Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread John Horne
On Wed, 2009-12-02 at 07:52 -0500, Tanstaafl wrote:
> Hi everyone,
>
> I'm still a bit new to rkhunter.
>
> I've been running the apps test ever since I installed rkhunter, and the
> only time I got a hit was after updating the core tools, which makes
> sense, since those executables are updated, and a quick --propupd fixes it.
>
> I also recently had a hit on the same two apps (gpg and ?), and based on
> the comments here, decided to disable the apps test.
>
> Now, I am only apparently running two tests: File properties, and rootkits.
 
You need to check your config file to see what tests have been disabled.
However, even without the apps test you should have whole sections of
tests stating what they are doing:

Checking system commands... (which includes the file properties test,
but is not restricted to just that)
Checking the network...
Checking the local host...

Each of these has several tests within it. So unless you have
disabled a lot of tests, you shouldn't have just the file properties and
rootkit tests running.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


--
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread Tanstaafl
On 12/2/2009 2:11 PM, John Horne wrote:
> Now, I am only apparently running two tests: File properties, and
> rootkits.
>
> You need to check your config file to see what tests have been
> disabled.

Well, like I said before, I'm new to rkhunter, so I basically just left
it at the defaults. I'm using gentoo, so those are what the gentoo
ebuild maintainer set them to:

DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules
packet_cap_apps suspscan

I added the 'apps' to the above, so, subtract that, and that is what the
defaults were set to after installation.

> However, even without the apps test you should have whole sections of
> tests stating what they are doing:
>
> Checking system commands... (which includes the file properties test,
> but is not restricted to just that)
> Checking the network...
> Checking the local host...

I do see these in the log, but not in the email summary I get (see below)?

> Each of these has several tests within it. So unless you have
> disabled a lot of tests, you shouldn't have just the file properties
> and rootkit tests running.

Here is the email result of last night's test:

* Bgn

[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat                    [ No update ]
  Checking file programs_bad.dat               [ No update ]
  Checking file backdoorports.dat              [ No update ]
  Checking file suspscan.dat                   [ No update ]
  Checking file i18n/cn                        [ No update ]
  Checking file i18n/de                        [ No update ]
  Checking file i18n/en                        [ No update ]
  Checking file i18n/zh                        [ No update ]
  Checking file i18n/zh.utf8                   [ No update ]


System checks summary
=====================

File properties checks...
Files checked: 136
Suspect files: 0

Rootkit checks...
Rootkits checked : 116
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 1 minute and 15 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

No warnings were found while checking the system.

* End

(also - what's with the little squares in the email report?)

So, again - what makes for a sensible set of tests to run in most cases?
Which of the tests should I (or most people in general) have
enabled? I understand that every case is different, but I'm assuming
(uh-oh) that there are a basic set of tests that should be enabled for
most use cases?

This is a basic gentoo linux server, running iptables, postfix, dovecot,
mailman, apache, and squirrelmail (soon to be roundcube).

I really appreciate your helping out a noob... :)

-- 

Best regards,

Charles



Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread Tanstaafl
On 12/3/2009, Brian McKee (m...@map-heb.com) wrote:
> Look at the --cronjob option, which implies the --nocolors option.

Ah... cool, thanks. :)


-- 

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6200 x224
678.514.6299 fax



Re: [Rkhunter-users] Which tests do you enable?

2009-12-03 Thread John Horne
On Thu, 2009-12-03 at 11:56 -0500, Tanstaafl wrote:
> On 12/2/2009 2:11 PM, John Horne wrote:
> > Now, I am only apparently running two tests: File properties, and
> > rootkits.
> >
> > You need to check your config file to see what tests have been
> > disabled.
>
> Well, like I said before, I'm new to rkhunter, so I basically just left
> it at the defaults. I'm using gentoo, so those are what the gentoo
> ebuild maintainer set them to:
>
> DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules
> packet_cap_apps suspscan
>
These are the default supplied disabled tests (apart from apps). So, it
means you are running the usual tests.

> I added the 'apps' to the above, so, subtract that, and that is what the
> defaults were set to after installation.
>
> > However, even without the apps test you should have whole sections of
> > tests stating what they are doing:
> >
> > Checking system commands... (which includes the file properties test,
> > but is not restricted to just that)
> > Checking the network...
> > Checking the local host...
>
> I do see these in the log, but not in the email summary I get (see below)?
>

>
> Here is the email result of last night's test:
>
> * Bgn
>
> [ Rootkit Hunter version 1.3.4 ]
>
> Checking rkhunter data files...
>   Checking file mirrors.dat                    [ No update ]
>   Checking file programs_bad.dat               [ No update ]
>   Checking file backdoorports.dat              [ No update ]
>   Checking file suspscan.dat                   [ No update ]
>   Checking file i18n/cn                        [ No update ]
>   Checking file i18n/de                        [ No update ]
>   Checking file i18n/en                        [ No update ]
>   Checking file i18n/zh                        [ No update ]
>   Checking file i18n/zh.utf8                   [ No update ]
>
>
This is the output of running 'rkhunter --update'. These files rarely
change, but you should use '--update' every so often just in case they
do change. As already mentioned the 'funny characters' above are due to
coloured output. You should get your maintainer to change the options and
use '--nocolors', or '--cronjob' if that is more appropriate.


> System checks summary
> =====================
>
> File properties checks...
> Files checked: 136
> Suspect files: 0
>
> Rootkit checks...
> Rootkits checked : 116
> Possible rootkits: 0
>
> Applications checks...
> All checks skipped
>
> The system checks took: 1 minute and 15 seconds
>
> All results have been written to the logfile (/var/log/rkhunter.log)
>
> No warnings were found while checking the system.
>
This is just the summary, and again can be seen by using something like
'rkhunter --check -q --summary' (I think).

It shows no warnings were found, so nothing to worry about.

> * End
>
> (also - what's with the little squares in the email report?)
>
> So, again - what makes for a sensible set of tests to run in most cases?
> Which of the tests should I (or most people in general) have
> enabled? I understand that every case is different, but I'm assuming
> (uh-oh) that there are a basic set of tests that should be enabled for
> most use cases?
>
I would say leave things as they are. You seem to be running the
standard tests that most RKH users run. As far as I can tell you aren't
being shown the tests being run, or their results, but just the summary.
That's fine. In which case just take note as to whether any warnings were
found or not. If any are found then look in the log file, it will give
more details of what was wrong.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
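A cron wrapper built around the advice given in this thread (run --update, use --cronjob so no colour escapes reach the mail, and go to the log file when the summary reports warnings). It is an added example, not code from the list or from the rkhunter project; the RKHUNTER and RKH_LOG variables and the rkh_* function names are assumptions, as is the exit-status convention it relies on (non-zero from the check when warnings are found).

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter itself.
# RKHUNTER and RKH_LOG are assumed knobs so the logic can be exercised
# without rkhunter installed; the rkh_* function names are mine.
RKHUNTER=${RKHUNTER:-rkhunter}
RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# Print every "Warning:" line from an rkhunter log (what the thread tells
# the poster to look for when the summary reports warnings). Exits 1 if
# the log contains none.
rkh_warning_lines() {
    grep 'Warning:' "$1"
}

# Refresh the data files, then run the check as a cron job: --cronjob
# implies --check, --nocolors and --sk, so the colour escapes that showed
# up as "little squares" in the mailed summary are never emitted.
# Returns the check's exit status (assumed: 0 means no warnings).
rkh_cron_run() {
    # --update's own exit status reports whether files changed, not a
    # warning, so it is deliberately ignored here.
    "$RKHUNTER" --update >/dev/null 2>&1 || true
    "$RKHUNTER" --cronjob --report-warnings-only && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "rkhunter: no warnings (full log: $RKH_LOG)"
        return 0
    fi
    echo "rkhunter: warnings found, details in $RKH_LOG:"
    rkh_warning_lines "$RKH_LOG" | sed 's/^/  /' || true
    return "$status"
}

# Run it only when invoked as: sh rkh_cron.sh run
case "${1:-}" in
    run) rkh_cron_run ;;
esac
```

Pointing a cron entry at `sh rkh_cron.sh run` and mailing its output gives a report with the warning lines already pulled out of the log, instead of a summary that only says warnings were found.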




[Rkhunter-users] Website causes Mozilla to abort?

2009-12-03 Thread Mike McCarty
When I went to the sourceforge page to download 1.3.6, it caused
Mozilla to abort, closing the window it was running in. Tried
again with same results. And again. The page mostly loads, so I
can see what is selectable, but before it finishes, it causes
the program to blow up.

I wonder what's up?

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
