Hi John,

> > Hi Brian,
> >
> > > Hi Michael
> > >
> > > You have named twice on that whitelist.
> > > While I haven't studied the code to see what happens, that doesn't
> > > look right to me.
> >
> Specifying an app name twice in the whitelist makes no difference, only
> the checked app name on its own or the app name and its version
> number will be used. Any other occurrence of the app name is simply
> not used.

Ok.

> > Yeah I didn't notice that. I changed the line to:
> >
> > APP_WHITELIST="httpd:2.2.3 named:9.3.6-P1 sshd:4.3p2 php:5.1.6 openssl:0.9.8e"
> >
> > and re-ran /etc/cron.daily/rkhunter
> >
> > and got the output:
> >
> > Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
> > Warning: Application 'sshd', version '4.9p1', is out of date, and possibly a security risk.
> >
> > So I then changed it to:
> >
> > APP_WHITELIST="httpd:2.2.3 named:9.3.6-P1 sshd:4.9p1 php:5.1.6 openssl:0.9.8e"
> >
> > and got the output:
> >
> > Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
> >
> > So it seems the named entry is still ignored?
> >
> Well I just tested this - with named version 9.6.1-p1 - and the
> whitelisting worked fine. I would suggest looking in the RKH log
> file. It will say what whitelisted apps it has found, and the

I'm not sure why it works for you, because it definitely doesn't work
for me. All the servers I have with this named version (contained with
EL5) do the same thing:

[12:27:40] Checking application versions...
[12:27:40] Info: Starting test name 'apps'
[12:27:44] Info: Application 'exim' not found.
[12:27:44] Checking version of GnuPG [ OK ]
[12:27:44] Info: Application 'gpg' version '1.4.5' found.
[12:27:45] Checking version of Apache [ OK ]
[12:27:45] Info: Found application 'httpd' version '2.2.3': this version is whitelisted.
[12:27:46] Checking version of Bind DNS [ Warning ]
[12:27:46] Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
[12:27:46] Checking version of OpenSSL [ OK ]
[12:27:47] Info: Found application 'openssl' version '0.9.8e': this version is whitelisted.
[12:27:47] Checking version of PHP [ OK ]
[12:27:47] Info: Found application 'php' version '5.1.6': this version is whitelisted.
[12:27:47] Checking version of Procmail MTA [ OK ]
[12:27:48] Info: Application 'procmail' version '3.22' found.
[12:27:48] Info: Application 'proftpd' not found.
[12:27:48] Checking version of OpenSSH [ OK ]
[12:27:48] Info: Found application 'sshd' version '4.3p2': this version is whitelisted.
[12:27:48] Info: Applications checked: 7 out of 9

If it was just one server I'd say ok, but it's all my EL5 servers that
are ignoring the entry "named:9.3.6-P1". I personally believe this is a
rkhunter bug, but I guess that can only be proven if it's happening to
others.

> version of the apps it finds. The top of the log file will also say
> which RKH config file(s) it is looking at - it may be that you are
> looking at one config file, but RKH is looking at a different one.

Yeah, I've checked that and it's:

/etc/rkhunter.conf

which is the correct log file. I use the rkhunter RPM from EPEL for my
EL5 servers.

> If necessary you can whitelist just 'named'. The test will then, in
> effect, ignore the test for the 'named' version number (regardless of
> what it is).

I have opted to do this and the problem has gone away.

Thanks and Happy New Year.

Michael.
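
The log check suggested in this thread can be scripted. The following is an added example, not part of the original messages and not rkhunter's own code: it compares an APP_WHITELIST value with the "out of date" warnings in a log and separates an exact entry that was not honoured from a version mismatch. The function names are hypothetical, the log format is assumed to be the one quoted above, and the sample log is constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: cross-check an APP_WHITELIST value against rkhunter log warnings.

# classify_app_warnings WHITELIST LOGFILE   (hypothetical helper name)
# Prints one line per "out of date" warning found in LOGFILE:
#   IGNORED  name:ver             an exact "name" or "name:ver" entry exists,
#                                 yet the warning was still raised
#   MISMATCH name want=W found=V  name is listed, but with another version
#   UNLISTED name:ver             name is not in the whitelist at all
classify_app_warnings() {
    awk -F"'" -v wl="$1" '
        BEGIN {
            n = split(wl, e, " ")
            for (i = 1; i <= n; i++) {
                exact[e[i]] = 1                 # "name" or "name:version"
                c = index(e[i], ":")
                if (c > 0)                      # remember the listed version
                    listed[substr(e[i], 1, c - 1)] = substr(e[i], c + 1)
            }
        }
        # Splitting on the quote character gives $2 = app name, $4 = version.
        /Warning: Application .* is out of date/ {
            name = $2; ver = $4; key = name ":" ver
            if ((name in exact) || (key in exact))
                print "IGNORED " key
            else if (name in listed)
                print "MISMATCH " name " want=" listed[name] " found=" ver
            else
                print "UNLISTED " key
        }
    ' "$2"
}

# Constructed sample log, assembled from lines quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
[12:27:45] Info: Found application 'httpd' version '2.2.3': this version is whitelisted.
[12:27:46] Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
[12:27:48] Warning: Application 'sshd', version '4.9p1', is out of date, and possibly a security risk.
EOF
}

log=$(mktemp)
write_sample_log "$log"
classify_app_warnings "httpd:2.2.3 named:9.3.6-P1 sshd:4.3p2 php:5.1.6 openssl:0.9.8e" "$log"
rm -f "$log"
```

An IGNORED line corresponds to the 'named' case reported here; a MISMATCH line corresponds to the earlier 'sshd' entry that listed 4.3p2 while 4.9p1 was found.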