On Tue, 2007-10-23 at 13:02 +0200, Avalon wrote:
>
> since upgrading RKHunter to the current version 1.3.0 I got multiple new 
> warning messages on my FreeBSD box. I was able to get rid of many of 
> them by using whitelists etc. But for some of them I have no clue how 
> to suppress them.
> 
Hello,

Helmut Hullen has already pointed out that several of these can be
whitelisted in the rkhunter.conf file.

> 
> Info: Starting test name 'possible_rkt_strings'
> Warning: Checking for possible rootkit strings  [ Warning ]
> No system startup files found.
> 
> -> Why is this resulting in a warning if no startup file was found?
> 
The test is looking for the files which start up various system
services. Typically the directory is something like /etc/init.d
or /etc/rc.d. In your case it could not find either, and a system
without such a directory seems suspicious. Hence the warning.

> 
> Info: Starting test name 'startup_malware'
>    Checking for local startup files   [ Warning ]
> Warning: No local startup files found.
>    Checking local startup files for malware   [ Skipped ]
> Warning: No local startup files found.
> 
> -> Why is this resulting in a warning if no local startup file was found?
> 
In this case the check is for the file used for local startup
modifications. Typically something like /etc/rc.d/rc.local or
rc.sysinit. Again, having no such file is suspicious.

RKH will try several locations and file names, but it is possible that a
system will have these files located in a directory it does not know
about. For that reason, you can specify the locations in the
rkhunter.conf file. Look for the SYSTEM_RC_DIR and LOCAL_RC_PATH
entries.

I would be grateful if you could let me know what values you use for
these entries, so that we can include them in RKH by default.

> 
> Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
>    Checking if SSH root access is allowed          [ Warning ]
> Warning: The SSH configuration option 'PermitRootLogin' has not been set.
> The default value may be 'yes', to allow root access.
>    Checking if SSH protocol v1 is allowed          [ Warning ]
> Warning: The SSH configuration option 'Protocol' has not been set.
>    The default value may be '2,1', to allow the use of protocol v1.
>
Different systems will install SSH using different default configuration
values. However, the software itself defaults to allowing root logins,
and allowing the less secure SSH protocol version 1. Hence RKH will test
that these have been disabled in the sshd_config file.

The value of 'PermitRootLogin' in the sshd_config must be exactly the
same as that in the rkhunter.conf file (the ALLOW_SSH_ROOT_USER option).
Since SSH defaults to 'yes', and RKH defaults to 'no', you get a
warning. You need to set the option in the sshd_config file to some
value suitable for your requirements, and then set ALLOW_SSH_ROOT_USER
to the same value in the rkhunter.conf file. (I guess we should allow
some setting for when the 'PermitRootLogin' is unset.)

Similarly, RKH checks that only SSH protocol version 2 is enabled. Since
it was not set in the sshd_config file, and SSH defaults to it being
version 1 and 2, RKH gives a warning. You can set ALLOW_SSH_PROT_V1 in
the rkhunter.conf file if you really want to enable SSH protocol version
1 (setting it also allows versions 1 and 2 together of course).



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
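
Added example, not part of the thread above and not rkhunter's own code: a small POSIX shell script that performs the two comparisons John describes for the SSH checks. It reads the first uncommented `PermitRootLogin` and `Protocol` lines from an sshd_config (sshd uses the first match), treats a missing option as "falls back to the compiled-in default", and compares the result with the value that would be in rkhunter.conf. The two sshd_config files are constructed inline for the demonstration; the rkhunter.conf value forms `ALLOW_SSH_ROOT_USER=no` and `ALLOW_SSH_PROT_V1=0` (1 to allow v1) are assumed, as the thread only names the options.

```shell
#!/bin/sh
# Constructed example: rkhunter-style comparison of sshd_config against the
# values expected by rkhunter.conf. Not rkhunter's code.

# get_sshd_option FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (keywords are
# case-insensitive in sshd_config), or nothing if the option is not set.
get_sshd_option() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# check_root_login FILE ALLOW_SSH_ROOT_USER
# "ok" only when PermitRootLogin is set and equals the rkhunter.conf value
# exactly; an unset option is a warning because sshd then uses its own
# default, which the thread notes may be 'yes'.
check_root_login() {
    val=$(get_sshd_option "$1" PermitRootLogin)
    if [ -z "$val" ]; then
        echo "warning: PermitRootLogin unset (default may be yes)"
        return 1
    elif [ "$val" = "$2" ]; then
        echo "ok"
        return 0
    else
        echo "warning: PermitRootLogin is '$val', rkhunter expects '$2'"
        return 1
    fi
}

# check_protocol FILE ALLOW_SSH_PROT_V1
# Protocol v1 counts as allowed when the option is unset (default may be
# '2,1') or when the value lists a 1. That is a warning unless rkhunter.conf
# explicitly allows v1 (ALLOW_SSH_PROT_V1=1, assumed value form).
check_protocol() {
    val=$(get_sshd_option "$1" Protocol)
    case "$val" in
        "")  v1=1; reason="Protocol unset (default may be 2,1)" ;;
        *1*) v1=1; reason="Protocol '$val' allows v1" ;;
        *)   v1=0; reason="Protocol '$val' is v2 only" ;;
    esac
    if [ "$v1" -eq 1 ] && [ "$2" -eq 0 ]; then
        echo "warning: $reason"
        return 1
    fi
    echo "ok: $reason"
    return 0
}

# Constructed sample 1: both options commented out, as in the original post.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin yes
#Protocol 2,1
EOF

# Constructed sample 2: the settings that stop both warnings with the
# rkhunter.conf defaults (ALLOW_SSH_ROOT_USER=no, ALLOW_SSH_PROT_V1=0).
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    check_root_login "$cfg" no || true
    check_protocol "$cfg" 0 || true
done
```

Running it prints a warning for both options on the first file and "ok" for both on the second; changing the second argument of `check_root_login` to `yes` against the hardened file shows the mismatch case, which is the same situation as a box whose sshd_config says `no` while rkhunter.conf still says something else.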

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
