Hello, I'd like to contribute in some way if I am able. I use rkhunter on the majority of my systems, being Linux, as well as my Mac. Not sure how much I can contribute to the project though.
-Mark

On 10/25/16 3:56 AM, Al Varnell wrote:
> Was hoping another macOS user would join us...
>
> I'll start with a little preamble concerning Rootkit Hunter's applicability to macOS. In the beginning it was meant as a tool for Unix admins to guard against rooting attempts. Other platforms have been added, as an afterthought, but never received the attention necessary to make them essential. I've been a member of this list for years and don't recall ever reading of a Mac user discovering anything. I'm sure it has happened, just not very often. At some point I went through all the rootkit checks and identified the ones that could impact OS X at the time. There were only a handful and all were ancient history since they had long been patched or eliminated.
>
> Then there is timeliness. You may have noticed that v1.4.2 was released over two and a half years ago (Feb 2014) and even though you can find a v1.4.3 in development, it didn't have any new Mac-specific tests the last time I checked. In fairness, the developers have welcomed the participation of any Mac person to contribute, but so far, nobody seems to have the time to do so. It's certainly conceivable that a zero day infection will be uncovered by Rootkit Hunter some day, but I think it unlikely. I still use it and will continue to do so, running it every time there is an OS update, but it's not something I rely on, even though a big part of my hobby in retirement involves contributing what I can to OS X/macOS security.
>
>>>> 2 - Warning: Checking for possible rootkit strings [ Warning ]
>>>> No system startup files found.
>>>
>>> I would have to see what the log file says to comment on this one (/var/log/rkhunter.log). I don't get this for the possible rootkit string check and in an earlier check see:
>>>
>>> Checking the local host...
>>> Performing system boot checks
>>> Checking for system startup files [ Found ]
>>>
>>> I know it depends on what are listed as startup paths, the defaults being #STARTUP_PATHS="/etc/rc.d /etc/rc.local". I suspect it is because I have added /etc/rc.* and /etc/*.rc
>>>
>> Unfortunately that is all the log showed me. I'll include a link for a Pastebin of the log at the bottom. I'd include /etc/rc.* and /etc/*.rc as you've done but I'm skeptical to include every potential file beginning or ending in rc. Perhaps I should only add the rc files in the /etc/ directory as I have them on my system?
>
> To me it would be important to know if some new system startup file had been added while I wasn't looking. The whole reason for locating these is in preparation for the next step, which is to check them for known malware strings. That's why I want them all to be screened.
>
>>>> 3 - Warning: Possible promiscuous interfaces
>>>
>>> Yes, that's something new starting with Yosemite, I believe, but I only get it with en2. When I start up using a Verbose boot (hold "V" key down at chime) I can see that en2 (which is not connected in my setup) is being placed in promiscuous mode. Have not been able to run down why Apple made this change.
>>>
>> Yes I've seen it with awdl0 but never en1 and en2... This is new. Perhaps since I've installed dnsmasq listening on lo0 then maybe a misconfiguration with it? Might as well try and disable promisc on both those interfaces, or something.
>
> I've been assuming that Apple has a good reason for making these interfaces promiscuous and am not convinced that any threat exists which could take advantage of it. I'd be interested in knowing if you have found a way to disable it, whether doing so breaks anything and from anybody else that knows how this could be used as a vector.
>
>>>> 4 - Warning: No system startup files found.
> <snip>
>>>> Unsure if this is related to performing several hardening procedures (none of which should have affected these warnings, that I'm aware of) or from using Homebrew and/or RubyGems/Bundle.
>>>
>>> I guess I wouldn't be surprised if those hardening procedures caused something, but have no ideas what those consisted of.
>>
>> The procedures were only directed towards certain macOS features such as: firewall, screensaver lock, Safari, JavaScript, etc. Simply used the osx-config-check script from GitHub.
>
> GitHub is a big place, with over 300,000 Google hits for "osx-config-check script" but it seems you are referring to <https://github.com/kristovatlas/osx-config-check/releases>.
>
> I remember going through a similar list that was derived from some guidance by NSA for a much older OS X and quickly learned that I couldn't use my Mac for anything if I followed all the recommendations. The list of adjustments has grown greatly, but the results are the same. I would not be able to implement even half of them and still be able to do my daily tasks. I might as well disconnect from the Internet and tape over the camera and all external drive ports. I'm guessing you were fairly selective, as well. In any case, I suspect this had nothing to do with your current results.
>
>>>> -Mark
>>> -Al-
>> -Mark
> -Al-

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
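An added example, not rkhunter's own code and not something posted in the thread, illustrating the two checks the thread discusses: expanding a STARTUP_PATHS-style glob list (such as the /etc/rc.* and /etc/*.rc Al added) into the startup files it matches and reporting any that are missing from a saved baseline, which is Al's point about noticing a newly added startup file, and flagging interfaces whose ifconfig flags include PROMISC, the condition behind the "possible promiscuous interfaces" warning. The directory layout, baseline file and ifconfig text below are constructed for the demo; on a real Mac you would point the functions at /etc and pipe in the output of `ifconfig`.

```shell
#!/bin/sh
# Added example (not rkhunter's code): a STARTUP_PATHS-style baseline check
# and a PROMISC flag check over ifconfig(8)-style output. All paths, the
# baseline file and the sample ifconfig text are constructed for the demo.

# Expand a list of startup path globs (e.g. "/etc/rc.*" "/etc/*.rc") into
# the regular files they currently match, one per line, sorted and unique.
list_startup_files() {
    for pattern in "$@"; do
        for f in $pattern; do            # unquoted on purpose: glob expansion
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done | sort -u
}

# Print startup files that exist now but are absent from the baseline file
# (one absolute path per line). Empty output means nothing new appeared.
new_startup_files() {
    baseline="$1"; shift
    list_startup_files "$@" | while IFS= read -r f; do
        grep -qxF -- "$f" "$baseline" || printf '%s\n' "$f"
    done
}

# Read ifconfig-style output on stdin and print each interface whose flags
# line contains PROMISC. A macOS/BSD interface header looks like:
#   en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
promisc_ifaces() {
    awk '/^[a-z0-9]+:.*flags=/ { split($1, a, ":"); if ($0 ~ /PROMISC/) print a[1] }'
}

# --- constructed demo data: a fake /etc with a baseline taken earlier ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/etc"
printf '# baseline file\n' > "$demo_dir/etc/rc.local"
printf '# baseline file\n' > "$demo_dir/etc/rc.common"
printf '# baseline file\n' > "$demo_dir/etc/periodic.rc"
printf '%s\n' "$demo_dir/etc/rc.local" "$demo_dir/etc/rc.common" \
    "$demo_dir/etc/periodic.rc" > "$demo_dir/baseline.txt"
# a startup file that appeared after the baseline was recorded
printf '# added after baseline\n' > "$demo_dir/etc/rc.update"

# constructed ifconfig output: en2 and awdl0 carry PROMISC, lo0 and en1 do not
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484'

echo "Startup files not in baseline:"
new_startup_files "$demo_dir/baseline.txt" "$demo_dir/etc/rc.*" "$demo_dir/etc/*.rc"
echo "Interfaces with PROMISC set:"
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
```

The baseline is just the sorted list of matched paths from a known-good run; regenerating it after a deliberate change and diffing before each rkhunter run answers the "was something added while I wasn't looking" question without having to guess which rc files are worth listing. The PROMISC check reports the flag, not whether it is a problem; on macOS, as the thread notes, en2 and awdl0 may legitimately show it.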