LinuxQuestions.org
Old 09-25-2011, 08:58 AM   #1
scam
Member
 
Registered: Jun 2011
Location: UK
Distribution: Slackware 13.1, Slackware 13.37
Posts: 92

Rep: Reputation: Disabled
Rkhunter warnings.


Hi all, I use rkhunter and I'm getting these warnings on the commands adduser, ldd and whereis, and was wondering if this is normal for Slackware. I use rkhunter on FreeBSD and don't get these warnings; this happens even with a fresh install of Slackware. Wondered if anyone else gets the same warnings as I do....

http://pastebin.com/0nXQNUNB
 
Old 09-25-2011, 09:20 AM   #2
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 13.37, 14.0
Posts: 390

Rep: Reputation: 49
I get the same warnings on every Slackware installation. I cannot remember the exact cause, but it has something to do with the modifications of those files. When you are performing system updates or other system maintenance, you modify some of those files (or their properties). After this (you actually don't know what is modified) you confirm that those modifications are something that you know about. Then you use rkhunter --propupd to update this information.
From man:
Quote:
rkhunter --propupd [{filename | directory | package name},...]
One of the checks rkhunter performs is to compare various current file properties of various
commands, against those it has previously stored. This command option causes rkhunter to
update its data file of stored values with the current values.
...
It is the users responsibility to ensure that the files on the system are genuine
and from a reliable source. rkhunter can only report if a file has changed, but not on what has caused the change. Hence, if a file has changed, and the --propupd command option is used, then rkhunter will assume that the file is genuine.
EDITED:
OK, here are some new results. There are these warnings in a new Slackware installation:

Allow the specified commands to be scripts:
Quote:
/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis
It looks like these files are not usual binary executable files but some script-like files.
Solution:
Quote:
SCRIPTWHITELIST="/usr/sbin/adduser /usr/bin/ldd /usr/bin/whatis"

rkhunter.conf file modification. Since you change the configuration file.
Solution:
Quote:
rkhunter --propupd

SSH root login allowed, weak SSH protocol Version1 allowed.
Solution: in /etc/sshd_config
Quote:
Protocol 2
PermitRootLogin=no

Hidden directory in /dev/.udev.
Solution: Whitelist in rkhunter.conf
Quote:
ALLOWHIDDENDIR="/dev/.udev"

Application version checks. Depends on Slackware version.
Solution: either upgrade the listed applications (or OS) or whitelist them.
Quote:
APP_WHITELIST="gpg sshd"

I think that's all.

Last edited by hua; 09-25-2011 at 11:28 AM.
 
1 members found this post helpful.
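Before adding paths to SCRIPTWHITELIST, it helps to confirm that each flagged command really is a script. The following is an added example, not part of any post in this thread; the function names are hypothetical, and the output follows the SCRIPTWHITELIST format quoted in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): check that commands rkhunter flags as
# scripts really start with an interpreter line before whitelisting them.
# All function names here are hypothetical.

# is_script PATH: succeed only if PATH is a regular file whose first two
# bytes are "#!". NUL bytes are dropped so binaries compare cleanly.
is_script() {
    [ -f "$1" ] || return 1
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null | tr -d '\0')" = '#!' ]
}

# script_interpreter PATH: print the interpreter named on the "#!" line.
script_interpreter() {
    head -n 1 "$1" | sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*$//'
}

# build_scriptwhitelist PATH...: print one SCRIPTWHITELIST line on stdout
# containing only the paths that are scripts. Anything else is reported on
# stderr and left out, so it cannot be whitelisted by accident.
build_scriptwhitelist() {
    list=
    for f in "$@"; do
        if is_script "$f"; then
            echo "script: $f (interpreter: $(script_interpreter "$f"))" >&2
            list="${list:+$list }$f"
        else
            echo "NOT a script, investigate before whitelisting: $f" >&2
        fi
    done
    printf 'SCRIPTWHITELIST="%s"\n' "$list"
}

# When run with arguments, treat them as the paths from the rkhunter warnings.
if [ "$#" -gt 0 ]; then
    build_scriptwhitelist "$@"
fi
```

Run it with the flagged paths as arguments; the whitelist line goes to stdout and the per-file report to stderr. A path reported as not being a script belongs in an investigation, not in rkhunter.conf.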
Old 09-26-2011, 11:30 AM   #3
scam
Member
 
Registered: Jun 2011
Location: UK
Distribution: Slackware 13.1, Slackware 13.37
Posts: 92

Original Poster
Rep: Reputation: Disabled
Thanks hua, that solved it. Don't know if anyone uses chkrootkit, but I haven't noticed an update like rkhunter (rkhunter --update).
 
  

