John, thanks for the accuracy and amount of feedback on the issue I raised earlier. But I confess I should have read the man page more closely, as you already mentioned the -r switch.

I may get around to writing a mini howto, but to refresh: my last email stated "My objective is to use a live cd that I can take to anyone's computer and have it scan a hard drive and not write to disk" ... and I should have said a linux desktop home user computer, so I stand corrected.

2) Agreed that if we are not using a database already established, we lose the scan power of file integrity checks ... but I strongly believe that detecting a rootkit, in itself, is sufficient proof of intrusion.

3) Some may suggest I am being complacent, but I believe most intruders will install a rootkit. If not, certainly all script kiddies. So I agree that in NOT finding rootkits I cannot infer no intrusion on another computer using the re-mastered live cd.

4) Some excerpts that I think are relevant from the log:

[19:19:04] Info: Command line is ./rkhunter -c -sk --configfile /rkh/etc/rkhunter.conf -r /z
(comment: my symbolic link failed and I will try a re-master with a bashrc ... RIP had none)

[19:19:04] Info: Using configuration file '/rkh/etc/rkhunter.conf'
(comment: /rkh was a new folder created in the re-master, a custom layout similar to gobolinux style)

[19:19:04] Info: Using '/z' as the root directory
(comment: new /z created to allow hard drive partitions to be mounted on the new tree)

[19:19:04] Info: Using '/rkh/var/lib/rkhunter/tmp' as the temporary directory
(comment: I embedded a new conf file with this switch ... thanks John for pointing out RKH needs a temp)

[19:19:04] Info: Found the 'diff' command: /usr/bin/diff
(comment: uses the RIP command, not the hard drive, proving no chroot ... if the intrusion has deleted or modded these files I will remain ignorant)

[19:19:05] Scanning for string /usr/lib/.../lsof [ OK ]
(comment: ditto)

[19:19:09] /z/bin/find [ OK ]
(comment: the z shows these scans are a success ... woo hooo)

[19:19:22] Checking for file '/z/dev/proc/fuckit/hax0r' [ Not found ]
(comment: testing rootkits is clearly a success as exhibited by this log and similar output)

[19:26:06] Info: Found hidden file '/z/usr/share/man/man1/..1.lzma': it is whitelisted.
(comment: this has me stumped ... I made no such config)

Overall I am very happy that the dev team allowed the rootdir and tmp switches that allow anyone to remaster a live cd, or install into a ramdrive live cd, your RKH and test for rootkits on a linux computer.

I am resisting the urge to buy another carton of beer. heh heh

cheerio

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
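The live-CD procedure discussed in the post (mount the target disk under a new root such as /z, keep rkhunter's temp directory off that disk, then run the scan with -r), as an added shell example that is not from the post or from the rkhunter project. It assumes the post's paths (/rkh/etc/rkhunter.conf, /z, /rkh/var/lib/rkhunter/tmp) and rkhunter's --tmpdir option; the device name is a placeholder, and the read-only check only meets the "do not write to disk" objective if the mount really is ro.

```shell
#!/bin/sh
# Added example (not from the post): scan a home user's disk from a live CD
# with rkhunter, refusing to run unless the target is mounted read-only.
# Assumed layout: rkhunter under /rkh on the live CD, target tree at /z.

# Return 0 if mount point $2 is listed with the 'ro' option in the mounts
# table $1 (normally /proc/mounts; a file path so it can be checked offline).
mount_is_readonly() {
    awk -v mp="$2" '
        $2 == mp { n = split($4, opt, ",")
                   for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Assemble the command line from the post's log: -c (check), -sk (skip
# keypress), the live-CD config file, -r so the mounted disk is treated as
# root, and --tmpdir so scratch files go to the ramdisk, not the target.
build_scan_cmd() {
    printf 'rkhunter -c -sk --configfile %s -r %s --tmpdir %s\n' "$1" "$2" "$3"
}

# Mount the target read-only (noexec/nosuid/nodev so nothing on it can run),
# verify the mount, then scan. Note: ext3/ext4 still replay a dirty journal
# on an ro mount unless 'noload' is added, which is filesystem specific.
run_scan() {
    dev="$1"; root="$2"
    conf="${3:-/rkh/etc/rkhunter.conf}"; tmp="${4:-/rkh/var/lib/rkhunter/tmp}"
    mkdir -p "$root" "$tmp"
    mount -o ro,noexec,nosuid,nodev "$dev" "$root" || return 1
    if ! mount_is_readonly /proc/mounts "$root"; then
        echo "refusing to scan: $root is not mounted read-only" >&2
        return 1
    fi
    echo "running: $(build_scan_cmd "$conf" "$root" "$tmp")"
    rkhunter -c -sk --configfile "$conf" -r "$root" --tmpdir "$tmp"
}

# Usage from the live CD (device is a placeholder): ./scan.sh --run /dev/sdX1 /z
if [ "${1:-}" = "--run" ]; then
    shift
    run_scan "$@"
fi
```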