Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Mon, 2018-06-18 at 10:35 +, Kielbasiewicz, Peter wrote:
> I had tried this option before but it only works on USER files.
> Files like /etc/passwd or group are built in system files.
>
Hi,

Okay, I see the problem. Your root account PATH includes '/etc'. Although your
server will find the actual 'passwd' command in an earlier PATH directory, RKH
checks all the directories to ensure that any links or copies of commands are
detected. As such '/etc/passwd' gets added to the list of files which are to
have their properties checked (and cannot be modified).
(The test worked for me because my root account doesn't include '/etc'.)

I'm not too sure what to do about this. I'll have to think about it.


John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

[http://www.plymouth.ac.uk/images/email_footer.gif]

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, Plymouth University accepts no responsibility for viruses and it is your 
responsibility to scan emails and their attachments. Plymouth University does 
not accept responsibility for any changes made after it was sent. Nothing in 
this email or its attachments constitutes an order for goods or services unless 
accompanied by an official order form.
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
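
The PATH lookup described in the reply above can be reproduced outside rkhunter. This is an added example, not part of the thread and not rkhunter's own code: it lists every regular file in the PATH directories whose name equals a given command name and marks the non-executable ones as data. The function names, the caller-supplied name list and the constructed demo tree are assumptions of the example.

```shell
#!/bin/sh
# Added example (not rkhunter code): find files in PATH directories whose
# name equals a command name, e.g. '/etc/passwd' when PATH contains '/etc'.

# path_name_matches PATH_STRING NAME...
# Prints "<exec|data> <file>" for each regular file DIR/NAME, in PATH order.
# Uses plain (global) variables because POSIX sh has no 'local'.
path_name_matches() {
    path_string=$1
    shift
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while PATH is split on ':'
    for dir in $path_string; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.  # an empty PATH element means the current directory
        for name in "$@"; do
            file=$dir/$name
            [ -f "$file" ] || continue
            if [ -x "$file" ]; then kind=exec; else kind=data; fi
            printf '%s %s\n' "$kind" "$file"
        done
    done
    IFS=$old_ifs
    set +f
}

# data_matches PATH_STRING NAME...
# Prints only the non-executable matches; returns 0 if there is at least one.
# These are data files that share a name with a command, which is the
# situation the thread describes for /etc/passwd.
data_matches() {
    found=$(path_name_matches "$@" | sed -n 's/^data //p')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed demo tree: bin/ holds an executable 'passwd', etc/ holds a
# data file of the same name. Nothing on the real system is read.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/etc"
    printf '#!/bin/sh\n' > "$root/bin/passwd"
    chmod 755 "$root/bin/passwd"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$root/etc/passwd"
    chmod 644 "$root/etc/passwd"
    path_name_matches "$root/bin:$root/etc" passwd
    rm -rf "$root"
}
demo
```

To check a live system, call `path_name_matches "$PATH" passwd` from root's shell; a `data /etc/passwd` line means '/etc' is in that PATH.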


Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Wed, 2018-06-20 at 09:55 +, Kielbasiewicz, Peter wrote:
> Hi John,
> I have systems with rkhunter 1.4.0, 1.4.2 and 1.4.6 as I use the rkhunter
> from the official Ubuntu repos.
> I have tested it on a latest Ubuntu 18.04 LTS which has rkhunter 1.4.6 as
> shown below in the propupd segment.
> The --debug option gave no output

Correct because it writes everything to a debug file. Look in /tmp.


John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread Kielbasiewicz, Peter
Hi John,
I have systems with rkhunter 1.4.0, 1.4.2 and 1.4.6 as I use the rkhunter from 
the official Ubuntu repos.
I have tested it on a latest Ubuntu 18.04 LTS which has rkhunter 1.4.6 as shown 
below in the propupd segment.
The --debug option gave no output and the problem with the cron job is still 
there if I run it without the --debug option.
Strange to me though the latest output did give slightly different warnings as 
shown below.

Peter

...
DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd
...

# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 181 files, found 155
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --enable properties --debug
# rkhunter --cronjob --rwo
Warning: The file properties have changed:
 File: /etc/passwd
 Current hash: 62c4b7b0c08c72ece48f1bfcf4c5d17c84371b5cc7ea3d31bde0a8c781905068
 Stored hash : bbbc0647692a5a98a7aafd5c0a5910dbef4d41ee6f1e96c565a98c2ce5013dae
 Current inode: 1577114    Stored inode: 1577115
 Current size: 3044    Stored size: 3045
 Current file modification time: 1529487378 (20-Jun-2018 11:36:18)
 Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo --debug
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo --debug
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo
Warning: The file properties have changed:
 File: /etc/passwd
 Current inode: 1577114    Stored inode: 1577115
 Current file modification time: 1529488189 (20-Jun-2018 11:49:49)
 Stored file modification time : 1529487306 (20-Jun-2018 11:35:06)



-Original Message-
Sent: Mittwoch, 20. Juni 2018 11:08
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Wed, 2018-06-20 at 04:47 +, Kielbasiewicz, Peter wrote:
> Sorry John,
> no change.
> Did YOU ever try it on your machine?
>
Yes. It worked fine.

You are running rkhunter version 1.4.6?

Can you leave the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the config file 
and make a change to the /etc/passwd file. Then run 'rkhunter --enable 
properties --debug' and send me the output file found in /tmp please.



John.


Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-20 Thread John Horne
On Wed, 2018-06-20 at 04:47 +, Kielbasiewicz, Peter wrote:
> Sorry John,
> no change.
> Did YOU ever try it on your machine?
>
Yes. It worked fine.

You are running rkhunter version 1.4.6?

Can you leave the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the config file
and make a change to the /etc/passwd file. Then run 'rkhunter --enable
properties --debug' and send me the output file found in /tmp please.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread Kielbasiewicz, Peter
Sorry John,
no change.
Did YOU ever try it on your machine?
I wonder if it is possibly distro dependent.

# grep -e DISABLE_TESTS -e USER_FILEPROP_FILES /etc/rkhunter.conf.local
DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd

# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 179 files, found 162
# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
# rkhunter --cronjob --rwo
Warning: The file properties have changed:
 File: /etc/passwd
 Current hash: 8d8d9f0c04a5af1ad313b0fcf68e1bf0234964db8a6300330d5528cec0291306
 Stored hash : 07b9812cafc0e00ec278c8037f8a7923e81bf48ba05fd971eecfad692ca7a42e
 Current inode: 795719    Stored inode: 795717
 Current size: 166673    Stored size: 166674
 Current file modification time: 1529469637 (20-Jun-2018 06:40:37)
 Stored file modification time : 1529456603 (20-Jun-2018 03:03:23)

regards
 Peter

-Original Message-
Sent: Dienstag, 19. Juni 2018 15:30
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Tue, 2018-06-19 at 10:41 +, Kielbasiewicz, Peter wrote:
> Sorry for the confusion.
> I did copy the wrong statement in my last answer.
> Of course I had added the values shown below
> DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
> EXCLUDE_USER_FILEPROP_FILES_DIRS="etc/passwd"
>
Remove the double-quotes. Also you need a '/' before 'etc' - that is:

EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd



John.


The information contained in this message may be confidential and legally 
protected under applicable law. The message is intended solely for the 
addressee(s). If you are not the intended recipient, you are hereby notified 
that any use, forwarding, dissemination, or reproduction of this message is 
strictly prohibited and may be unlawful. If you are not the intended recipient, 
please contact the sender by return e-mail and destroy all copies of the 
original message.


Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread John Horne
On Tue, 2018-06-19 at 10:41 +, Kielbasiewicz, Peter wrote:
> Sorry for the confusion.
> I did copy the wrong statement in my last answer.
> Of course I had added the values shown below
> DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
> EXCLUDE_USER_FILEPROP_FILES_DIRS="etc/passwd"
>
Remove the double-quotes. Also you need a '/' before 'etc' - that is:

EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/passwd



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread Kielbasiewicz, Peter
Sorry for the confusion.
I did copy the wrong statement in my last answer.
Of course I had added the values shown below
DISABLE_TESTS=passwd_changes group_changes deleted_files suspscan
EXCLUDE_USER_FILEPROP_FILES_DIRS="etc/passwd"

But still after a change to /etc/passwd the command rkhunter --cronjob --rwo 
reports the following warning on my ubuntu 16.04 LTS.
Warning: The file properties have changed:
 File: /etc/passwd
 Current hash: 8d8d9f0c04a5af1ad313b0fcf68e1bf0234964db8a6300330d5528cec0291306
 Stored hash : a75a2f6cc6136ba5875078d4d96cdb7977ee764a681b2027b9fec9057aaa23d3
 Current inode: 795718    Stored inode: 795719
 Current size: 166673    Stored size: 166674
 Current file modification time: 1529404430 (19-Jun-2018 12:33:50)
 Stored file modification time : 1529404397 (19-Jun-2018 12:33:17)

Does it really work on your machine ?

Regards
  Peter


-Original Message-
From: John Horne 
Sent: Dienstag, 19. Juni 2018 11:42
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Tue, 2018-06-19 at 05:24 +, Kielbasiewicz, Peter wrote:
> As I said, I had tried it before.
> I added
> USER_FILEPROP_FILES_DIRS="/etc/passwd"
> to rkhunter.conf.local but still got messages that the checksum of
> passwd had changed.
>
Yes, you will. That option says to monitor the file for changes.
I said to use the 'EXCLUDE_USER_FILEPROP_FILES_DIRS' option.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-19 Thread John Horne
On Tue, 2018-06-19 at 05:24 +, Kielbasiewicz, Peter wrote:
> As I said, I had tried it before.
> I added
> USER_FILEPROP_FILES_DIRS="/etc/passwd"
> to rkhunter.conf.local but still got messages that the checksum of passwd had
> changed.
>
Yes, you will. That option says to monitor the file for changes.
I said to use the 'EXCLUDE_USER_FILEPROP_FILES_DIRS' option.



John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-18 Thread Kielbasiewicz, Peter
As I said, I had tried it before.
I added
USER_FILEPROP_FILES_DIRS="/etc/passwd"
to rkhunter.conf.local but still got messages that the checksum of passwd had 
changed.
You can try it easily by just adding a blank somewhere in a gcos field, run 
rkhunter --propupd and rkhunter --cronjob --rwo.
In rkhunter.conf it says:
  # NOTE: Only files and directories which have been added by the user,
  # and are not part of the internal lists, can be excluded.
So I assumed /etc/passwd is on an internal list.

Peter


-Original Message-
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Mon, 2018-06-18 at 10:35 +, Kielbasiewicz, Peter wrote:
> I had tried this option before but it only works on USER files.
>
Not really. It is not possible to disable some commands, but /etc/passwd is 
just a data file.

John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-18 Thread John Horne
On Mon, 2018-06-18 at 10:35 +, Kielbasiewicz, Peter wrote:
> I had tried this option before but it only works on USER files.
>
Not really. It is not possible to disable some commands, but /etc/passwd is
just a data file.




John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-18 Thread Kielbasiewicz, Peter
I had tried this option before but it only works on USER files.
Files like /etc/passwd or group are built in system files.
The only option to disable the warnings is to disable file properties testing 
for ALL files.
Security wise I think it is not a good solution but unfortunately there seems 
to be no alternative.

Peter


-Original Message-
From: John Horne 
Sent: Donnerstag, 14. Juni 2018 21:46
To: rkhunter-users@lists.sourceforge.net
Subject: Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about 
file property changes

On Thu, 2018-06-14 at 05:48 +, Kielbasiewicz, Peter wrote:
> I support >200 RnD Linux Boxes and maintain a local mechanism to
> monitor and update passwd and group files.
> So I needed to disable the test for group_accounts as changes to these
> files occur consolidated on all machines and I want to avoid daily
> warnings from every host on this as these are likely to obfuscate real 
> problems.
> Alas rkhunter still complains about file property changes so I needed
> to disable the test on file properties too.
> In general I think it is good  to monitor file property changes but I
> did not find a way to disable the test on individual system files.
> Is there a trick to do this?
>
Hi,

Take a look at the EXCLUDE_USER_FILEPROP_FILES_DIRS option.


John.



Re: [Rkhunter-users] DISABE_TESTS=group_accounts still complains about file property changes

2018-06-14 Thread John Horne
On Thu, 2018-06-14 at 05:48 +, Kielbasiewicz, Peter wrote:
> I support >200 RnD Linux Boxes and maintain a local mechanism to monitor and
> update passwd and group files.
> So I needed to disable the test for group_accounts as changes to these files
> occur consolidated on all machines and I want to avoid daily warnings from
> every host on this as these are likely to obfuscate real problems.
> Alas rkhunter still complains about file property changes so I needed to
> disable the test on file properties too.
> In general I think it is good  to monitor file property changes but I did not
> find a way to disable the test on individual system files.
> Is there a trick to do this?
>
Hi,

Take a look at the EXCLUDE_USER_FILEPROP_FILES_DIRS option.


John.
