LinuxQuestions.org
Old 02-13-2009, 09:52 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

A little help in interpreting the results from rkhunter please


I just installed rkhunter and chkrootkit on my Ubuntu 8.04 machine. chkrootkit shows all is clean. rkhunter told me that "ssh is enabled for root" - even though there is no root account in the conventional sense in Ubuntu I added "PermitRootLogin no" to /etc/ssh/sshd_config and restarted sshd. Here are the other results. I do not know what to make of them.
Quote:
[10:31:56] Checking /dev for suspicious file types [ Warning ]
[10:31:56] Warning: Suspicious files found in /dev:
[10:31:56] /dev/shm/pulse-shm-2926552250: data
[10:31:56] Checking for hidden files and directories [ Warning ]
[10:31:57] Warning: Hidden directory found: /dev/.static
[10:31:57] Warning: Hidden directory found: /dev/.udev
[10:31:57] Warning: Hidden directory found: /dev/.initramfs
I have learned that shm has to do with shared memory and I think .initramfs has to do with a ramdisk. Other than that I have no idea if any of the warnings are of any significance.

Thanks for any enlightenment.

Ken

p.s. just finished a second run of rkhunter - it still thinks that root access for ssh is enabled(?)

Last edited by taylorkh; 02-13-2009 at 09:54 AM. Reason: more info from second run
 
Old 02-13-2009, 10:05 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

I have /dev/.udev. The use of udev/hal/dbus to automatically mount devices and alternate names makes use of these hidden directories. So this is a false positive. The pulse-shm line is OK.

Do you have "PermitRootLogin No"? If you do, perhaps it didn't match the case, but this is just a guess.
 
Old 02-13-2009, 10:19 AM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks jschiwal. I found the same warnings on a second machine. I guess false positives are not too uncommon. As to the root thing... There was no PermitRootLogin statement to start with. I copied the string from a page on go2linux.org. I tried "No" and the system barfed when I restarted sshd so I guess "no" is correct.

Ken
 
Old 02-13-2009, 11:30 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by jschiwal View Post
I have /dev/.udev. The use of udev/hal/dbus to automatically mount devices and alternate names make use of these hidden directories. So this is a false positive.
Minor nit, doesn't mean I don't acknowledge shortcuts in practice, but something is not a FP because you or I say it is. Something is a FP if you can verify, using independent and trustworthy means, it is.


Quote:
Originally Posted by taylorkh View Post
I guess false positives are not too uncommon.
No, they aren't. That's why whitelisting examples are listed in rkhunter.conf and the FAQ.
 
Old 02-13-2009, 06:41 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

unSpawn: Point taken. I should have said "probably a false positive". Examining the items to see if anything is amiss would be prudent.

I noticed that the "PermitRootLogin" line is missing from the initial /etc/ssh/sshd_config after installation. IIRC, the default is yes, so adding "PermitRootLogin no" will fix that problem.

There is another rootkit scanner, chkrootkit. One began as an upgrade of the other. The author runs both himself.

Also, look at this blog post. Lynis is written by the team that wrote rkhunter. It checks for configuration errors.
http://saschasbacktrace.blogspot.com...per-lynis.html

The build shown may be configured for SuSE, I haven't looked at it yet. ( Found it looking for the name "chkrootkit". I had forgotten it temporarily.)
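The two sshd points raised in this thread (posts #2 and #5: the missing "PermitRootLogin" line defaults to yes, and "No" is rejected while "no" works) can be checked directly rather than guessed. The script below is an added example, not code from the thread or from rkhunter; it reports the value sshd will actually use from a given sshd_config, following sshd's own rules: the first matching keyword wins, the keyword is matched case-insensitively, the argument is case-sensitive and must be one of the documented values, and directives after a "Match" line are conditional and do not set the global value. The sample configuration files are constructed inline for demonstration; on a real system you would point the function at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective PermitRootLogin
# value of an sshd_config the way sshd does, so a scanner warning can be
# confirmed or dismissed by looking at the configuration itself.

effective_permit_root_login() {
    # $1 = path to an sshd_config file.
    # Prints one of:
    #   yes | no | without-password | forced-commands-only   (explicit value)
    #   "yes (default)"   when no global PermitRootLogin line exists
    #   "INVALID:<arg>"   when the argument is one sshd would reject (e.g. "No")
    [ -r "$1" ] || { echo "ERROR:unreadable" ; return 1; }
    awk '
        # Skip blank lines and comments.
        /^[[:space:]]*(#|$)/ { next }
        # Everything after a Match block header is conditional, so the global
        # section ends here; if nothing matched yet, the default applies.
        tolower($1) == "match" { exit }
        # Keyword is case-insensitive; argument is case-sensitive (first match wins).
        tolower($1) == "permitrootlogin" {
            v = $2
            if (v == "yes" || v == "no" || v == "without-password" || v == "forced-commands-only")
                print v
            else
                print "INVALID:" v
            found = 1
            exit
        }
        END { if (!found) print "yes (default)" }
    ' "$1"
}

# --- Constructed sample configurations (placeholders, not real system files) ---
SAMPLE_DIR=$(mktemp -d)

SAMPLE_NO="$SAMPLE_DIR/sshd_config.no"
printf '%s\n' '# hardened' 'Port 22' '  permitrootlogin no' 'PermitRootLogin yes' > "$SAMPLE_NO"

SAMPLE_MISSING="$SAMPLE_DIR/sshd_config.missing"
printf '%s\n' 'Port 22' 'Protocol 2' '#PermitRootLogin no' > "$SAMPLE_MISSING"

SAMPLE_BADCASE="$SAMPLE_DIR/sshd_config.badcase"
printf '%s\n' 'Port 22' 'PermitRootLogin No' > "$SAMPLE_BADCASE"

SAMPLE_AFTER_MATCH="$SAMPLE_DIR/sshd_config.match"
printf '%s\n' 'Port 22' 'Match Address 10.0.0.0/8' '    PermitRootLogin no' > "$SAMPLE_AFTER_MATCH"

# Demonstration when run stand-alone.
for f in "$SAMPLE_NO" "$SAMPLE_MISSING" "$SAMPLE_BADCASE" "$SAMPLE_AFTER_MATCH"; do
    printf '%-40s -> %s\n' "$(basename "$f")" "$(effective_permit_root_login "$f")"
done
```

The second sample shows why a commented-out line does nothing, and the fourth shows why a "PermitRootLogin no" placed under a Match block still leaves root login enabled for everyone else. After editing the real file, restart sshd and re-run rkhunter; rkhunter reads the same file and compares the value with its own ALLOW_SSH_ROOT_USER setting in rkhunter.conf, so an "INVALID" result here is exactly the situation where sshd refuses to start and the warning persists.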