On Tue, 2007-10-23 at 17:41 +0200, Avalon wrote:
> > 
> >> Info: Starting test name 'possible_rkt_strings'
> >> Warning: Checking for possible rootkit strings  [ Warning ]
> >> No system startup files found.
> >>
> >> -> Why is this resulting in a warning if no startup file was found?
> >>
> > The test is looking for the files which start up various system
> > services. Typically the directory is something like /etc/init.d
> > or /etc/rc.d. In your case it could not find either, and a system
> > without such a directory seems suspicious. Hence the warning.
> 
A Google search gave me the
http://www.freebsd.org/cgi/man.cgi?query=rc&sektion=8 web page.

According to this, FreeBSD does indeed use /etc/rc.d for its system
startup scripts. Therefore you should not need to set SYSTEM_RC_DIR in
rkhunter.conf. (If this is still failing with RKH then your log file
should let me know why.)

However, it seems that FreeBSD can also use /usr/local/etc/rc.d for
system startup scripts. RKH currently only allows one directory to be
specified, so I think this is something we could change for the next
release.

Local startup scripts can appear in a few places, and RKH can be given a
list of filenames to use. The man page states:

  The /etc/rc.d/local script can execute scripts from multiple rc.d/
  directories.  The default locations are /usr/local/etc/rc.d/ and
  /usr/X11R6/etc/rc.d/, but these may be overridden with the local_startup
  rc.conf(5) variable.

I would suggest checking /etc/rc.conf to see if 'local_startup' has been
set, and then set LOCAL_RC_PATH in rkhunter.conf to that path. If it is
not set, then look in the above directories
(/usr/local/etc/rc.d, /usr/X11R6/etc/rc.d) to see if some local startup
script has been set in there. It may be that you will need to set
LOCAL_RC_PATH to several file names if the directories contain several
files.

This is not ideal, but for the moment should work. As mentioned, we
should modify RKH to allow for several startup directories.



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
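
The check suggested in the message above, as an added example that is not part of the original e-mail or of rkhunter itself: it reads 'local_startup' from rc.conf, falls back to the two default directories quoted from the man page, and prints a LOCAL_RC_PATH line listing the files found. The function names and the RC_CONF variable are hypothetical, and the space-separated value format for LOCAL_RC_PATH is an assumption.

```shell
#!/bin/sh
# Added example: build a LOCAL_RC_PATH line for rkhunter.conf on FreeBSD.
# Function names are hypothetical; they are not part of rkhunter.

# Print the value of the last 'local_startup' assignment in rc.conf ($1),
# with any trailing comment and surrounding quotes removed.
get_local_startup() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*local_startup=//p' "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Print every regular file found in the local startup directories,
# one per line. Sub-directories and missing directories are skipped.
list_local_rc_files() {
    dirs=$(get_local_startup "$1")
    # Defaults quoted from rc(8) when local_startup is not set.
    if [ -z "$dirs" ]; then
        dirs="/usr/local/etc/rc.d /usr/X11R6/etc/rc.d"
    fi
    for d in $dirs; do
        if [ -d "$d" ]; then
            for f in "$d"/*; do
                if [ -f "$f" ]; then
                    printf '%s\n' "$f"
                fi
            done
        fi
    done
}

# Print the line to paste into rkhunter.conf, or nothing when no local
# startup scripts exist. Assumption: LOCAL_RC_PATH takes a space-separated
# list, so file names containing spaces are not handled.
local_rc_path_line() {
    files=$(list_local_rc_files "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$files" ]; then
        printf 'LOCAL_RC_PATH="%s"\n' "$files"
    fi
}

# RC_CONF is a hypothetical override for testing against a copy of rc.conf.
local_rc_path_line "${RC_CONF:-/etc/rc.conf}"
```

Review the printed list before pasting it into rkhunter.conf, since every file in it will be scanned on each run.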
