On Thu, 2009-12-03 at 11:56 -0500, Tanstaafl wrote:
> On 12/2/2009 2:11 PM, John Horne wrote:
>
>> Now, I am only apparently running two tests: File properties, and
>> rootkits.
>
> > You need to check your config file to see what tests have been
> > disabled.
>
> Well, like I said before, I'm new to rkhunter, so I basically just left
> it at the defaults. I'm using gentoo, so those are what the gentoo
> ebuild maintainer set them to:
>
> DISABLE_TESTS="apps deleted_files hidden_procs loaded_modules
> packet_cap_apps suspscan"
>
These are the default supplied disabled tests (apart from apps). So, it
means you are running the usual tests.

> I added the 'apps' to the above, so, subtract that, and that is what the
> defaults were set to after installation.
>
> > However, even without the apps test you should have whole sections of
> > tests stating what they are doing:
> >
> > Checking system commands... (which includes the file properties test,
> > but is not restricted to just that)
> > Checking the network...
> > Checking the local host...
>
> I do see these in the log, but not in the email summary I get (see below)?
>
> Here is the email result of last night's test:
>
> ***************************************** Bgn
>
> [ Rootkit Hunter version 1.3.4 ]
>
> [1;33mChecking rkhunter data files...[0;39m
> Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
> Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
> Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
> Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
> Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
> Checking file i18n/de[38C[ [1;32mNo update[0;39m ]
> Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
> Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
> Checking file i18n/zh.utf8[33C[ [1;32mNo update[0;39m ]
>
This is the output of running 'rkhunter --update'. These files rarely
change, but you should use '--update' every so often just in case they do
change. As already mentioned the 'funny characters' above are due to
coloured output. You should get your maintainer to change the options and
use '--nocolors', or '--cronjob' if that is more appropriate.

> System checks summary
> =====================
>
> File properties checks...
> Files checked: 136
> Suspect files: 0
>
> Rootkit checks...
> Rootkits checked : 116
> Possible rootkits: 0
>
> Applications checks...
> All checks skipped
>
> The system checks took: 1 minute and 15 seconds
>
> All results have been written to the logfile (/var/log/rkhunter.log)
>
> No warnings were found while checking the system.
>
This is just the summary, and again can be seen by using something like
'rkhunter --check -q --summary' (I think). It shows no warnings were
found, so nothing to worry about.

> ***************************************** End
>
> (also - what's with the little squares in the email report?)
>
> So, again - what makes for a sensible set of tests to run in most cases?
> Which of the tests should I (or most people in general) have
> enabled? I understand that every case is different, but I'm assuming
> (uh-oh) that there are a basic set of tests that should be enabled for
> most use cases?
>
I would say leave things as they are. You seem to be running the standard
tests that most RKH users run. As far as I can tell you aren't being shown
the tests being run, or their results, but just the summary. That's fine.
In which case just take note as to whether any warnings were found or
not. If any are found then look in the log file, it will give more details
of what was wrong.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
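As an added example (not code from the thread or from the rkhunter project), a small POSIX shell script that does by script what John describes by hand: it strips the colour sequences from a mailed report and then checks the summary counts and the 'No warnings' line, so a cron job only has to raise an alert when /var/log/rkhunter.log actually needs reading. The rkhunter flags in the comment are the ones named in the thread; the sample reports are constructed from the one Tanstaafl pasted.

```shell
# Added example (not rkhunter's own code or part of the thread): strip the
# colour codes John describes from a mailed report, then decide from the
# summary alone whether anyone needs to open /var/log/rkhunter.log.
esc=$(printf '\033')   # the ESC byte that starts each colour/cursor sequence

# Remove ANSI colour and cursor-movement sequences (the "funny characters"
# that appear when rkhunter is run without --nocolors or --cronjob).
strip_ansi() {
    sed "s/${esc}\[[0-9;]*[A-Za-z]//g"
}

# Read a summary on stdin; succeed (exit 0) only if it reports a clean run.
# A missing field, a non-zero count or a warning line all fail (exit 1).
summary_clean() {
    report=$(cat)
    rootkits=$(printf '%s\n' "$report" |
        sed -n 's/^[[:space:]]*Possible rootkits[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    suspect=$(printf '%s\n' "$report" |
        sed -n 's/^[[:space:]]*Suspect files[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "$report" | grep -q 'No warnings were found' &&
        [ "${rootkits:-1}" -eq 0 ] && [ "${suspect:-1}" -eq 0 ]
}

# What a cron job could pipe into: rkhunter --check --nocolors --summary | check_report
check_report() {
    strip_ansi | summary_clean
}

# Constructed sample: the clean report from the thread, with colours still on.
CLEAN_REPORT="${esc}[1;33mChecking rkhunter data files...${esc}[0;39m
Checking file mirrors.dat${esc}[34C[ ${esc}[1;32mNo update${esc}[0;39m ]
System checks summary
=====================
File properties checks...
    Files checked: 136
    Suspect files: 0
Rootkit checks...
    Rootkits checked : 116
    Possible rootkits: 0
No warnings were found while checking the system."

# Constructed sample: the same summary after a run that flagged one file.
WARN_REPORT=$(printf '%s\n' "$CLEAN_REPORT" |
    sed -e 's/Suspect files: 0/Suspect files: 1/' \
        -e 's/No warnings were found/One or more warnings have been found/')

printf '%s\n' "$CLEAN_REPORT" | check_report && echo "clean run"
printf '%s\n' "$WARN_REPORT" | check_report || echo "warnings: read /var/log/rkhunter.log"
```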