Hello Mark,

Regarding Issue #1:

"--propupd" doesn't white-list files in cases where
they are or are replaced by scripts; you have to do that manually,
by adding SCRIPTWHITELIST items to your "/etc/rkhunter.conf":

Inline docs there say:

# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
#SCRIPTWHITELIST=/path/to/file

Be aware that it will complain if the white-listed file doesn't exist.

And Issue #2/4:

Take a look at the STARTUP_PATHS item in your "/etc/rkhunter.conf".

I'm unfamiliar with MacOS, so I don't know the proper
value to set, but I'll post the inline docs below:

# This option tells rkhunter the local system startup file pathnames.
# It is a space-separated list of files and directories. The directories
# will be searched for files. By default rkhunter will use certain
# filenames and directories. If the option is set to 'none', then
# certain tests will be skipped.
#STARTUP_PATHS="/etc/rc.d /etc/rc.local"

Regards,
Konrad Tegtmeier
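The caveat above, that rkhunter will complain when a SCRIPTWHITELIST entry names a file that does not exist, is easy to check before running rkhunter. The script below is an added example, not code from this thread or from rkhunter itself: it parses the active SCRIPTWHITELIST lines of an rkhunter.conf (one path per line, '#' lines ignored, as the inline docs describe) and classifies each path as missing, a script, or a binary. The "is it a script" test is an assumption for the example (it looks for a '#!' shebang), whereas rkhunter itself relies on the `file` command; the config text and files in `demo()` are constructed stand-ins, not the poster's real /usr/bin entries.

```python
"""Audit the SCRIPTWHITELIST entries of an rkhunter.conf (added example)."""
import os
import re
import tempfile

# Matches an active (uncommented) line such as:
#   SCRIPTWHITELIST=/usr/bin/fuser
#   SCRIPTWHITELIST="/usr/bin/whatis"
# A leading '#' (the commented-out doc line) prevents a match.
SCRIPTWHITELIST_RE = re.compile(r'^\s*SCRIPTWHITELIST\s*=\s*"?([^"#]+?)"?\s*$')


def parse_scriptwhitelist(conf_text):
    """Return the paths named by active SCRIPTWHITELIST lines, in file order."""
    paths = []
    for line in conf_text.splitlines():
        m = SCRIPTWHITELIST_RE.match(line)
        if m:
            paths.append(m.group(1).strip())
    return paths


def looks_like_script(path):
    """Assumed heuristic: a file whose first two bytes are '#!' is a script.
    (rkhunter itself uses the `file` command for this classification.)"""
    with open(path, 'rb') as fh:
        return fh.read(2) == b'#!'


def audit_scriptwhitelist(paths):
    """Map each white-listed path to 'missing', 'script' or 'binary'.

    'missing' is the case rkhunter warns about; 'binary' means the entry is
    pointless today and would hide a genuine script replacement later.
    """
    report = {}
    for p in paths:
        if not os.path.exists(p):
            report[p] = 'missing'
        elif looks_like_script(p):
            report[p] = 'script'
        else:
            report[p] = 'binary'
    return report


def demo():
    """Audit a constructed config pointing at constructed files in a temp dir."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, 'fuser')    # constructed stand-in for a perl-script command
    binary = os.path.join(d, 'shasum')   # constructed stand-in for a compiled command
    missing = os.path.join(d, 'whatis')  # deliberately never created
    with open(script, 'wb') as fh:
        fh.write(b'#!/usr/bin/perl -w\nprint "hi\\n";\n')
    with open(binary, 'wb') as fh:
        fh.write(b'\xcf\xfa\xed\xfe' + b'\x00' * 12)  # Mach-O 64-bit magic, no shebang
    conf = "\n".join([
        "# Allow the specified commands to be scripts.",
        "#SCRIPTWHITELIST=/path/to/file",
        "SCRIPTWHITELIST=%s" % script,
        'SCRIPTWHITELIST="%s"' % binary,
        "SCRIPTWHITELIST=%s" % missing,
    ])
    return audit_scriptwhitelist(parse_scriptwhitelist(conf))


if __name__ == '__main__':
    for path, verdict in sorted(demo().items()):
        print(path, verdict)
```

To use it against a real installation, read /etc/rkhunter.conf (or the Homebrew-installed copy) into `parse_scriptwhitelist` and pass the result to `audit_scriptwhitelist`; any 'missing' verdict is an entry to remove, and any 'binary' verdict is an entry that does not belong on the whitelist.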

On 10/24/2016 12:44 AM, Mark CR wrote:
Hello,

I'm using rkhunter v1.4.2 on macOS, installed via Homebrew. Before I had
run rkhunter (after --propupd) and wouldn't receive any warnings, but
now I keep receiving these warnings even after --propupd.

The files listed as being replaced by a script do not appear different
on a VM of macOS I installed fresh. Also, the promiscuous interfaces
were never identified in the past: en1 and en2 (currently unused), and
awdl0 (which is an Apple interface for AirDrop I believe). Here are the
warnings:

1 - Warning: The command '/usr/bin/fuser' has been replaced by a script:
/usr/bin/fuser: a /usr/bin/perl -w script text executable, ASCII text
Warning: The command '/usr/bin/whatis' has been replaced by a script:
/usr/bin/whatis: POSIX shell script text executable, ASCII text
Warning: The command '/usr/bin/shasum' has been replaced by a script:
/usr/bin/shasum: a /usr/bin/perl script text executable, ASCII text

2 - Warning: Checking for possible rootkit strings    [ Warning ]
         No system startup files found.

3 - Warning: Possible promiscuous interfaces

4 - Warning: No system startup files found.

I had attempted to --propupd multiple times, --update and -C before
running as privileged user. This is the result from --propupd:
    "File updated: searched for 166 files, found 98"

Unsure if this is related to performing several hardening procedures
(none of which should have affected these warnings, that I'm aware of)
or from using Homebrew and/or RubyGems/Bundle.

Thanks,
-Mark


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
