Package: rkhunter
Version: 1.3.0-1
Severity: normal
Tags: patch
Hi,
on my system the socklog daemon is responsible for system logging:
$ ps -ef | grep "socklog unix" | grep -v grep
nobody 4988 4979 0 Sep27 ? 00:00:00 socklog unix /dev/log
But rkhunter did not recognize it. I attached a patch that modifies
the hardcoded metalog into a "syslog compatible" message.
Then an additional check for "socklog unix" is added.
Regards,
Bastian
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-ck1treasure4 (PREEMPT)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages rkhunter depends on:
ii debconf [debconf-2. 1.5.14 Debian configuration management sy
ii file 4.21-3 Determines file type using "magic"
ii net-tools 1.60-17 The NET-3 networking toolkit
ii perl 5.8.8-11 Larry Wall's Practical Extraction
ii qmail-run [mail-tra 1.03+calvin-0calvin3 Secure, reliable, efficient, simpl
Versions of packages rkhunter recommends:
ii binutils 2.18-1 The GNU assembler, linker and bina
ii iproute 20070313-1 Professional tools to control the
ii libmd5-perl 2.03-1 backwards-compatible wrapper for D
ii wget 1.10.2-3 retrieves files from the web
-- debconf information:
* rkhunter/cron_daily_run: true
* rkhunter/cron_db_update: false
--- /usr/bin/rkhunter.orig 2007-09-28 08:21:34.000000000 +0200
+++ /usr/bin/rkhunter 2007-09-28 08:28:28.000000000 +0200
@@ -9408,7 +9408,7 @@
#
SYSLOG_SEEN=0
- METALOG_SEEN=0
+ COMPATIBLE_SEEN=0
if [ -n "${PS_CMD}" ]; then
PS_ARGS="ax"
@@ -9423,12 +9423,15 @@
display --to SCREEN+LOG --type PLAIN --result FOUND
--color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
else
RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep 'metalog( |$)'
| grep -v 'egrep'`
+ if [ -z "${RKHTMPVAR}" ]; then
+ RKHTMPVAR=`${PS_CMD} ${PS_ARGS} | egrep
'socklog unix( |$)' | grep -v 'egrep'`
+ fi
if [ -n "${RKHTMPVAR}" ]; then
- METALOG_SEEN=1
+ COMPATIBLE_SEEN=1
display --to SCREEN+LOG --type PLAIN --result
NOT_FOUND --color GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
- display --to LOG --type INFO --log-indent 2
SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING
+ display --to LOG --type INFO --log-indent 2
SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING
else
display --to SCREEN+LOG --type PLAIN --result
WARNING --color RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_SYSLOG
display --to LOG --type WARNING
SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING
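Review bot: the INFO line logged in this hunk no longer records which daemon was actually found; with the metalog-specific message replaced by SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING, an administrator reading the log cannot tell metalog from socklog. Other messages in the i18n file already take a positional parameter (SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND uses $1), so the daemon name could be passed the same way, e.g. set RKHTMPVAR2="metalog" or "socklog" in the branch that matched and call `display --to LOG --type INFO --log-indent 2 SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING "${RKHTMPVAR2}"`. Also note the added backtick command is split across two lines in the mail (`egrep` on one line, `'socklog unix( |$)' | grep -v 'egrep'` on the next); as shown the patch will not apply or will produce a broken command substitution, so the line should be resent unwrapped. The `socklog unix( |$)` pattern, like the existing `metalog( |$)` one, matches on the full `ps ax` line rather than the command name, so any process whose arguments happen to contain that string is taken as a running logger; anchoring on the command field would make the check less forgiving.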
@@ -9460,7 +9463,7 @@
if [ -n "${SYSLOG_CONFIG_FILE}" ]; then
display --to SCREEN+LOG --type PLAIN --result FOUND --color
GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
display --to LOG --type INFO SYSTEM_CONFIGS_FILE_FOUND "syslog"
"${SYSLOG_CONFIG_FILE}"
- elif [ $METALOG_SEEN -eq 1 ]; then
+ elif [ $COMPATIBLE_SEEN -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color
GREEN --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
elif [ $SYSLOG_SEEN -eq 1 ]; then
display --to SCREEN+LOG --type PLAIN --result WARNING --color
RED --log-indent 2 --screen-indent 4 SYSTEM_CONFIGS_FILE "syslog"
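Review bot: with this branch, a missing syslog configuration file is accepted silently (NOT_FOUND in green) whenever COMPATIBLE_SEEN is 1, and because the flag now covers socklog as well as metalog, the subsequent syslog remote-logging check (SYSTEM_CONFIGS_SYSLOG_REMOTE, which presumably inspects that file) is skipped for both daemons without any log entry saying so. An INFO line stating that the remote-logging test was not run because a non-syslog daemon is in use would make the report less misleading.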
--- /var/lib/rkhunter/db/i18n/en.orig 2007-09-28 08:24:31.710908886 +0200
+++ /var/lib/rkhunter/db/i18n/en 2007-09-28 08:24:52.711682181 +0200
@@ -438,7 +438,7 @@
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:The default value may be '2,1', to allow the
use of protocol v1.
SYSTEM_CONFIGS_SYSLOG:Checking for running syslog daemon
SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:The syslog daemon is not running.
-SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon is not running, but a
metalog daemon has been found.
+SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING:The syslog daemon is not running, but
a compatible daemon has been found.
SYSTEM_CONFIGS_SYSLOG_NO_FILE:The syslog daemon is running, but no
configuration file can be found.
SYSTEM_CONFIGS_SYSLOG_REMOTE:Checking if syslog remote logging is allowed
SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog configuration file allows remote
logging: $1
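Review bot: renaming the message key here means every language file under /var/lib/rkhunter/db/i18n/ must carry the new SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING key, otherwise lookups of it fail in those locales; this patch updates only en and cn, so any other language files present should be checked. The new text "a compatible daemon" would also read better as "a syslog-compatible daemon", matching the wording in the bug report.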
--- /var/lib/rkhunter/db/i18n/cn.orig 2007-09-28 08:33:30.230746224 +0200
+++ /var/lib/rkhunter/db/i18n/cn 2007-09-28 08:33:57.231741330 +0200
@@ -437,7 +437,7 @@
SYSTEM_CONFIGS_SSH_PROTO_NOTFOUND:默认值可能是 '2,1', 允许使用 v1协议.
SYSTEM_CONFIGS_SYSLOG:检测是否运行syslog daemon
SYSTEM_CONFIGS_SYSLOG_NOT_RUNNING:syslog daemon 没有运行.
-SYSTEM_CONFIGS_SYSLOG_METALOG_RUNNING:The syslog daemon 没有运行, 但是已经发现一个metalog
daemon.
+SYSTEM_CONFIGS_SYSLOG_COMPATIBLE_RUNNING:The syslog daemon 没有运行,
但是已经发现一个compatible daemon.
SYSTEM_CONFIGS_SYSLOG_NO_FILE:syslog daemon 正在运行, 但是无法发现配置文件.
SYSTEM_CONFIGS_SYSLOG_REMOTE:检测是否允许 syslog remote logging
SYSTEM_CONFIGS_SYSLOG_REMOTE_FOUND:Syslog 配置文件允许远程登陆: $1
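Review bot: the replacement string in this hunk keeps the English fragments "The syslog daemon" and "compatible daemon" inside an otherwise Chinese message, exactly as the old METALOG line did; since the line is being touched anyway, a fully Chinese rendering such as "syslog daemon 没有运行, 但是已经发现一个兼容的 daemon." would be consistent with the neighbouring entries, which use "syslog daemon 没有运行." without the English article. As in the en hunk, the key rename must be mirrored in any other locale files.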