On 12/2/2009 2:11 PM, John Horne wrote:
>> Now, I am only apparently running two tests: File properties, and
>> rootkits.
> You need to check your config file to see what tests have been
> disabled.
Well, like I said before, I'm new to rkhunter, so I basically just left
it at the defaults. I'm using gentoo, so those are what the gentoo
ebuild maintainer set them to:
DISABLE_TESTS="apps deleted_files hidden_procs loaded_modules
packet_cap_apps suspscan"
I added the 'apps' to the above, so, subtract that, and that is what the
defaults were set to after installation.
> However, even without the apps test you should have whole sections of
> tests stating what they are doing:
>
> Checking system commands... (which includes the file properties test,
> but is not restricted to just that)
> Checking the network...
> Checking the local host...
I do see these in the log, but not in the email summary I get (see below)?
> Each of these have several tests within them. So unless you have
> disabled a lot of tests, you shouldn't have just the file properties
> and rootkit tests running.
Here is the email result of last nights test:
***************************************** Bgn
[ Rootkit Hunter version 1.3.4 ]
�[1;33mChecking rkhunter data files...�[0;39m
Checking file mirrors.dat�[34C[ �[1;32mNo update�[0;39m ]
Checking file programs_bad.dat�[29C[ �[1;32mNo update�[0;39m ]
Checking file backdoorports.dat�[28C[ �[1;32mNo update�[0;39m ]
Checking file suspscan.dat�[33C[ �[1;32mNo update�[0;39m ]
Checking file i18n/cn�[38C[ �[1;32mNo update�[0;39m ]
Checking file i18n/de�[38C[ �[1;32mNo update�[0;39m ]
Checking file i18n/en�[38C[ �[1;32mNo update�[0;39m ]
Checking file i18n/zh�[38C[ �[1;32mNo update�[0;39m ]
Checking file i18n/zh.utf8�[33C[ �[1;32mNo update�[0;39m ]
System checks summary
=====================
File properties checks...
Files checked: 136
Suspect files: 0
Rootkit checks...
Rootkits checked : 116
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 15 seconds
All results have been written to the logfile (/var/log/rkhunter.log)
No warnings were found while checking the system.
***************************************** End
(also - whats with the little squares in the email report?)
So, again - what makes for a sensible set of tests to run in most cases?
Which of the tests should I (or most people in general) have
enabled? I understand that every case is different, but I'm assuming
(uh-oh) that there are a basic set of tests that should be enabled for
most use cases?
This is a basic gentoo linux server, running iptables, postfix, dovecot,
mailman, apache, and squirrelmail (soon to be roundcube).
I really appreciate your helping out a noob... :)
--
Best regards,
Charles
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
