Subject: Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora
Date: Tue, 01 Jun 2010 17:12:15 -0500
From: Mike McCarty <mike.mcca...@sbcglobal.net>
To: Duane <bu...@loftusweb.com>
References: <1274986056.1629.58.ca...@loftus49-desktop><bpfixtri...@helmut.hullen.de><0d1dfa82511d482d9deaa778837a0...@owner4bd5767af> <1275043656.29444.5.ca...@jhorne.csd.plymouth.ac.uk> <6c5748a4e5d94652b002043021573...@owner4bd5767af>

Duane wrote:

[...]

> In the "file properties" test I have 6 different "warnings". An example of
> these are:
>
> [23:50:32] Warning: The command '/usr/bin/GET' has been replaced by a
> script: /usr/bin/GET: perl script text executable

$ file /usr/bin/GET
/usr/bin/GET: perl script text executable

That's normal. However, I would not whitelist that file, and I do not,
and I also don't get that warning. I've set RPM as the package manager
for my system, and so rkhunter "knows" about it.

> [23:50:32] Warning: The command '/usr/bin/groups' has been replaced by a
> script: /usr/bin/groups: Bourne shell script text executable

$ file /usr/bin/groups
/usr/bin/groups: Bourne shell script text executable

Ditto.

> My understanding is to insert a statement in the "rkhunter.conf.local" file
> (below whitelist) to say by example:
>
> #SCRIPTWHITELIST=/usr/bin/GET
>
> Is this correct? Also, how do I go about to insure these are safe to
> whitelist prior to doing this?

Don't whitelist them, and then the tool can work as intended.

> John wrote: "Copy the DISABLED_TESTS line from /etc/rkhunter.conf, and paste
> it into /etc/rkhunter.conf.local. Then add onto the end of the line the
> 'loaded_modules' test name. RKH will then skip that particular test."
>
> I'm a little unclear on this. My line is:
>
> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>
> Does this mean it should be:
>
> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps
> loaded_modules"

If that line isn't split, that would do it. I don't disable that test.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
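
An added example, not part of Mike's message and not rkhunter's own code: one way to check by hand whether a command flagged as "replaced by a script" is the file its RPM package installed, using `rpm -qf` and `rpm -V`. The function names and the sample `rpm -V` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: check rkhunter-flagged commands against the RPM database.

# Read `rpm -V` output on stdin and classify one file.
# Prints: clean | missing | modified:<flags>
classify_verify_output() {
    target=$1
    verdict=clean
    while IFS= read -r line; do
        case $line in
            missing*" $target")
                verdict=missing ;;
            *" $target")
                flags=${line%% *}
                # S=size 5=digest M=mode U=owner G=group; a lone T (mtime) is ignored
                case $flags in
                    *[S5MUG]*) verdict="modified:$flags" ;;
                esac ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Report the owning package and verification verdict for one flagged command.
# Returns 0 only when the file is package-owned and unmodified.
check_flagged() {
    target=$1
    if ! pkg=$(rpm -qf "$target" 2>/dev/null); then
        printf '%s unowned\n' "$target"
        return 1
    fi
    # rpm -V exits non-zero on any difference; only its output is used here.
    verdict=$(rpm -V "$pkg" 2>/dev/null | classify_verify_output "$target")
    printf '%s %s %s\n' "$target" "$pkg" "$verdict"
    [ "$verdict" = clean ]
}

# Constructed sample of `rpm -V` output (not taken from a real system).
sample='S.5....T.    /usr/bin/groups
.......T.  c /etc/example.conf'
printf '%s\n' "$sample" | classify_verify_output /usr/bin/groups
printf '%s\n' "$sample" | classify_verify_output /usr/bin/GET
```

On an RPM-based system, `check_flagged /usr/bin/GET /usr/bin/groups`-style calls (one path per call) give an "unowned", "missing" or "modified" verdict for anything that deserves a closer look before a whitelist entry is considered.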