Subject: Re: [Rkhunter-users] rkhunter 1.3.6 / Red Hat Fedora
Date: Tue, 01 Jun 2010 17:12:15 -0500
From: Mike McCarty <mike.mcca...@sbcglobal.net>
To: Duane <bu...@loftusweb.com>
References: <1274986056.1629.58.ca...@loftus49-desktop>
 <bpfixtri...@helmut.hullen.de>
 <0d1dfa82511d482d9deaa778837a0...@owner4bd5767af>
 <1275043656.29444.5.ca...@jhorne.csd.plymouth.ac.uk>
 <6c5748a4e5d94652b002043021573...@owner4bd5767af>

Duane wrote:

[...]

> In the "file properties" test I have 6 different "warnings". An example of
> these are:
> 
> [23:50:32] Warning: The command '/usr/bin/GET' has been replaced by a
> script: /usr/bin/GET: perl script text executable

$ file /usr/bin/GET
/usr/bin/GET: perl script text executable

That's normal. However, I would not whitelist that file, and I do not,
and I also don't get that warning. I've set RPM as the package manager
for my system, and so rkhunter "knows" about it.

> [23:50:32] Warning: The command '/usr/bin/groups' has been replaced by a
> script: /usr/bin/groups: Bourne shell script text executable 

$ file /usr/bin/groups
/usr/bin/groups: Bourne shell script text executable

Ditto.

> My understanding is to insert a statement in the "rkhunter.conf.local" file
> (below whitelist) to say by example:
>  
> #SCRIPTWHITELIST=/usr/bin/GET
> 
> Is this correct?  Also, how do I go about to ensure these are safe to
> whitelist prior to doing this?

Don't whitelist them, and then the tool can work as intended.

> John wrote: "Copy the DISABLED_TESTS line from /etc/rkhunter.conf, and paste
> it into /etc/rkhunter.conf.local. Then add onto the end of the line the
> 'loaded_modules' test name. RKH will then skip that particular test."
> 
> I'm a little unclear on this.  My line is:
> 
> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
> 
> Does this mean it should be:
> 
> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps
> loaded_modules"

If that line isn't split, that would do it. I don't disable that test.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!

------------------------------------------------------------------------------

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
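
The question in the thread about checking a flagged command before whitelisting it, and the reply's mention of RPM as the package manager, both come down to asking the RPM database who owns the file and whether its content still matches. The script below is an added example, not part of the original message or of rkhunter; it assumes an RPM-based system, the function names `classify_verify` and `check_script` are hypothetical, and the sample `rpm -V` output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an RPM-based system with
# `rpm` and `file` on PATH; function names are hypothetical.

# classify_verify FILE
# Reads `rpm -V` output on stdin and prints one word for FILE:
#   clean    - no line for FILE (rpm -V lists only files that differ)
#   modified - digest flag '5' set: content differs from the packaged file
#   missing  - the file is gone
#   changed  - only metadata (mode, owner, mtime, ...) differs
# Assumes FILE contains no whitespace, true for the commands flagged here.
classify_verify() {
    awk -v path="$1" '
        $NF != path             { next }
        $1 == "missing"         { r = "missing";  next }
        substr($1, 3, 1) == "5" { r = "modified"; next }
        r == ""                 { r = "changed" }
        END { print (r == "" ? "clean" : r) }
    '
}

# check_script FILE
# Names the owning package(s) and verifies FILE against the RPM database.
# Returns 0 only when the file is package-owned and unmodified.
check_script() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "$1: not owned by any package"; return 2; }
    state=$(rpm -Vf "$1" | classify_verify "$1")
    echo "$1: $(echo $pkg): $state ($(file -b "$1"))"
    [ "$state" = clean ]
}

# Constructed sample of `rpm -V` output (not taken from a real system).
SAMPLE='S.5....T.    /usr/bin/GET
.......T.    /usr/bin/groups
missing      /usr/bin/HEAD'

# On a real host: check_script /usr/bin/GET; check_script /usr/bin/groups
for f in /usr/bin/GET /usr/bin/groups /usr/bin/HEAD /usr/bin/file; do
    printf '%s: %s\n' "$f" "$(printf '%s\n' "$SAMPLE" | classify_verify "$f")"
done
```

`rpm -V` compares against the RPM database stored on the same host, so on a machine that is already suspect the result is only as trustworthy as that database; compare against a freshly obtained package in that case.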
