On Sun, Apr 01, 2018 at 02:40 PM, stanislas.gal--- via Rkhunter-users wrote:

> Hello,
>
> I run the latest version of rkhunter on macOs High Sierra 10.13.3 and have
> warnings I already saw in the mailing list but I never saw a clear
> explanation about them and I think, as written in the log, that it is needed
> to deeply understand warnings before calling propupd.
Why bother. If you run RKHunter on a virgin 10.13.3 (or preferably 10.13.4 now) and see all of these "warnings" why would you not accept all as legitimate and whitelist them? Also, running propupd will not make any of the ones you listed go away. The Properties check only identifies critical files that were changed since the last run.

> I may have missed many things while looking for solutions and please show me
> where I should investigate if so.
>
> here are the warnings :
>
> [22:31:59] /usr/bin/fuser [ Warning ]
> [22:31:59] Warning: The command '/usr/bin/fuser' has been replaced by a
> script: /usr/bin/fuser: Perl script text executable
>
> [22:32:03] /usr/bin/whatis [ Warning ]
> [22:32:03] Warning: The command '/usr/bin/whatis' has been replaced by a
> script: /usr/bin/whatis: POSIX shell script text executable, ASCII text
>
> [22:32:03] /usr/bin/shasum [ Warning ]
> [22:32:03] Warning: The command '/usr/bin/shasum' has been replaced by a
> script: /usr/bin/shasum: Perl script text executable
>
> [22:33:24] Warning: Checking for possible rootkit strings [ Warning ]
> [22:33:24] No system startup files found.

I have all of the above whitelisted and most have been since I started using RKHunter over a decade ago. If you want to understand the first three, then you need to take a look at and fully understand what those scripts are actually doing to determine if they are acting as expected. Not something an average user will have the skills to do. It's not uncommon for some Unix binaries to be replaced by a script.

> Checking for promiscuous interfaces [ Warning ]
> [22:33:32] Warning: Possible promiscuous interfaces:
> [22:33:32] 'ifconfig' command output:
> ....

This is relatively new and appears to be associated with the use of Thunderbolt Bridge as a path to network access. I have not researched what possible disadvantages exist by allowing promiscuous interfaces, but chose to accept Apple's decision to implement it this way.
> [22:33:34] Info: Starting test name 'startup_malware'
> [22:33:34] Checking for system startup files [ Warning ]
> [22:33:34] Warning: No system startup files found.

I don't really understand why this is a warning. RKHunter is checking to see if there is any malware in system startup files, so if there aren't any to check then why bother giving the warning?

> [22:33:35] Checking if SSH root access is allowed [ Warning ]
> [22:33:35] Warning: The SSH configuration option 'PermitRootLogin' has not
> been set.
> The default value may be 'yes', to allow root access.
>
> [22:33:35] Checking if SSH protocol v1 is allowed [ Warning ]
> [22:33:35] Warning: The SSH configuration option 'Protocol' has not been set.
> The default value may be '2,1', to allow the use of protocol
> version 1.

I know that you can change the macOS default settings to overcome both of these and seem to remember having done so awhile ago, but haven't bothered since. If you feel it's important to your setup, then go ahead and tighten up security and make those changes, realizing it might prevent your being able to remotely access your computer if you needed to at some time in the future.

> [22:33:46] Checking for hidden files and directories [ Warning ]
> [22:33:46] Warning: Hidden file found: /usr/share/man/man5/.rhosts.5: troff
> or preprocessor input text, ASCII text

I can confirm that this is a legitimately hidden file, although I can't really imagine why. I have it whitelisted.

> Thank you,
>
> Stan

-Al-

--
Al Varnell
Mountain View, CA
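Added example, not code from this thread or from rkhunter itself: a small Python audit of an sshd_config that reasons the way the two SSH warnings quoted above do. An absent PermitRootLogin or Protocol directive is reported as "not set" with the default the warning text names, an explicit `PermitRootLogin yes` or a Protocol list containing `1` is reported as permissive, and a config that sets both explicitly passes. The assumed defaults come from the rkhunter warning text rather than from sshd, and the two sample configs (including the Subsystem line) are constructed for illustration; only global directives before the first Match block are considered, since sshd applies later ones conditionally.

```python
"""Audit sshd_config for the two conditions rkhunter's SSH checks warn about.

Added example, not rkhunter's own code. The defaults assumed for a missing
directive ('yes' for PermitRootLogin, '2,1' for Protocol) are the ones the
rkhunter warnings quote, not values read from any sshd binary.
"""
import re

# Defaults the rkhunter warning text assumes when the option is absent.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "protocol": "2,1"}


def parse_global_directives(text):
    """Return {lowercased keyword: value} for the global section of an sshd_config.

    Only lines before the first 'Match' keyword count, because directives inside
    a Match block apply conditionally. Comments and blank lines are skipped, and
    since sshd honours the first occurrence of a keyword, the first value wins.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        # Keyword and value may be separated by whitespace or by '='.
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text):
    """Return a list of (option, finding) tuples mirroring rkhunter's two checks."""
    d = parse_global_directives(text)
    findings = []

    root = d.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin",
                         f"not set; default may be '{ASSUMED_DEFAULTS['permitrootlogin']}'"))
    elif root.lower() == "yes":
        findings.append(("PermitRootLogin", "set to 'yes'; root login allowed"))

    proto = d.get("protocol")
    if proto is None:
        findings.append(("Protocol",
                         f"not set; default may be '{ASSUMED_DEFAULTS['protocol']}'"))
    elif "1" in [p.strip() for p in proto.split(",")]:
        findings.append(("Protocol", f"'{proto}' allows protocol version 1"))
    return findings


# Constructed sample: neither option set, only commented-out hints (the shape
# that triggers both rkhunter warnings in the thread).
WEAK_CONFIG = """\
#PermitRootLogin prohibit-password
#Protocol 2
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: both options set explicitly, which silences both checks.
HARDENED_CONFIG = """\
PermitRootLogin no
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Point the audit at the real `/etc/ssh/sshd_config` by reading the file into `text`; on a system where the directive is set only inside a Match block, the global check still reports it as unset, which matches how rkhunter read the config in the quoted log.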
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users