On Thu, 2010-11-04 at 02:38 -0700, Al Varnell wrote:
>
> Haven't noticed any Mac OS X testers report in, so I figured I'd better
> spend the day getting you something.
>
Okay, many thanks for this.
> 5) --propupd went well, which is a change from the previous versions where I
> had to use STAT_CMD=BUILTIN to get it to do anything.
>
Yes, the OS X 'stat' command output was incompatible with previous RKH
versions, so the builtin perl module had to be used. That was fixed for this
next release.

> 6) --enable all completed with the following warnings:
>
> [18:02:33] Performing file properties checks
> [18:04:08] /usr/bin/fuser [ Warning ]
> [18:04:09] Warning: The command '/usr/bin/fuser' has been replaced by a
> script: /usr/bin/fuser: perl script text executable
>
> [18:05:33] /usr/bin/whatis [ Warning ]
> [18:05:34] Warning: The command '/usr/bin/whatis' has been replaced by a
> script: /usr/bin/whatis: Bourne shell script text executable
>
> [18:08:07] /sbin/nologin [ Warning ]
> [18:08:08] Warning: The command '/sbin/nologin' has been replaced by a
> script: /sbin/nologin: Bourne shell script text executable
>
Those look similar to what I had on my Mac, so can probably be whitelisted.

> [18:10:05] Checking for rootkits...
> [18:10:05] Performing check of known rootkit files and directories
> [18:11:46] Checking for Dica-Kit Rootkit...
> [18:11:56] Checking for file '/etc/sshd_config' [ Found ]
> [18:12:01] Warning: Dica-Kit Rootkit [ Warning ]
> [18:12:02] File '/etc/sshd_config' found
>
Yes, this has to be whitelisted for OS X. As the config file suggests though,
you may then want to add the file to the list of monitored files, just to
ensure no-one does change it without your knowledge.
(add USER_FILEPROP_FILES_DIRS=/etc/sshd_config)

> [18:22:44] Performing check for possible rootkit strings
> [18:22:44] Info: Using system startup paths: /etc/rc.d /etc/rc.local
> /usr/local/etc/rc.d /usr/local/etc/rc.local /etc/conf.d/local.start
> /etc/init.d /etc/inittab
> [18:22:44] Warning: Checking for possible rootkit strings [ Warning ]
> [18:22:45] No system startup files found.
> I used: STARTUP_PATHS="/etc/rc.* /etc/*.rc"
>
> [18:22:47] Info: Starting test name 'running_procs'
> [18:25:42] Checking running processes for suspicious files [ Warning ]
> [18:25:43] Warning: The following processes are using suspicious files:
> [18:25:44] Command: launchd
> [18:25:45] UID: 0 PID: 1
> [18:25:46] Pathname: /private/etc/crontab
> [18:25:47] Possible Rootkit: Unknown rootkit
>
I suspect this is a false-positive. RKH just happened to catch launchd using
crontab. On my Linux box it is probably possible for RKH to catch 'crond'
catching the same crontab file. If you re-run RKH the warning may well have
disappeared.

>
> [19:03:47] Checking if SSH root access is allowed [ Warning ]
> [19:03:48] Warning: The SSH configuration option 'PermitRootLogin' has not
> been set.
> The default value may be 'yes', to allow root access.
>
On OS X the default is to allow root access. So I would suggest either
setting 'PermitRootLogin' to no, or without-password, unless you actually
want to allow root access.

>
> [19:04:18] Checking application versions...
> [19:04:26] Checking version of Bind DNS [ Warning ]
> [19:04:27] Warning: Application 'named', version '9.4.3-P3', is out of date,
> and possibly a security risk.
>
I'm not a great fan of the 'apps' test, so I am not surprised by warnings
here.

> And noted the following skipped:
>
Most of these seem to be perfectly valid in being skipped for OS X.

>
> [18:26:05] Info: Starting test name 'os_specific'
> [18:26:06] Performing Darwin specific checks [ Skipped ]
> [18:26:06] Info: No specific tests available
>
Correct, there are no OS X specific tests. You can either just ignore this,
or disable the 'os_specific' test in the config file if you want.

>
> 9) You previously told us that RKH does not support any package manager for
> OSX, so I'm guessing I can ignore this one.
>
Correct. I took a look at this but as far as I remember could find nothing
suitable.
> I've got some thoughts, but I'll save them for a separate email and if I run
> into any further issues I'll be back.
>
Okay, thanks again.

One point, OS X does not have a /dev/shm directory, so if you want to run
'suspscan', then I tend to use:

    SUSPSCAN_TEMP=/var/lib/rkhunter/tmp

or wherever your TMPDIR in /etc/rkhunter.conf points to. The test won't run
as fast as using /dev/shm, but at least it should work and any dumped files
(there shouldn't be any!) will be secure there.

John.

-- 
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 587287
Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
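The 'PermitRootLogin has not been set' warning above is the one item in the log that is a real hardening point rather than an OS X false positive, and it is worth being able to verify the effective setting before editing anything. The script below is an added example, not code from rkhunter or from anyone in this thread. It reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, the keyword is matched case-insensitively, and both "Key value" and "Key=value" are accepted), reports the effective value, and then gives the same verdict the log shows: an absent directive is treated as a warning because the compiled-in default may be 'yes' (and on OS X it is), as is an explicit 'yes'; 'no' and 'without-password' pass. The sample configurations it builds under a temporary directory are constructed for the demonstration and are not real host files; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not rkhunter code, not from the mailing-list authors):
# report the effective PermitRootLogin value of an sshd_config and give an
# rkhunter-style verdict on it.

# Print the value of the FIRST uncommented PermitRootLogin directive in the
# sshd_config at $1, or "unset" when the directive does not appear. sshd
# itself honours the first occurrence, so later duplicates are ignored here.
permit_root_login() {
    awk '
        { line = $0
          sub(/^[[:space:]]+/, "", line) }        # drop leading whitespace
        line == "" || line ~ /^#/ { next }         # skip blank lines and comments
        { sub(/=/, " ", line)                      # accept "Key=value" as well
          n = split(line, f, /[[:space:]]+/)
          if (tolower(f[1]) == "permitrootlogin") {
              print (n >= 2 ? f[2] : "unset")      # a bare keyword has no value
              found = 1
              exit                                 # first occurrence wins
          } }
        END { if (!found) print "unset" }
    ' "$1"
}

# Mirror the verdict in the rkhunter log: unset and yes warn; the restrictive
# values pass. prohibit-password is the later OpenSSH spelling of
# without-password and is accepted for configs written against newer versions.
ssh_root_verdict() {
    v=$(permit_root_login "$1")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no|without-password|prohibit-password|forced-commands-only)
            printf 'OK: PermitRootLogin is %s\n' "$v" ;;
        unset)
            printf 'Warning: PermitRootLogin has not been set (default may be yes; on OS X it is)\n' ;;
        *)
            printf 'Warning: PermitRootLogin is %s\n' "$v" ;;
    esac
}

# Constructed sample configurations (not taken from any real host) covering
# the cases the parser has to get right.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Stock-looking file: the directive is only present as a comment, so it is unset.
printf '# stock OS X style config\n#PermitRootLogin yes\nSubsystem sftp /usr/libexec/sftp-server\n' \
    > "$SAMPLE_DIR/unset"
# Lower-case keyword, explicitly allowing root.
printf 'Port 22\npermitrootlogin yes\n' > "$SAMPLE_DIR/yes"
# Indented Key=value form followed by a duplicate: the first one must win.
printf '  PermitRootLogin=without-password\nPermitRootLogin yes\n' > "$SAMPLE_DIR/first_wins"
# The setting the thread recommends.
printf 'PermitRootLogin no\n' > "$SAMPLE_DIR/no"

# Usage: ./check_root_login.sh /etc/sshd_config
# With no argument, run the check over the constructed samples instead.
if [ -n "${1:-}" ]; then
    ssh_root_verdict "$1"
else
    for f in unset yes first_wins no; do
        printf '%s: ' "$f"
        ssh_root_verdict "$SAMPLE_DIR/$f"
    done
fi
```

On a live machine the file to pass is /etc/sshd_config (a symlink to /private/etc/sshd_config on OS X); once the value has been changed to no or without-password, re-running rkhunter should clear the warning, and adding the file to USER_FILEPROP_FILES_DIRS as suggested above means a later change to it will show up in the file properties check.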