On 12/2/2009 2:11 PM, John Horne wrote:
>> Now, I am only apparently running two tests: File properties, and
>> rootkits.
>
> You need to check your config file to see what tests have been
> disabled.

Well, like I said before, I'm new to rkhunter, so I basically just left it at the defaults. I'm using Gentoo, so those are what the Gentoo ebuild maintainer set them to:

DISABLE_TESTS="apps deleted_files hidden_procs loaded_modules packet_cap_apps suspscan"

I added the 'apps' to the above, so, subtract that, and that is what the defaults were set to after installation.

> However, even without the apps test you should have whole sections of
> tests stating what they are doing:
>
> Checking system commands... (which includes the file properties test,
> but is not restricted to just that)
> Checking the network...
> Checking the local host...

I do see these in the log, but not in the email summary I get (see below)?

> Each of these have several tests within them. So unless you have
> disabled a lot of tests, you shouldn't have just the file properties
> and rootkit tests running.

Here is the email result of last night's test:

***************************************** Bgn
[ Rootkit Hunter version 1.3.4 ]

[1;33mChecking rkhunter data files...[0;39m
  Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
  Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
  Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
  Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
  Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/de[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zh.utf8[33C[ [1;32mNo update[0;39m ]

System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 116
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 15 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

No warnings were found while checking the system.
***************************************** End

(also - what's with the little squares in the email report?)

So, again - what makes for a sensible set of tests to run in most cases? Which of the tests should I (or most people in general) have enabled? I understand that every case is different, but I'm assuming (uh-oh) that there is a basic set of tests that should be enabled for most use cases?

This is a basic Gentoo Linux server, running iptables, postfix, dovecot, mailman, apache, and squirrelmail (soon to be roundcube).

I really appreciate your helping out a noob... :)

--
Best regards,
Charles

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
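An added example, not from anyone in this thread: the "little squares" in the mailed report are terminal control sequences (colour codes such as `[1;32m` and cursor moves such as `[34C`, each preceded by an ESC byte that the mail client cannot render). This Python snippet strips them and pulls the counts out of the "System checks summary" so a cron wrapper can tell a clean run from one that needs a look. The sample report text is constructed from the summary posted above, with the ESC byte restored.

```python
import re

# Constructed sample resembling the mailed report above; in the real output
# every bracket sequence is preceded by ESC (\x1b), which mail clients show as a box.
SAMPLE = (
    "\x1b[1;33mChecking rkhunter data files...\x1b[0;39m\n"
    "Checking file mirrors.dat\x1b[34C[ \x1b[1;32mNo update\x1b[0;39m ]\n"
    "\n"
    "System checks summary\n"
    "=====================\n"
    "\n"
    "File properties checks...\n"
    "    Files checked: 136\n"
    "    Suspect files: 0\n"
    "\n"
    "Rootkit checks...\n"
    "    Rootkits checked : 116\n"
    "    Possible rootkits: 0\n"
    "\n"
    "Applications checks...\n"
    "    All checks skipped\n"
)

# CSI sequence: ESC '[' optional parameter bytes, then one final byte in 0x40-0x7E.
# This covers both colour (SGR, final 'm') and cursor-forward (final 'C') sequences.
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[@-~]")

# Summary lines look like "    Suspect files: 0" or "    Rootkits checked : 116".
SUMMARY_RE = re.compile(
    r"^\s*(Files checked|Suspect files|Rootkits checked|Possible rootkits)\s*:\s*(\d+)\s*$",
    re.M,
)


def strip_ansi(text: str) -> str:
    """Remove terminal control sequences so the report reads as plain text."""
    return CSI_RE.sub("", text)


def parse_summary(text: str) -> dict:
    """Return the numeric fields of the 'System checks summary' as a dict."""
    return {name: int(value) for name, value in SUMMARY_RE.findall(strip_ansi(text))}


def needs_attention(summary: dict) -> bool:
    """True when rkhunter reported any suspect file or possible rootkit."""
    return summary.get("Suspect files", 0) > 0 or summary.get("Possible rootkits", 0) > 0
```

Running rkhunter with `--nocolors` avoids the sequences at the source; the stripping is only needed for reports already produced with colour on.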