Package: rkhunter
Version: 1.3.0-1
Severity: normal
Tags: patch

Hi,

on my system the socklog daemon is responsible for system logging:

$ ps -ef | grep "socklog unix" | grep -v grep
nobody    4988  4979  0 Sep27 ?        00:00:00 socklog unix /dev/log

But rkhunter did not recognize it. I attached a patch that modifies the hardcoded metalog into a "syslog compatible" message. Then an additional check for "socklog unix" is added.

Regards,
Bastian

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-ck1treasure4 (PREEMPT)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages rkhunter depends on:
ii  debconf [debconf-2.  1.5.14               Debian configuration management sy
ii  file                 4.21-3               Determines file type using "magic"
ii  net-tools            1.60-17              The NET-3 networking toolkit
ii  perl                 5.8.8-11             Larry Wall's Practical Extraction
ii  qmail-run [mail-tra  1.03+calvin-0calvin3 Secure, reliable, efficient, simpl

Versions of packages rkhunter recommends:
ii  binutils             2.18-1               The GNU assembler, linker and bina
ii  iproute              20070313-1           Professional tools to control the
ii  libmd5-perl          2.03-1               backwards-compatible wrapper for D
ii  wget                 1.10.2-3             retrieves files from the web

-- debconf information:
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: false
--- /usr/bin/rkhunter.orig 2007-09-28 08:21:34.000000000 +0200 +++ /usr/bin/rkhunter 2007-09-28 08:28:28.000000000 +0200 @@ -9408,7 +9408,7 @@ # SYSLOG_SEEN=0 - METALOG_SEEN=0 + COMPATIBLE_SEEN=0 if [ -n "${PS_CMD}" ]; then PS_ARGS="ax" @@ -9423,12 +9423,15 @@ display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG else RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'metalog( |$)' | grep -v 'egrep'` + if [ -z "${RKHTMPVAR}" ]; then + RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'socklog unix( |$)' | grep -v 'egrep'` + fi if [ -n "${RKHTMPVAR}" ]; then - METALOG_SEEN=1 + COMPATIBLE_SEEN=1 display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG - display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING + display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING else display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG display --to LOG --type WARNING SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING @@ -9460,7 +9463,7 @@ if [ -n "${SYSLOG_CONFIG_FILE}" ]; then display --to SCREEN+LOG --type PLAIN --result FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog" display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "syslog" "${SYSLOG_CONFIG_FILE}" - elif [ $METALOG_SEEN -eq 1 ]; then + elif [ $COMPATIBLE_SEEN -eq 1 ]; then display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog" elif [ $SYSLOG_SEEN -eq 1 ]; then display --to SCREEN+LOG --type PLAIN --result WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog" --- /var/lib/rkhunter/db/i18n/en.orig 2007-09-28 08:24:31.710908886 +0200 +++ /var/lib/rkhunter/db/i18n/en 2007-09-28 08:24:52.711682181 +0200 
@@ -438,7 +438,7 @@ SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the use of protocol v1. SYSTEM_CONFIGS_SYSLOG:Checking for running syslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:The syslog daemon is not running. -SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon is not running, but a metalog daemon has been found. +SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING:The syslog daemon is not running, but a compatible daemon has been found. SYSTEM_CONFIGS_SYSLOG_NO_FILE:The syslog daemon is running, but no configuration file can be found. SYSTEM_CONFIGS_SYSLOG_REMOTE:Checking if syslog remote logging is allowed SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog configuration file allows remote logging: $1 --- /var/lib/rkhunter/db/i18n/cn.orig 2007-09-28 08:33:30.230746224 +0200 +++ /var/lib/rkhunter/db/i18n/cn 2007-09-28 08:33:57.231741330 +0200 @@ -437,7 +437,7 @@ SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:默认值可能是 '2,1', 允许使用 v1协议. SYSTEM_CONFIGS_SYSLOG:检测是否运行syslog daemon SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:syslog daemon 没有运行. -SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon 没有运行, 但是已经发现一个metalog daemon. +SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING:The syslog daemon 没有运行, 但是已经发现一个compatible daemon. SYSTEM_CONFIGS_SYSLOG_NO_FILE:syslog daemon 正在运行, 但是无法发现配置文件. SYSTEM_CONFIGS_SYSLOG_REMOTE:检测是否允许 syslog remote logging SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog 配置文件允许远程登陆: $1
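Review bot: the socklog branch added in the @@ -9423 hunk of /usr/bin/rkhunter throws away which daemon matched, so the log can only say "a compatible daemon" where the replaced message named metalog. RKHTMPVAR already holds the matching ps line at that point, so pass the name through, e.g. `display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING "socklog"` (and "metalog" when the first egrep hit), and give the i18n string a `$1` placeholder the way SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND already does. Separately, `egrep 'socklog unix( |$)'` is anchored only on the right, so any process whose arguments merely contain that substring also counts as the logger; anchoring on the left as well (for instance `egrep '(^|[ /])socklog unix( |$)'`) keeps the match to the command itself, which matters more now that the pipeline's own `grep -v 'egrep'` is the only thing excluding false hits.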
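Review bot: in the @@ -9460 hunk, COMPATIBLE_SEEN=1 makes a missing syslog configuration file a green NOT_FOUND, so for socklog (as for metalog before) the configuration step is skipped rather than performed, and nothing in the log says so. Since the variable now stands for more than one daemon, add a comment at that `elif` stating that these daemons' own configuration is deliberately not inspected, or emit a LOG-level INFO line to that effect, so a reader of the log does not assume the file was examined.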
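Review bot: renaming the key SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING to SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING in the en file changes a message identifier the script now emits, so any other language file under /var/lib/rkhunter/db/i18n/ that still defines only the old key would have no text for the new one; only en and cn are touched here. Either keep the old key alongside the new one in the script, or update every i18n file that carries it.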
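Review bot: the cn string keeps English fragments ("The syslog daemon", "compatible daemon") inside the Chinese sentence, as the metalog line it replaces did. If the translation is not at hand, leave the cn file to its maintainer rather than shipping a half-translated string, or mirror the en text verbatim so it is visibly untranslated.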
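As an added example (not part of the bug report and not rkhunter's own code), here is a small POSIX sh check that classifies the running logger from `ps ax`-style output and names the daemon it found, so the name can be handed to the log message. It matches on the command field rather than the whole line, which is why neither the grep pipeline's own command line (which contains the search string) nor a look-alike such as `xsocklog` counts as a hit, and it only accepts socklog in `unix` mode, the mode that listens on /dev/log. The ps lines it reads are constructed for the example, and the list of daemon names is an assumption, not rkhunter's list.

```sh
#!/bin/sh
# Added example, not rkhunter code. Reads `ps ax` lines on stdin, prints the
# name of the first syslog-compatible daemon found and returns 0; returns 1
# if none is running. The set of recognised daemons is an assumption.
detect_syslog_daemon() {
    # `ps ax` lines are: PID TTY STAT TIME COMMAND [ARGS...]. `read` splits on
    # whitespace, so cmd holds the command and rest holds its arguments.
    while read -r pid tty stat tm cmd rest; do
        cmd=${cmd##*/}          # strip the path: /usr/sbin/rsyslogd -> rsyslogd
        case "$cmd" in
            syslogd|rsyslogd|syslog-ng)
                echo "$cmd"; return 0 ;;
            metalog)
                echo metalog; return 0 ;;
            socklog)
                # Only the unix mode replaces syslogd on /dev/log; inet mode does not.
                case "$rest" in
                    unix|"unix "*) echo "socklog unix"; return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Constructed `ps ax` output, including the grep that searched for the daemon.
SAMPLE_SOCKLOG='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [2]
 4979 ?        Ss     0:00 runsv socklog-unix
 4988 ?        S      0:00 socklog unix /dev/log
 5120 pts/0    R+     0:00 grep -E socklog unix( |$)'

# Constructed: a look-alike name before the real logger.
SAMPLE_RSYSLOG='  PID TTY      STAT   TIME COMMAND
 5201 ?        S      0:00 /usr/local/bin/xsocklog unix /dev/log
 2210 ?        Ss     0:00 /usr/sbin/rsyslogd -c3'

# Constructed: socklog in inet mode only, plus the searching grep itself.
SAMPLE_NONE='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [2]
 4990 ?        S      0:00 socklog inet 0 514
 5120 pts/0    R+     0:00 grep -E socklog unix( |$)'

# Stand-alone run over the three samples.
for s in "$SAMPLE_SOCKLOG" "$SAMPLE_RSYSLOG" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | detect_syslog_daemon || echo "no syslog-compatible daemon running"
done
```

On a live system the function would be fed by `ps ax | detect_syslog_daemon`; the printed name is what a `$1` placeholder in the i18n message would carry.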