On Tue, 2010-11-02 at 21:21 +0100, Patrick Gouin wrote: > > But that in itself leads to problems. If you said > > > > rkhunter --enable malware > > > > should this run the 'suspscan' test (which is part of 'malware') or not? > > Most likely no, the test is disabled be default in the config file, it > > can produce FPs, takes a long time to run, and causes a config error > > if /dev/shm does not exist (as on non-Linux systems). So the user then > > has to type in: > > > > rkhunter --enable malware --disable suspscan > > > I can just agree with respect to the suspscan test :) > Maybe there should be a different treatment for --enable depending on > whether the test is a grouped one or not > There is a difference. If you enable a specific test name, then the test is run. If you enable a grouped test name, then only those tests which are not disabled in the config file are run. However, see below about how 'all' works. It is not a specific test name (so the config file is looked at for disabled tests), and will cause any other test names to be ignored.
> > > rkhunter --enable hidden_procs > > > This works even if hidden_procs is disabled in the config file. > Yes, because it is a specific test name - not a grouped one - and you are explicitly telling RKH to run it. RKH will try and work out what you want to do, and in this instance because you have given the specific test name it assumes you actually want to run the test (despite it normally being disabled). > On the other hand, I suspect that if someone do > rkhunter --enable all,hidden_procs > he knows what he is doing and do have 'unhide' or 'unhide.rb' > installed. > In this case though RKH sees the 'all'. Once this is seen, all the other test names are ignored. As such this becomes '--enable all'. RKH does not treat 'all' as a specific test name, and so will look in the config file to see which tests are disabled. Since 'hidden_procs' is disabled, it does not run. > I did some more testing with the default config file of RKH let > unmodified (suspscan is disabled) > > rkhunter --enable malware,suspscan > > run the the suspscan test but > > rkhunter --enable all,suspscan > > don't run it. > Yes, see above about 'all'. > Why is there a difference between the grouped test malware and the > "super-grouped" test all ? > See above. 'all' is not a specific test name, and so RKH will check further to see if a test is disabled. When using the '--enable' and '--disable' options it must be remembered that RKH will run non-specific tests according to the rules in the configuration file (that is, it won't run a disabled test). With the '--disable' option there is a --nocf' option to indicate that the config file is not to be used, and only the specified disabled tests are to be disabled. Some examples: --enable hidden_procs runs the test whether it is disabled or not because it is a specific test name. --enable malware runs the malware tests provided they are not disabled in the config file (because 'malware' is not a specific test name). As such hidden_procs does not run. --enable all runs all tests that have not been disabled in the config file. 'all' is not a specific test name. --enable malware,all,hidden_procs exactly the same as '--enable all'. --enable all --disable none runs all tests. --disable none runs all tests (because the default config file enables all tests). --enable malware --disable other_malware runs the 'malware' tests except for 'other_malware' and any other tests disabled in the config file. --enable malware,suspscan --disable deleted_files runs the malware tests, including 'suspscan' because it is a specific test name, but not 'deleted_files' or any other tests disabled in the config file. --enable malware --disable deleted_files --nocf runs all the malware tests except for 'deleted_files'. Because '--nocf' is used, the config file is not looked at. --enable malware --nocf this is the same as '--enable malware'. The '--nocf' option only works when used with '--disable'. --enable malware,suspscan --disable suspscan runs the malware tests except for 'suspscan' and any other tests disabled in the config file. 'suspscan' does not run because, despite being explicitly enabled, it has also been explicitly disabled. If you tell RKH not to run a test, it will not run it regardless of what has been enabled. In effect, 'disable' overrides 'enable'. --enable suspscan --disable suspscan --enable malware --disable malware both of these will give an error ('no tests to run'). --enable malware --disable other_malware,deleted_files,running_procs This will all give an error ('no tests to run'). The '--disable' tests are all part of 'malware', and when combined with the default disabled tests in the config file, there are no tests left to run. --enable suspscan --disable malware will give an error ('no tests to run'). 'suspscan' does not run, despite being explicitly enabled, because 'malware', which includes the suspscan test, has been explicitly disabled. As said above, if a test is explicitly disabled, then it will not run regardless of what has been enabled. Note: although 'malware' is a grouped name, when it is disabled it applies to all the specific tests within it. It is not possible to enable a specific part of a disabled group. The converse, however, is true - it is possible to enable a group, and disable specific parts of it. --enable none --disable all both of these will give an error. > > My distro recently changes from syslog to rsyslog. RKH correctly find > it running. > Due to my lack of attention and/or my laziness. the old syslog.conf > is still in /etc as the new rsyslog.conf. > This make RKH reports : > > [20:21:26] Checking for running syslog daemon [ Found ] > [20:21:27] Checking for syslog configuration file [ Found ] > [20:21:27] Info: Found syslog configuration file: /etc/syslog.conf > > RKH should probably looks only for the config file corresponding to > the syslog utility it found just before. > I don't quite follow this. Are you saying: 1) that /etc/syslog.conf is a symbolic link to /etc/rsyslog.conf, and that RKH should show the true file name (rsyslog.conf) rather than the link name? 2) or that both /etc/syslog.conf and /etc/rsyslog.conf exist as files, but the 'syslogd' daemon does not exist, and as such RKH should instead show the /etc/rsyslog.conf file because rsyslogd is running? John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001 ------------------------------------------------------------------------------ Achieve Improved Network Security with IP and DNS Reputation. Defend against bad network traffic, including botnets, malware, phishing sites, and compromised hosts - saving your company time, money, and embarrassment. Learn More! http://p.sf.net/sfu/hpdev2dev-nov _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users