On Sun, 2009-02-15 at 23:20 +0100, Christoph Anton Mitterer wrote:
> On Thu, 2009-02-12 at 20:40 +0100, Julien Valroff wrote:
> > Just in case you haven't subscribed to the bug (forgot to cc you in my
> > original answer)
> Thanks =), normally I should have been subscribed,.. but I wasn't,..
> strange.
>
> > > Sorry for my late reply, I have just noticed I haven't received some
> > > email related to rkhunter (I am to blame for this).
> No problem :-)
>
> > > Would you please confirm you are using rkhunter 1.3+?
> 1.3.2-6
>
> > > Your report doesn't state package information (while you seem to have
> > > used reportbug - if that's the case, please leave the appropriate
> > > pseudo-headers next time).
> Sorry,... I used reportbug on a system where rkhunter wasn't
> installed,.. and my observations were done on another ;)
>
> I just tried it again,.. and e.g. /etc/.java is still not found.
>
> > > First, please make sure that all the whitelist entries referring
> > > to /etc/.java are commented out (note that in the default configuration
> > > file, both file and directory examples co-exist for this particular
> > > case).
> Checked it again:
> #ALLOWHIDDENDIR=/etc/.java
> #ALLOWHIDDENFILE=/etc/.java
>
> > > Please check that 'file' is installed correctly (rkhunter depends on it,
> > > but as you haven't left this information in your report, I need to make
> > > sure the package is setup). If not installed, you should get a warning
> > > from rkhunter anyway.
> Of course it's there
>
> > > Is the filesystem test enabled (or at least not disabled)?
> Yes:
> ENABLE_TESTS="all"
> #DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>
> > > Is /etc/.java a file or a directory?
> > > rkhunter doesn't report empty hidden files.
> # stat /etc/.java
>   File: `/etc/.java'
>   Size: 25              Blocks: 0          IO Block: 4096   directory
> Device: 803h/2051d      Inode: 4498136     Links: 3
> Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2009-02-15 23:16:21.671985679 +0100
> Modify: 2009-01-08 12:16:29.063350279 +0100
> Change: 2009-01-08 12:16:29.063350279 +0100
>
> > > Regarding wpa_supplicant, it is not a rootkit, I do not see why rkhunter
> > > should report it?
> Actually I don't know ;) ... it's just because chkrootkit reports it (it
> reports both, dhclient3 and wpa_supplicant, while rkhunter reports only
> dhclient3).
> And there is even an entry for it in the default rkhunter.conf:
> #ALLOWPROCLISTEN=/sbin/dhclient
> #ALLOWPROCLISTEN=/sbin/dhclient3
> #ALLOWPROCLISTEN=/sbin/dhcpcd
> #ALLOWPROCLISTEN=/usr/sbin/pppoe
> #ALLOWPROCLISTEN=/usr/sbin/tcpdump
> #ALLOWPROCLISTEN=/usr/sbin/snort-plain
> #ALLOWPROCLISTEN=/sbin/wpa_supplicant
>
> So I thought it _should_ be reported (which is not the case).
>
>
> Thanks :-)
>
> Chris.
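The two behaviours the thread turns on (a whitelist entry only counts when it is not commented out, and empty hidden files are not reported while a hidden directory such as /etc/.java is) are easy to get wrong when reading rkhunter.conf by hand. The script below is an added example, not rkhunter's own code, that re-implements that small part of the hidden-file check against a constructed directory tree. The config text, the functions parse_conf / hidden_entries / demo and the constructed paths (/etc/.hidden_rc, /etc/.rkhunter_ok) are assumptions made for the example; only the ALLOWHIDDENDIR / ALLOWHIDDENFILE / ENABLE_TESTS lines mirror the thread.

```python
"""Added example: rkhunter-style hidden-entry check with the whitelist
semantics discussed in the thread. Not rkhunter's implementation."""
import os
import stat
import tempfile

# Constructed sample of the relevant rkhunter.conf lines. Only the
# uncommented ALLOWHIDDENFILE line is active; /etc/.java is NOT whitelisted.
SAMPLE_CONF = """\
ENABLE_TESTS="all"
#DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
#ALLOWHIDDENDIR=/etc/.java
#ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/etc/.rkhunter_ok
#ALLOWPROCLISTEN=/sbin/wpa_supplicant
"""


def parse_conf(text):
    """Return {KEY: [value, ...]} for active (uncommented) KEY=VALUE lines.

    A leading '#' disables the line, so '#ALLOWHIDDENDIR=/etc/.java' does
    not whitelist anything, which is why the thread asks to check for it.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        entries.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return entries


def hidden_entries(directory, conf, root="/"):
    """Report dot-entries directly inside `directory`.

    Whitelisted paths are skipped, and, like rkhunter (per the thread),
    empty regular files are never reported. `root` lets the example run
    inside a temporary tree while comparing against absolute whitelist
    paths such as /etc/.java; in real use root stays "/".
    """
    allowed_dirs = set(conf.get("ALLOWHIDDENDIR", []))
    allowed_files = set(conf.get("ALLOWHIDDENFILE", []))
    findings = []
    for name in os.listdir(directory):
        if not name.startswith("."):
            continue
        path = os.path.join(directory, name)
        logical = "/" + os.path.relpath(path, root)  # e.g. /etc/.java
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode):
            if logical not in allowed_dirs:
                findings.append(logical)
        elif st.st_size == 0:
            continue  # empty hidden file: not reported
        elif logical not in allowed_files:
            findings.append(logical)
    return sorted(findings)


def demo():
    """Build a constructed /etc and run the check with and without the
    ALLOWHIDDENDIR=/etc/.java line active. Returns both result lists."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, ".java", "fonts"))  # hidden dir
        open(os.path.join(etc, ".pwd.lock"), "w").close()  # empty hidden file
        with open(os.path.join(etc, ".hidden_rc"), "w") as f:
            f.write("x")  # non-empty, not whitelisted -> reported
        with open(os.path.join(etc, ".rkhunter_ok"), "w") as f:
            f.write("x")  # non-empty but whitelisted -> not reported

        default = hidden_entries(etc, parse_conf(SAMPLE_CONF), root)
        whitelisted_conf = SAMPLE_CONF.replace(
            "#ALLOWHIDDENDIR=/etc/.java", "ALLOWHIDDENDIR=/etc/.java")
        whitelisted = hidden_entries(etc, parse_conf(whitelisted_conf), root)
    return default, whitelisted


if __name__ == "__main__":
    for label, found in zip(("default", "whitelisted"), demo()):
        print(label, found)
```

With the whitelist lines commented out as in the thread, the non-empty hidden directory /etc/.java is reported alongside the constructed /etc/.hidden_rc; the empty /etc/.pwd.lock is silently skipped. Uncommenting ALLOWHIDDENDIR=/etc/.java drops /etc/.java from the findings, which is the effect a stale whitelist entry would have on a real scan.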

