On 12/2/2009 2:11 PM, John Horne wrote:
>> Now, I am only apparently running two tests: File properties, and
>> rootkits.

> You need to check your config file to see what tests have been
> disabled.

Well, like I said before, I'm new to rkhunter, so I basically just left
it at the defaults. I'm using gentoo, so those are what the gentoo
ebuild maintainer set them to:

DISABLE_TESTS="apps deleted_files hidden_procs loaded_modules
packet_cap_apps suspscan"

I added the 'apps' to the above, so, subtract that, and that is what the
defaults were set to after installation.

> However, even without the apps test you should have whole sections of
> tests stating what they are doing:
> 
> Checking system commands... (which includes the file properties test,
> but is not restricted to just that)
> Checking the network...
> Checking the local host...

I do see these in the log, but not in the email summary I get (see below)?

> Each of these have several tests within them. So unless you have 
> disabled a lot of tests, you shouldn't have just the file properties
> and rootkit tests running.

Here is the email result of last night's test:

***************************************** Bgn

[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat[ No update ]
  Checking file programs_bad.dat[ No update ]
  Checking file backdoorports.dat[ No update ]
  Checking file suspscan.dat[ No update ]
  Checking file i18n/cn[ No update ]
  Checking file i18n/de[ No update ]
  Checking file i18n/en[ No update ]
  Checking file i18n/zh[ No update ]
  Checking file i18n/zh.utf8[ No update ]


System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 116
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 15 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

No warnings were found while checking the system.

***************************************** End

(also - what's with the little squares in the email report?)

So, again - what makes for a sensible set of tests to run in most cases?
Which of the tests should I (or most people in general) have
enabled? I understand that every case is different, but I'm assuming
(uh-oh) that there is a basic set of tests that should be enabled for
most use cases?

This is a basic gentoo linux server, running iptables, postfix, dovecot,
mailman, apache, and squirrelmail (soon to be roundcube).

I really appreciate your helping out a noob... :)

-- 

Best regards,

Charles
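As an added example (not from the thread and not part of rkhunter itself), a small Python parser for the summary format quoted in the mail above and for the DISABLE_TESTS line: it pulls the per-section counters out of the report, flags a run that reports suspect files, possible rootkits, warnings or a silently skipped section, and lists the names in DISABLE_TESTS so a skipped section can be matched to its disabled test. The sample inputs are copies of the text in the thread; the regexes assume the layout shown there.

```python
import re
# Sample input: the summary quoted in the mail above (copied, abbreviated)
SAMPLE_REPORT = """System checks summary
=====================

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 116
    Possible rootkits: 0

Applications checks...
    All checks skipped

No warnings were found while checking the system.
"""
# Sample config line from the mail (kept with the line wrap as it was posted)
SAMPLE_CONF = 'DISABLE_TESTS="apps deleted_files hidden_procs loaded_modules\npacket_cap_apps suspscan"'

SECTION_RE = re.compile(r"^(\S.*?) checks\.\.\.\s*$")        # e.g. "Rootkit checks..."
COUNT_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(\d+)\s*$")  # e.g. "    Suspect files: 0"

def disabled_tests(conf_text):
    """Return the set of test names in the quoted DISABLE_TESTS value (value may wrap)."""
    m = re.search(r'^DISABLE_TESTS="([^"]*)"', conf_text, re.M)
    return set(m.group(1).split()) if m else set()

def parse_summary(text):
    """Map each 'X checks...' section to its counters; note skipped sections and warnings."""
    sections, cur = {}, None
    for line in text.replace("\r", "").splitlines():       # tolerate CRLF mail bodies
        if m := SECTION_RE.match(line):
            cur = sections.setdefault(m.group(1), {})
        elif cur is not None and (m := COUNT_RE.match(line)):
            cur[m.group(1).strip().lower()] = int(m.group(2))
        elif cur is not None and line.strip() == "All checks skipped":
            cur["skipped"] = True
    return {"sections": sections, "warnings": "No warnings were found" not in text}

def needs_attention(result):
    """List reasons a run deserves a look: findings, warnings, or skipped sections."""
    s = result["sections"]
    reasons = [f"{sec}: {key} = {s[sec][key]}"
               for sec, key in (("File properties", "suspect files"), ("Rootkit", "possible rootkits"))
               if s.get(sec, {}).get(key, 0) > 0]
    if result["warnings"]:
        reasons.append("warnings present; read the logfile")
    reasons += [f"{sec}: all checks skipped" for sec, m in s.items() if m.get("skipped")]
    return reasons
```

For the report in the thread the only thing flagged is the skipped Applications section, which matches the 'apps' entry in DISABLE_TESTS.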

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users