LinuxQuestions.org


tsuchan1 09-25-2009 04:24 AM

rkhunter: whitelisting inetd services - talk, ntalk, ident
 
Hi...

I've been trying to make exceptions to suppress these rkhunter warnings, so far without success:

Quote:

Warning: Found enabled inetd service: talk
Warning: Found enabled inetd service: ntalk
Warning: Found enabled inetd service: ident

My best research was that these files may need to be excepted:

/usr/sbin/in.ntalkd
/usr/sbin/in.talkd
/usr/sbin/identd

so I added to /etc/rkhunter.conf:

Code:

INETD_ALLOWED_SVC=/usr/sbin/in.ntalkd
INETD_ALLOWED_SVC=/usr/sbin/in.talkd
INETD_ALLOWED_SVC=/usr/sbin/identd

and ran rkhunter again. But it still gives the same warnings.

If the information helps, the program I believe is using these services is 'utalk', and I'm running it under Debian Linux.

Can anybody tell me the exceptions I need to add to suppress the warnings?

Thanks

- tsu'

unSpawn 09-26-2009 05:10 AM

I think you better report this on the rkhunter-users mailing list or else add a ticket in our bug tracker at Sourceforge.

tsuchan1 09-26-2009 11:55 AM

Ok, I'll do that. (^_^)
Thanks for your advice.

unSpawn 09-30-2009 09:57 AM

Quote:

Originally Posted by tsuchan1 (Post 3697827)
Ok, I'll do that.

It's been four days now and I haven't seen a useradd request for the rkhunter users mailing list or a new ticket in our bug tracker. Are you one of those that say they will but then don't do anything?

tsuchan1 09-30-2009 11:23 AM

Sorry
 
Umm, no... it's just that my post to LinuxQuestions.org was looking for advice on what I might have been doing wrong, after I had made my best efforts and failed. You suggested raising a bug request, which I take as a serious matter, and wanted to run it past the sys admin who gives me occasional help on the box before passing the chance of raising a bug that might still be my user error.

But I'm sorry - I really hadn't guessed that you would be waiting in anticipation of my bug report... I thought my process deliberations would be "too much information". Anyway, I can give an update...

The process I followed immediately before raising this ticket was:
  • Made the changes described above (and others)
  • Re-ran the daily cron, and received exactly the output pasted above

But the next morning, the cron ran automatically and returned only:

Quote:

Warning: Found enabled inetd service: ident

so I was a bit confused by that... other changes I'd made (eg. changing PermitRootLogin setting) had taken effect in the e-mail I triggered manually, so [rhetorical:] had something happened overnight to flush the rest of the settings, or had I made some mistake?

If I raised a bug at this moment, it would be:
  • rkhunter appears not to change all settings immediately the .conf file is updated
  • rkhunter appears not to exclude the inet service "ident" at all.

But as someone who is unaccomplished in Linux, I reasoned that I needed to take advice locally before potentially embarrassing myself and inconveniencing others.

I will raise a bug after I've had my actions reviewed, if they're confirmed; or write another update to this thread if it turns out to have been a fault of my own. But it may be a couple of weeks - the sys admin who can review my steps can only spare me occasional time.

All the best
- tsu'

unSpawn 09-30-2009 03:02 PM

Ah, OK, I see. Thanks for the update. The reason I asked is because we're in the process of finalizing RKH 1.3.6 for release so I'd like to fix all bugs we can Real Soon Now. If it indeed is a bug but I don't have any machines running identd to check on, nor have I seen any related errors on the list. I'd appreciate it if you let us know what your findings are. Thanks in advance!

