Hi John,

> On Wed, 2009-12-30 at 01:13 +1100, Michael Mansour wrote:
> >
> > So it seems if I wanted to whitelist the sshd versions above, I'd then really
> > need two entries like:
> >
> > APP_WHITELIST="httpd:2.2.3 named:9.3.6-P1 sshd:4.9p1 sshd:4.3p2 php:5.1.6 openssl:0.9.8e"
> >
> > ie. if the code supports that.
> >
> Well it won't complain about it :-) However, it only tests for one
> app at a time. That is, if 'sshd' is found then it is tested. It doesn't
> then look for further occurrences of sshd.
>
> The test works by looking for the app (e.g. 'sshd') in the root
> PATH. It then tests that app. So if you have sshd installed in /sbin
> and /usr/local/sbin, but your PATH is '/sbin:/usr/local/sbin' then
> only /sbin/sshd is checked. The /usr/local/sbin/sshd file is ignored.

The odd thing there is, I have:

PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

for root's PATH and:

# ll /usr/bin/ssh /usr/local/bin/ssh
-rwxr-xr-x 1 root root 312672 Oct 1 02:39 /usr/bin/ssh
-rwxr-xr-x 1 root root 283580 Jan 22 2009 /usr/local/bin/ssh
# which ssh
/usr/local/bin/ssh
# ssh -V
OpenSSH_4.9p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
# /usr/local/bin/ssh -V
OpenSSH_4.9p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
# /usr/bin/ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

So we know that the /usr/local/bin/ssh (should be) used for the test.

However, I have this in my whitelist entry:

APP_WHITELIST="httpd:2.2.3 named sshd:4.9p1 php:5.1.6 openssl:0.9.8e"

and rkhunter still comes back with:

Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

If I changed the APP_WHITELIST sshd entry to "sshd:4.3p2" and re-ran rkhunter, rkhunter will then warn about " 'sshd', version '4.9p1' ".

I've verified this behaviour on the server.

I'm going to just try:

APP_WHITELIST="httpd:2.2.3 named sshd php:5.1.6 openssl:0.9.8e"

now and hopefully get rid of the warning.

Thanks.

Michael.

> John.
>
> --
> John Horne, University of Plymouth, UK
> Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast
> and easy Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
------- End of Original Message -------
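
The lookup described in the quoted reply (the first copy of an app found along root's PATH is tested, later copies are ignored) can be checked by listing every copy of a program in search order. This is an added example, not part of the original thread and not rkhunter's own code; the function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code): list every copy of a program along a
# PATH-style string, in search order. All function names are hypothetical.

# path_matches NAME PATHSTRING -> one line per executable regular file found.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
path_matches() (
    name=$1
    set -f                             # no glob expansion of PATH elements
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.         # an empty PATH element means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# first_match NAME PATHSTRING -> the copy a first-match lookup would test.
first_match() {
    path_matches "$1" "$2" | head -n 1
}

# shadowed NAME PATHSTRING -> copies a first-match lookup never reaches.
shadowed() {
    path_matches "$1" "$2" | tail -n +2
}

# report NAME PATHSTRING -> summary of which copy is tested and which are not.
report() {
    echo "tested:  $(first_match "$1" "$2")"
    shadowed "$1" "$2" | sed 's/^/ignored: /'
}

# Constructed layout mirroring the reply: two sshd copies, sbin listed first.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sbin" "$root/usr/local/sbin"
    for d in sbin usr/local/sbin; do
        printf '#!/bin/sh\n' > "$root/$d/sshd"
        chmod +x "$root/$d/sshd"
    done
    report sshd "$root/sbin:$root/usr/local/sbin"
    rm -rf "$root"
}
demo
```

On a real host, `report sshd "$PATH"` run as root lists the copy that comes first in the search order and any others behind it; the same call with `ssh` covers the client binary.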