Hi,
On 02/11/2010 10:09, John Horne wrote:
> On Tue, 2010-11-02 at 06:34 +0100, Patrick Gouin wrote:
> Okay. The current CVS version has a fix in for it.

Thanks.
> But that in itself leads to problems. If you said
>
>     rkhunter --enable malware
>
> should this run the 'suspscan' test (which is part of 'malware') or not?
> Most likely no: the test is disabled by default in the config file, it
> can produce FPs, takes a long time to run, and causes a config error
> if /dev/shm does not exist (as on non-Linux systems). So the user then
> has to type in:
>
>     rkhunter --enable malware --disable suspscan

I can just agree with respect to the suspscan test :)
Maybe there should be a different treatment for --enable depending on whether the test is a grouped one or not
> But that is the same as the config file settings! So it made more sense
> to do what 'usually' happens according to the config file - that is, if
> '--disable' is not specified then the config file disabled tests would
> not be run.
>
> As said, RKH will try and do what is expected. In the above example,
> what is expected is to run the malware tests *as would normally be
> run*. Not to run all the malware tests, because some of them are
> disabled for a reason and do not normally run. (Obviously if you have
> enabled 'suspscan' in your config file, then it will run.) It would be
> more misleading to run tests that are not normally run.
>
> The same is true with the 'hidden_procs' test. Most users do not have
> 'unhide' installed, so rather than throw out a message saying so every
> time, the test is disabled by default. If you install 'unhide' then
> modify your /etc/rkhunter.conf.local and remove it from the default
> disabled list. Then RKH will run unhide simply by saying
>
>     rkhunter --enable hidden_procs

This works even if hidden_procs is disabled in the config file.

On the other hand, I suspect that if someone does

    rkhunter --enable all,hidden_procs

he knows what he is doing and does have 'unhide' or 'unhide.rb' installed.

I did some more testing with the default config file of RKH left unmodified (suspscan is disabled):

    rkhunter --enable malware,suspscan

runs the suspscan test, but

    rkhunter --enable all,suspscan

doesn't run it.
That doesn't seem very consistent to me (and I clearly prefer the first behavior :). Why is there a difference between the grouped test malware and the "super-grouped" test all?


Coming back to the test of the new version of RKH.
By reading carefully the RKH log, I discovered a ... well, I can't call it a bug, maybe a glitch. It was probably in previous versions too, but as I was not testing RKH, I only inspected the warnings. My distro recently changed from syslog to rsyslog. RKH correctly finds it running. Due to my lack of attention and/or my laziness, the old syslog.conf is still in /etc as well as the new rsyslog.conf.
This makes RKH report:

[20:21:26]   Checking for running syslog daemon              [ Found ]
[20:21:27]   Checking for syslog configuration file          [ Found ]
[20:21:27] Info: Found syslog configuration file: /etc/syslog.conf

RKH should probably look only for the config file corresponding to the syslog utility it found just before.

Best regards,

Patrick.
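An added check for the glitch described in the message above (example code, not rkhunter's own): the syslog configuration file is resolved from the daemon found running, and leftover config files from another syslog implementation are flagged instead of being reported as the live config. The daemon-to-config mapping and the `ps -eo comm=` process-list format are assumptions of the example.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): resolve the syslog config file from
# the daemon that is actually running instead of reporting the first *syslog*.conf
# that exists.  The daemon-to-config mapping is the conventional default for each
# implementation and is an assumption of this example.
syslog_conf_for() {
    # $1 = daemon process name, $2 = config root (normally /etc)
    case "$1" in
        rsyslogd)  printf '%s\n' "$2/rsyslog.conf" ;;
        syslog-ng) printf '%s\n' "$2/syslog-ng/syslog-ng.conf" ;;
        syslogd)   printf '%s\n' "$2/syslog.conf" ;;
        *)         return 1 ;;
    esac
}

# Pick the running syslog daemon out of a newline-separated process-name list
# (what `ps -eo comm=` prints).  Prints the name, or fails if none is running.
running_syslog_daemon() {
    for d in rsyslogd syslog-ng syslogd; do
        if printf '%s\n' "$1" | grep -qx "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# List config files of other syslog implementations left under $2 that the
# running daemon $1 never reads (the /etc/syslog.conf leftover from the thread).
stale_syslog_confs() {
    own=$(syslog_conf_for "$1" "$2") || return 1
    for other in "$2/syslog.conf" "$2/rsyslog.conf" "$2/syslog-ng/syslog-ng.conf"; do
        if [ "$other" != "$own" ] && [ -f "$other" ]; then printf '%s\n' "$other"; fi
    done
    return 0
}

# rkhunter-style report for daemon $1 under config root $2.
# Returns 0 when the daemon's own config file exists, 1 otherwise.
check_syslog_conf() {
    conf=$(syslog_conf_for "$1" "$2") || { echo "Unknown syslog daemon: $1"; return 1; }
    for s in $(stale_syslog_confs "$1" "$2"); do
        echo "Warning: $s exists but is not read by $1 (stale configuration?)"
    done
    if [ -f "$conf" ]; then echo "Info: Found syslog configuration file: $conf"; return 0; fi
    echo "Warning: no configuration file found for $1 (expected $conf)"; return 1
}
# Live use on a host (not asserted on anywhere):
# d=$(running_syslog_daemon "$(ps -eo comm=)") && check_syslog_conf "$d" /etc
```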
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users