/mktwpol.sh
#
### tripwire user
tripwire_user=jonathan

echo "This shell script $0 is used to scan the system for updated files using tripwire"
echo

if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then
    # hit Enter too early or forgot to add option
    echo "Script file $0 help information"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo "This script is used for tripwire scan and update options for user $tripwire_user"
    echo
    echo "use $0 scan          use tripwire to scan system for updated files"
    echo "use $0               to display this help"
    echo "use $0 investigate   to produce list of packages to check etc ... only part developed ;-)"
    echo "use $0 update        to update the tripwire file database - update policy and stored file hash values"
    echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then
    # do for cases requiring scan using tripwire
    echo "The script allows tripwire scan and update options by user $tripwire_user"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo 'First we run a scan on the system for updated files - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for file updates using sudo tripwire --check > tripwire-latest.txt ...'
    sudo tripwire --check > tripwire-latest.txt
    echo 'next review the scan results - press enter to continue or Ctrl-c to abort'
    read
    less tripwire-latest.txt

    if [ "$1" = "update" ]
    then
        echo 'If you are sure the file updates are genuine (package or you) then update the tripwire policy and stored file hash information - Press Enter to continue OR Ctrl-c to abandon'
        read
        echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
        read
        ### ok you had 2 chances to abort - lets update
        echo
        echo 'Running sudo /opt/tripwire/mktwpol.sh -u ...'
        sudo /opt/tripwire/mktwpol.sh -u
    fi
fi

if [ "$1" = "investigate" ]
then
    echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
    read
    ### put investigative stuff in here
    # get a list of files identified: tripwire lists each changed object as a
    # quoted "/path" line, so drop the quotes and any leading indentation
    grep '"/' tripwire-latest.txt | tr -d '"' | sed 's/^[[:space:]]*//' > tripwire-latest-copy2.txt
    echo files identified as changed $(cat tripwire-latest-copy2.txt)
    echo running qfile to find owning packages ...
    # qfile takes the paths directly (no "b" sub-command, unlike equery belongs)
    qfile $(cat tripwire-latest-copy2.txt)
    echo 'Identified files in tripwire-latest-copy2.txt ... thats as far as the automatic stuff goes ;-)'
    #echo files and process which have been identified as changed by tripwire below
    #cat tripwire-latest-copy2.txt
    #echo which belong to packages below
    #cat tripwire-latest-copy.txt
fi

### end of tripwire script
```

I'm still considering whether to do a fresh install and install tripwire as the first package ... which I may do - but for now I think I'll get used to using rkhunter and tripwire and sort out what works best for me in terms of system updates.

... if you spot errors or know a better way of doing this then please let me know   :Cool: 

----------

## jonathan183

I did a fresh install on a separate partition. I installed tripwire before a system update. I got a few odd results after the system update and installing vim, sudo and a few other packages ...

```
1 /etc/sudoers has incorrect MD5sum
2 /usr/share/vim/vim73/doc/tags has incorrect MD5sum
3 /var/lib/rkhunter/db/mirrors.dat has incorrect MD5sum
4 /run/cups does not exist
5 /run/cups/certs does not exist
6 /usr/libexec/cups/filter/foomatic-gswrapper does not exist
7 /var/run/dbus does not exist
8 /etc/conf.d/keymaps has incorrect MD5sum
9 /var/run/ConsoleKit does not exist
10 /etc/env.d/gcc/i686-pc-linux-gnu-4.7.3 has incorrect MD5sum
11 /etc/locale.gen has incorrect MD5sum
12 No installed packages matching 'tripwire_investigation_results'
```

1 I updated to add some entries for my admin user

2 the file is owned by vim-core but is updated by vim when it's installed, adding gentoo defaults information in various locations in the file

3 is updated with version information when rkhunter --update is run

4 - 7,9 I'll have to investigate a bit further why they have been removed

11 I updated, 12 I created.

10 I'll investigate a bit further ... probably something similar to 2 going on   :Rolling Eyes:   ... equery and qfile are OK for identifying package that a file belongs to but don't help with the second example above ... wonder if eix will help with this?

I updated my tripwire script a bit to automate some of the investigation since the system update involves 140 packages ...

```
#!/bin/bash

### Tripwire use script - use scan, investigate, update, help options
### =================================================================
### tripwire user must have sudo rights for
### /usr/sbin/tripwire
### /opt/tripwire/mktwpol.sh
### and for investigation also needs sudo for equery
#
### tripwire user
tripwire_user=jonathan

# 'files created by this script are:-'
# '   tripwire-latest.txt which contains the output for the last scan'
# '   tripwire-latest-error.txt which contains the error output for the last scan'
# 'see investigation section for files created for that option - it's likely to be a bit more dynamic'

echo "This shell script $0 is used to scan the system for updated files using tripwire"
echo

if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then
    # hit Enter too early or forgot to add option
    echo "Script file $0 help information"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo "This script is used for tripwire scan and update options for user $tripwire_user"
    echo
    echo "use $0 scan          use tripwire to scan system for updated files"
    echo "use $0               to display this help"
    echo "use $0 investigate   to produce list of packages to check etc ... only part developed ;-)"
    echo "use $0 update        to update the tripwire file database - update policy and stored file hash values"
    echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then
    # do for cases requiring scan using tripwire
    echo "The script allows tripwire scan and update options by user $tripwire_user"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo 'First we run a scan on the system for updated files - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for file updates using sudo tripwire --check 1> tripwire-latest.txt 2> tripwire-latest-error.txt ...'
    sudo tripwire --check 1> tripwire-latest.txt 2> tripwire-latest-error.txt
    echo 'next review the scan results - press enter to continue or Ctrl-c to abort'
    read
    less tripwire-latest.txt
    less tripwire-latest-error.txt

    if [ "$1" = "update" ]
    then
        echo 'If you are sure the file updates are genuine (package or you) then update the tripwire policy and stored file hash information - Press Enter to continue OR Ctrl-c to abandon'
        read
        echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
        read
        ### ok you had 2 chances to abort - lets update
        echo
        echo 'Running sudo /opt/tripwire/mktwpol.sh -u ...'
        sudo /opt/tripwire/mktwpol.sh -u
    fi
fi

if [ "$1" = "investigate" ]
then
    echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
    read
    ### put investigative stuff in here
    ### 'files created and contents - they all start tripwire_ so should be able to remove them with rm tripwire_*'
    # tripwire_files_to_check_full_list.txt - list of files to investigate - extracted from tripwire-latest.txt log
    # tripwire_files_to_check_failed_package_checks.txt - list of files for which errors produced
    # tripwire_files_to_check_no_package_owner.txt - list of files with no package owner (eg did not check OK for a package)
    # tripwire_files_to_check_owned_by_package.txt - list of files which are owned by a package
    ### sudo equery check (  equery belongs  [ cat tripwire-latest.txt | grep line with "/ | remove "  | tee tripwire_files_to_check_full_list ] | sort | uniq )
    echo 'extracting files from tripwire-latest.txt, using equery to determine file owning package and checking package (it may take a while) ...'
    # tripwire lists each changed object as a quoted "/path" line; drop the
    # quotes and any leading indentation so the list compares cleanly below
    sudo equery -N -C check $(
        equery -q -C b $(
            grep '"/' tripwire-latest.txt | tr -d '"' | sed 's/^[[:space:]]*//' | tee tripwire_files_to_check_full_list.txt
        ) | sort | uniq
    ) 1> /dev/null 2> tripwire_files_to_check_failed_package_checks.txt

    # and now we capture files which dont belong to a package ...
    # (qfile takes the paths directly; each output line is 'cat/pkg (/path)')
    qfile $( sort -u tripwire_files_to_check_full_list.txt ) | awk '{ print $2 }' | tr -d '()' | sort | uniq > tripwire_files_to_check_owned_by_package.txt

    # now lets list the differences: changed files that no package claims.
    # Both lists are deduplicated first; 'sort a b | uniq -u' would silently
    # drop any file that appears twice in the full list.
    comm -23 <(sort -u tripwire_files_to_check_full_list.txt) <(sort -u tripwire_files_to_check_owned_by_package.txt) > tripwire_files_to_check_no_package_owner.txt

    echo
    echo 'Now you should investigate tripwire_files_to_check_no_package_owner.txt and tripwire_files_to_check_failed_package_checks.txt and check files are genuine update/modified by you/other authorised users !'
    echo 'using less for these files - Press Enter to continue OR Ctrl-c to abandon'
    read
    less tripwire_files_to_check_no_package_owner.txt
    less tripwire_files_to_check_failed_package_checks.txt

    ### message at end of investigation run ...
    echo
    echo 'List of files to check is in tripwire_files_to_check_no_package_owner.txt (no package owns the files) and tripwire_files_to_check_failed_package_checks.txt (file does not match package for some reason eg MD5sum)'
    echo 'The full list of files is in tripwire_files_to_check_full_list.txt'

    #   ### uncomment to check number of package check fails
    #   sudo equery check -o $(
    #       equery -q -C b $(
    #           grep '"/' tripwire-latest.txt | tr -d '"' | sed 's/^[[:space:]]*//' | tee tripwire_files_to_check_full_list.txt
    #       ) | sort | uniq
    #   ) | grep failed
fi

### end of tripwire script
```

Ed: updated the tripwire script above and the rkhunter script below so that I check files which are not owned by any package   :Rolling Eyes:  

```
#!/bin/bash

### rkhunter use script - use scan, investigate, update, help options
### =================================================================
### rkhunter user must have sudo rights for
###### add the sudo parts in here ~~~~~~~~
# /usr/sbin/rkhunter --update
# /usr/sbin/rkhunter -c
# /usr/sbin/rkhunter --propupd
# /bin/cat /var/log/rkhunter.log
# /usr/bin/equery
# /usr/sbin/chkrootkit
#
### rkhunter user
rkhunter_user=jonathan

echo "This shell script $0 is used to scan the system for rootkits using rkhunter"
echo

if [ "$1" = "" ] || [ "$1" = "help" ] || [ "$1" = "h" ]
then
    # hit Enter too early or forgot to add option
    echo "Script file $0 help information"
    echo '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
    echo
    echo "This script is used for rkhunter scan and update options for user $rkhunter_user"
    echo
    echo "use $0 scan          use rkhunter to scan system for updated files"
    echo "use $0               to display this help"
    echo "use $0 investigate   to produce list of packages to check etc ... only part developed ;-)"
    echo "use $0 update        to update the rkhunter file database - updates stored file hash values"
    echo

elif [ "$1" = "scan" ] || [ "$1" = "update" ]
then
    # do for cases requiring scan using rkhunter
    echo 'First we need to check for rkhunter updates - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for rkhunter updates using sudo rkhunter --update ...'
    sudo rkhunter --update
    echo 'next check for rootkits - press enter to continue or Ctrl-c to abort'
    read
    echo 'checking for rootkits using sudo rkhunter -c ...'
    sudo rkhunter -c
    echo 'You should now review the rkhunter log file - press enter to continue or Ctrl-c to abort'
    read
    sudo cat /var/log/rkhunter.log | less
    echo 'next check for rootkits using chkrootkit - press enter to continue or Ctrl-c to abort'
    read
    sudo chkrootkit

    if [ "$1" = "update" ]
    then
        echo 'If you are sure the file updates are genuine (package or you) then update the rkhunter stored file hash information - Press Enter to continue OR Ctrl-c to abandon'
        read
        echo 'are you really sure the system is clean ? ... - Press Enter to continue OR Ctrl-c to abandon'
        read
        ### ok you had 2 chances to abort - lets update
        echo
        echo 'Running sudo rkhunter --propupd ...'
        sudo rkhunter --propupd
    fi
fi

if [ "$1" = "investigate" ]
then
    echo 'Investigative tasks to determine if file updates are genuine package etc ... this is only part automated ... and overwrites previous investigation information - Press Enter to continue OR Ctrl-c to abandon'
    read
    ### put investigative stuff in here
    ### 'files created and contents - they all start rkhunter_ so should be able to remove them with rm rkhunter_*'
    # rkhunter_files_to_check_full_list.txt - list of files to investigate - extracted from rkhunter.log
    # rkhunter_files_to_check_failed_package_checks.txt - list of files for which errors produced
    # rkhunter_files_to_check_no_package_owner.txt - list of files with no package owner (eg did not check OK for a package)
    # rkhunter_files_to_check_owned_by_package.txt - list of files which are owned by a package

    echo 'extracting files from rkhunter.log, using equery to determine file owning package and checking package (it can take a while) ...'
    ### sudo equery check (  equery belongs  [ sudo cat rkhunter.log | grep line with current hash + previous line | filename | tee rkhunter_packages_to_check_list ] | sort | uniq )
    # rkhunter logs each changed file as a "File: /path" line directly before
    # its "Current hash:" line; field 3 of the "File:" line is the path
    sudo equery -N -C check $(
        equery -q -C b $(
            sudo cat /var/log/rkhunter.log | grep -B 1 'Current hash' | grep File | awk '{ print $3 }' | tee rkhunter_files_to_check_full_list.txt
        ) | sort | uniq
    ) 1> /dev/null 2> rkhunter_files_to_check_failed_package_checks.txt

    # and now we capture files which dont belong to a package ...
    # (qfile takes the paths directly; each output line is 'cat/pkg (/path)')
    qfile $( sort -u rkhunter_files_to_check_full_list.txt ) | awk '{ print $2 }' | tr -d '()' | sort | uniq > rkhunter_files_to_check_owned_by_package.txt

    # now lets list the differences: changed files that no package claims.
    # Both lists are deduplicated first; 'sort a b | uniq -u' would silently
    # drop any file that appears twice in the full list.
    comm -23 <(sort -u rkhunter_files_to_check_full_list.txt) <(sort -u rkhunter_files_to_check_owned_by_package.txt) > rkhunter_files_to_check_no_package_owner.txt

    echo
    echo 'Now you should investigate rkhunter_files_to_check_no_package_owner.txt and rkhunter_files_to_check_failed_package_checks.txt and check files are genuine update/modified by you/other authorised users !'
    echo 'using less for these files - Press Enter to continue OR Ctrl-c to abandon'
    read
    less rkhunter_files_to_check_no_package_owner.txt
    less rkhunter_files_to_check_failed_package_checks.txt

    ### message at end of investigation run ...
    echo
    echo 'List of files to check is in rkhunter_files_to_check_no_package_owner.txt (no package owns the files) and rkhunter_files_to_check_failed_package_checks.txt (file does not match package for some reason eg MD5sum)'
    echo 'The full list of files is in rkhunter_files_to_check_full_list.txt'
fi

### end of rkhunter script
```
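
As an added example (editor's code, not part of jonathan183's scripts above, and not run on any real system): the investigate step that both the rkhunter and the tripwire script implement, reduced to small functions that can be exercised on constructed input. It assumes what the scripts assume: that rkhunter writes a `File: /path` line directly before each `Current hash:` line, that a tripwire report lists changed objects as quoted `"/path"` lines, and that `qfile` prints `cat/pkg (/path)` per owned file. The log excerpt, report excerpt and qfile lines in the block are constructed for the demo. The point it adds is the set difference: a file flagged by both tools appears twice in the combined list, and `sort a b | uniq -u` silently drops it, whereas `comm` over deduplicated lists reports it.

```shell
#!/bin/bash
# Added example, not code from the original post. All sample text below is
# constructed; the rkhunter/tripwire/qfile line formats are assumptions.

# Constructed rkhunter.log excerpt: three changed files.
SAMPLE_RKHUNTER_LOG='[10:00:01] Warning: The file properties have changed:
[10:00:01]          File: /usr/bin/which
[10:00:01]          Current hash: 1111
[10:00:01]          Stored hash : 2222
[10:00:02] Warning: The file properties have changed:
[10:00:02]          File: /usr/sbin/tcpd
[10:00:02]          Current hash: 3333
[10:00:02]          Stored hash : 4444
[10:00:03] Warning: The file properties have changed:
[10:00:03]          File: /usr/local/bin/mytool
[10:00:03]          Current hash: 5555
[10:00:03]          Stored hash : 6666'

# Constructed tripwire --check excerpt; /usr/bin/which is flagged again.
SAMPLE_TRIPWIRE_REPORT='Modified:
"/usr/bin/which"
"/etc/locale.gen"
Added:
"/usr/local/bin/mytool"'

# Constructed qfile output for the flagged paths: mytool has no owner.
SAMPLE_QFILE_OUTPUT='sys-apps/which (/usr/bin/which)
sys-apps/tcp-wrappers (/usr/sbin/tcpd)
sys-libs/glibc (/etc/locale.gen)'

# Paths from rkhunter "file properties have changed" warnings on stdin:
# the "File: /path" line precedes "Current hash:", and the path is field 3.
rkhunter_changed_files() {
    grep -B 1 'Current hash' | grep 'File:' | awk '{ print $3 }'
}

# Paths from a tripwire report on stdin: quoted "/path" lines, with the
# quotes and any leading indentation removed.
tripwire_changed_files() {
    grep '"/' | tr -d '"' | sed 's/^[[:space:]]*//'
}

# Owned paths from qfile output on stdin ('cat/pkg (/path)' per line).
qfile_owned_paths() {
    awk '{ print $2 }' | tr -d '()'
}

# Lines of file $1 that are not in file $2, after deduplicating both sides.
# 'sort a b | uniq -u' would drop a path listed twice in $1 (flagged by both
# tools); comm over unique, sorted lists keeps it.
unowned_files() {
    u_all=$(mktemp); u_owned=$(mktemp)
    sort -u "$1" > "$u_all"
    sort -u "$2" > "$u_owned"
    comm -23 "$u_all" "$u_owned"
    rm -f "$u_all" "$u_owned"
}

# Run the pipeline over the constructed samples; prints the unowned paths.
demo_unowned() {
    d_all=$(mktemp); d_owned=$(mktemp)
    {
        printf '%s\n' "$SAMPLE_RKHUNTER_LOG" | rkhunter_changed_files
        printf '%s\n' "$SAMPLE_TRIPWIRE_REPORT" | tripwire_changed_files
    } > "$d_all"
    printf '%s\n' "$SAMPLE_QFILE_OUTPUT" | qfile_owned_paths > "$d_owned"
    unowned_files "$d_all" "$d_owned"
    rm -f "$d_all" "$d_owned"
}

# The same pipeline against the live tools (not run in the demo): needs
# /var/log/rkhunter.log readable via sudo, a tripwire-latest.txt produced by
# 'tripwire --check', and portage-utils (qfile) plus gentoolkit (equery).
investigate_live() {
    l_all=$(mktemp); l_owned=$(mktemp)
    {
        sudo cat /var/log/rkhunter.log | rkhunter_changed_files
        if [ -f tripwire-latest.txt ]; then tripwire_changed_files < tripwire-latest.txt; fi
    } > "$l_all"
    sort -u "$l_all" | xargs -r qfile | tee "$l_owned.qfile" | qfile_owned_paths > "$l_owned"
    echo '== changed files no package owns =='
    unowned_files "$l_all" "$l_owned"
    echo '== equery check on the owning packages =='
    awk '{ print $1 }' "$l_owned.qfile" | sort -u | xargs -r sudo equery -N -C check
    rm -f "$l_all" "$l_owned" "$l_owned.qfile"
}

if [ "${1:-}" = "live" ]; then investigate_live; else demo_unowned; fi
```

Run with no argument to see the demo result (`/usr/local/bin/mytool`, the only flagged path no package claims), or with `live` on a Gentoo box to run the real pipeline. Files in the "no package owner" list and packages that fail `equery check` are the ones to account for by hand before `rkhunter --propupd` or a tripwire database update.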

----------

## jonathan183

If I have two gentoo installs that I sync on the same day (within a few minutes of each other) and I do an

emerge -e world should files on the two systems have the same md5sum values?

If the md5sum values do not match has one of the systems been compromised (using identical /etc information) ...

----------

## depontius

 *jonathan183 wrote:*   

> If I have two gentoo installs that I sync on the same day (within a few minutes of each other) and I do an
> 
> emerge -e world should files on the two systems have the same md5sum values?
> 
> If the md5sum values do not match has one of the systems been compromised (using identical /etc information) ...

 

Do they have the same USE flags and CFLAGS, @system, @world, and amount of RAM as well?  (-march=native doesn't count)  There are so many ways to make binaries different I'd start with md5sums as an experiment first.

----------

## jonathan183

 *depontius wrote:*   

> Do they have the same USE flags and CFLAGS, @system, @world, and amount of RAM as well?  (-march=native doesn't count)  There are so many ways to make binaries different I'd start with md5sums as an experiment first.

It's the same PC; @world will be different because I only set up basic packages - no X etc. The same USE flags, same make.conf etc. What I'm trying to do is work out if the original install is compromised by comparison against a fresh install; I was hoping a comparison of md5sums for things that exist on the new system vs the old install would help do that. If that's not really practical then I could do a fresh install and make sure I install tripwire and rkhunter before other packages ... but I'd prefer to keep the current install provided I can be reasonably confident it is not compromised.

For this particular case I could do a fresh install (and might end up doing so anyway), but I was thinking comparison of md5sums would help for any future checking exercise ... and I'd like to confirm as far as I can that the system is not compromised ... if it is I need to figure out how to avoid it in future ...

----------

## depontius

You could also pick one package - binutils would be the obvious one, and take md5sums of all of its pieces.  Then re-emerge it, redo the md5sums, and compare.  It's not comprehensive, but it's an indicator, and binutils is probably the most likely single target.

USE flags, as used by portage, can be affected by installed software as well as make.conf, /etc/portage/package.use, etc.  So if the two machines don't have identical @system and @world, it is possible for the effective USE flags to be different.  Hmmmm - you could also do "emerge --info" on the two machines and compare the outputs.

You could also do "emerge -ep world >turnIntoRebuildScript" and turn the output into a script that does md5sums before and after rebuild of each package, then compares.  Let it run in the background, and check your system out for you.  Prioritize the list, even.
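
An added example (editor's code, not from depontius or jonathan183): the rebuild-and-compare check described above written as shell functions, with the comparison logic exercised on constructed files so it runs anywhere. The live wrappers assume portage-utils' `qlist -e <pkg>` to list the files a package installed, `qlist -I` to enumerate installed packages (standing in for the `emerge -ep world` list, with a hand-picked priority list rebuilt first), and `emerge -1 <pkg>` to rebuild one package; the demo does not run any of them. On a box where prelink is enabled, expect rebuilt ELF files to differ until prelink has processed them again, which is a mismatch of the same kind jonathan183 saw with the prelink package itself.

```shell
#!/bin/bash
# Added example, not code from the thread. The live wrappers assume
# portage-utils 'qlist -e <pkg>' (files of one installed package),
# 'qlist -IC' (installed packages) and 'emerge -1 <pkg>' (rebuild one
# package); the demo below only touches constructed temp files.

# Sorted "digest  path" manifest for each existing regular file named on
# stdin, one path per line (paths containing whitespace are not handled).
manifest_from_list() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then md5sum "$f"; fi
    done | sort -k2
}

# Paths whose manifest line exists on only one side. A changed digest shows
# up because both its old and new line are unique; so do added and removed
# files, whose line exists in only one manifest.
changed_paths() {
    sort "$1" "$2" | uniq -u | awk '{ print $2 }' | sort -u
}

# Snapshot one package, rebuild it, snapshot again, print what changed.
# Empty output is the "indicator" depontius describes; anything listed
# needs a look (or a prelink explanation).
rebuild_and_compare() {
    pkg=$1
    before=$(mktemp); after=$(mktemp)
    qlist -e "$pkg" | manifest_from_list > "$before"
    sudo emerge -1 "$pkg" > /dev/null
    qlist -e "$pkg" | manifest_from_list > "$after"
    changed_paths "$before" "$after"
    rm -f "$before" "$after"
}

# Whole-installation version: the toolchain first, then every other
# installed package once (awk keeps the first occurrence of each line).
check_all_packages() {
    {
        printf '%s\n' sys-devel/binutils sys-devel/gcc sys-libs/glibc
        qlist -IC
    } | awk '!seen[$0]++' | while IFS= read -r pkg; do
        echo "== $pkg"
        rebuild_and_compare "$pkg"
    done
}

# Demo on constructed files: three files, one altered and one removed
# between the snapshots; prints the changed names relative to the temp dir.
demo_rebuild_compare() {
    d=$(mktemp -d)
    printf 'one\n' > "$d/a"; printf 'two\n' > "$d/b"; printf 'three\n' > "$d/c"
    m1=$(mktemp); m2=$(mktemp)
    printf '%s\n' "$d/a" "$d/b" "$d/c" | manifest_from_list > "$m1"
    printf 'TWO\n' > "$d/b"      # stands in for a rebuilt binary that differs
    rm -f "$d/c"                 # stands in for a file the rebuild dropped
    printf '%s\n' "$d/a" "$d/b" "$d/c" | manifest_from_list > "$m2"
    changed_paths "$m1" "$m2" | sed "s|^$d/||"
    rm -rf "$d" "$m1" "$m2"
}

if [ "${1:-}" = "all" ]; then check_all_packages; else demo_rebuild_compare; fi
```

With no argument the demo prints `b` and `c`; `all` runs the live rebuild loop, which takes as long as a full world rebuild and should be run from a terminal where `sudo emerge` can prompt. A rebuild that reproduces identical digests says only that the build environment and the installed files agree with each other; a compromised toolchain that consistently emits the same altered output would pass it, which is why depontius calls it an indicator rather than proof.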

----------

## jonathan183

OK if I understand the situation correctly:-

1. I should really do a fresh install and emerge tripwire and rkhunter  as one of the first packages to have tracking of files as soon as possible.

2. I can establish which package a file belongs to and check that packages files, which may work in the majority but not all instances (example vim in previous post in this thread).

3. I can do a fresh install to another partition but unless I do a full world emerge md5sum values of files which exist on the original install and fresh install may not match.

I can add rkhunter and tripwire checks to my system update script but I'll be left having to do some manual checks after some updates or cross my fingers and hope that all file updates are legitimate  :Confused:  ... I think I must be either missing something or I have not configured something properly ...

----------

