Re: [Rkhunter-users] Which tests do you enable?
On Wed, 2009-12-02 at 07:52 -0500, Tanstaafl wrote:
> Hi everyone,
>
> I'm still a bit new to rkhunter. I've been running the apps test ever since I installed rkhunter, and the only time I got a hit was after updating the core tools, which makes sense, since those executables are updated, and a quick --propupd fixes it.
>
> I also recently had a hit on the same two apps (gpg and ?), and based on the comments here, decided to disable the apps test. Now, I am only apparently running two tests: File properties, and rootkits.

You need to check your config file to see what tests have been disabled. However, even without the apps test you should have whole sections of tests stating what they are doing:

  Checking system commands... (which includes the file properties test, but is not restricted to just that)
  Checking the network...
  Checking the local host...

Each of these has several tests within them. So unless you have disabled a lot of tests, you shouldn't have just the file properties and rootkit tests running.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001

--
Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] Which tests do you enable?
On 12/2/2009 2:11 PM, John Horne wrote:
> > Now, I am only apparently running two tests: File properties, and rootkits.
>
> You need to check your config file to see what tests have been disabled.

Well, like I said before, I'm new to rkhunter, so I basically just left it at the defaults. I'm using gentoo, so those are what the gentoo ebuild maintainer set them to:

  DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules packet_cap_apps suspscan

I added the 'apps' to the above, so, subtract that, and that is what the defaults were set to after installation.

> However, even without the apps test you should have whole sections of tests stating what they are doing:
>
>   Checking system commands... (which includes the file properties test, but is not restricted to just that)
>   Checking the network...
>   Checking the local host...

I do see these in the log, but not in the email summary I get (see below)?

> Each of these have several tests within them. So unless you have disabled a lot of tests, you shouldn't have just the file properties and rootkit tests running.

Here is the email result of last night's test:

* Bgn
[ Rootkit Hunter version 1.3.4 ]

[1;33mChecking rkhunter data files...[0;39m
  Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
  Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
  Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
  Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
  Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/de[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zh.utf8[33C[ [1;32mNo update[0;39m ]

System checks summary
=

File properties checks...
    Files checked: 136
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 116
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 15 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

No warnings were found while checking the system.
* End

(also - what's with the little squares in the email report?)

So, again - what makes for a sensible set of tests to run in most cases? Which of the tests should I (or most people in general) have enabled? I understand that every case is different, but I'm assuming (uh-oh) that there are a basic set of tests that should be enabled for most use cases?

This is a basic gentoo linux server, running iptables, postfix, dovecot, mailman, apache, and squirrelmail (soon to be roundcube).

I really appreciate your helping out a noob... :)

--
Best regards,
Charles
Re: [Rkhunter-users] Which tests do you enable?
On 12/3/2009, Brian McKee (m...@map-heb.com) wrote:
> Look at the --cronjob option, which implies the --nocolors option.

Ah... cool, thanks. :)

--
Best regards,
Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6200 x224
678.514.6299 fax
Re: [Rkhunter-users] Which tests do you enable?
On Thu, 2009-12-03 at 11:56 -0500, Tanstaafl wrote:
> On 12/2/2009 2:11 PM, John Horne wrote:
> > > Now, I am only apparently running two tests: File properties, and rootkits.
> >
> > You need to check your config file to see what tests have been disabled.
>
> Well, like I said before, I'm new to rkhunter, so I basically just left it at the defaults. I'm using gentoo, so those are what the gentoo ebuild maintainer set them to:
>
>   DISABLE_TESTS=apps deleted_files hidden_procs loaded_modules packet_cap_apps suspscan

These are the default supplied disabled tests (apart from apps). So, it means you are running the usual tests.

> I added the 'apps' to the above, so, subtract that, and that is what the defaults were set to after installation.
>
> > However, even without the apps test you should have whole sections of tests stating what they are doing:
> >
> >   Checking system commands... (which includes the file properties test, but is not restricted to just that)
> >   Checking the network...
> >   Checking the local host...
>
> I do see these in the log, but not in the email summary I get (see below)?
>
> Here is the email result of last night's test:
>
> * Bgn
> [ Rootkit Hunter version 1.3.4 ]
>
> [1;33mChecking rkhunter data files...[0;39m
>   Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
>   Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
>   Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
>   Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
>   Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
>   Checking file i18n/de[38C[ [1;32mNo update[0;39m ]
>   Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
>   Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
>   Checking file i18n/zh.utf8[33C[ [1;32mNo update[0;39m ]

This is the output of running 'rkhunter --update'. These files rarely change, but you should use '--update' every so often just in case they do change.

As already mentioned the 'funny characters' above are due to coloured output. You should get your maintainer to change the options and use '--nocolors', or '--cronjob' if that is more appropriate.

> System checks summary
> =
>
> File properties checks...
>     Files checked: 136
>     Suspect files: 0
>
> Rootkit checks...
>     Rootkits checked : 116
>     Possible rootkits: 0
>
> Applications checks...
>     All checks skipped
>
> The system checks took: 1 minute and 15 seconds
>
> All results have been written to the logfile (/var/log/rkhunter.log)
>
> No warnings were found while checking the system.

This is just the summary, and again can be seen by using something like 'rkhunter --check -q --summary' (I think). It shows no warnings were found, so nothing to worry about.

> * End
>
> (also - what's with the little squares in the email report?)
>
> So, again - what makes for a sensible set of tests to run in most cases? Which of the tests should I (or most people in general) have enabled? I understand that every case is different, but I'm assuming (uh-oh) that there are a basic set of tests that should be enabled for most use cases?

I would say leave things as they are. You seem to be running the standard tests that most RKH users run. As far as I can tell you aren't being shown the tests being run, or their results, but just the summary. That's fine. In which case just take note as to whether any warnings were found or not. If any are found then look in the log file, it will give more details of what was wrong.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287  Fax: +44 (0)1752 587001
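As an added example (not part of the thread, nor rkhunter's own code): a small POSIX shell post-processor for the mailed summary discussed above. It strips the colour/cursor escapes that show up as "little squares" when rkhunter runs without --nocolors or --cronjob, reads the suspect-file and possible-rootkit counts from the "System checks summary" block, and decides whether /var/log/rkhunter.log needs a closer look. The sample report is constructed from the one quoted in the thread, with the escape bytes put back; sed, awk and grep are assumed available.

```sh
#!/bin/sh
# Added example, not from the thread: post-process a mailed rkhunter summary.

ESC=$(printf '\033')

# Drop SGR colour codes (ESC[1;32m, ESC[0;39m) and cursor moves (ESC[34C) that
# appear as "little squares" when rkhunter is run without --nocolors/--cronjob.
strip_ansi() {
    sed "s/${ESC}\[[0-9;]*[A-Za-z]//g"
}

# Print suspect files + possible rootkits from the "System checks summary"
# block; 0 means the file-properties and rootkit tests were clean.
suspect_total() {
    strip_ansi | awk -F: '
        /Suspect files/     { s += $2 }
        /Possible rootkits/ { r += $2 }
        END { print s + r + 0 }'
}

# Exit 0 when the report says no warnings were found and both suspect counts
# are zero; otherwise exit 1, meaning /var/log/rkhunter.log holds the details.
report_is_clean() {
    clean=$(strip_ansi)
    echo "$clean" | grep -q 'No warnings were found' || return 1
    [ "$(echo "$clean" | suspect_total)" -eq 0 ]
}

# Constructed sample, modelled on the mailed report quoted in the thread.
SAMPLE="$(printf '%s\n' \
  "${ESC}[1;33mChecking rkhunter data files...${ESC}[0;39m" \
  "Checking file mirrors.dat${ESC}[34C[ ${ESC}[1;32mNo update${ESC}[0;39m ]" \
  "System checks summary" \
  "File properties checks..." \
  "    Files checked: 136" \
  "    Suspect files: 0" \
  "Rootkit checks..." \
  "    Rootkits checked : 116" \
  "    Possible rootkits: 0" \
  "No warnings were found while checking the system.")"

if echo "$SAMPLE" | report_is_clean; then
    echo "clean: nothing to do"
else
    echo "check /var/log/rkhunter.log"
fi
```

Piping the real mail body through report_is_clean from a cron wrapper gives a single exit status to act on, while the log file remains the place to read the actual warning text.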
[Rkhunter-users] Website causes Mozilla to abort?
When I went to the sourceforge page to download 1.3.6, it caused Mozilla to abort, closing the window it was running in. Tried again with same results. And again. The page mostly loads, so I can see what is selectable, but before it finishes, it causes the program to blow up.

I wonder what's up?

Mike

--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!