I have a doubt (sorry, not exactly related to this mail ...)<div><br></div><div>Does rkhunter only suggest unhide.rb, or is it a Debian decision?</div><div><br></div><div>Thank you<br><br><div class="gmail_quote">2012/12/4 Frederik Himpe <span dir="ltr"><<a href="mailto:fhimpe@vub.ac.be" target="_blank">fhimpe@vub.ac.be</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Package: rkhunter<br>
Version: 1.4.0-1<br>
Severity: normal<br>
<br>
When unhide.rb (recommended by rkhunter) is installed, this results in a spurious<br>
warning because unhide.rb is a Ruby script and not a binary file:<br>
[09:47:05]   /usr/bin/unhide.rb                              [ Warning ]<br>
[09:47:05] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text<br>
<br>
I had to add:<br>
SCRIPTWHITELIST=/usr/bin/unhide.rb<br>
<br>
to rkhunter.conf to stop this warning. This should probably be done by default.<br>
<br>
-- System Information:<br>
Debian Release: wheezy/sid<br>
  APT prefers testing<br>
  APT policy: (300, 'testing'), (200, 'unstable')<br>
Architecture: amd64 (x86_64)<br>
<br>
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)<br>
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)<br>
Shell: /bin/sh linked to /bin/dash<br>
<br>
Versions of packages rkhunter depends on:<br>
ii  binutils               2.22-7.1<br>
ii  debconf [debconf-2.0]  1.5.46<br>
ii  file                   5.11-2<br>
ii  net-tools              1.60-24.2<br>
ii  perl                   5.14.2-15<br>
ii  ucf                    3.0025+nmu3<br>
<br>
Versions of packages rkhunter recommends:<br>
ii  curl                                       7.28.0-3<br>
ii  elinks                                     0.12~pre5-9<br>
ii  exim4-daemon-light [mail-transport-agent]  4.80-5.1<br>
ii  iproute                                    20120521-3<br>
ii  lsof                                       4.86+dfsg-1<br>
ii  unhide.rb                                  13-1<br>
ii  wget                                       1.14-1<br>
<br>
Versions of packages rkhunter suggests:<br>
ii  bsd-mailx [mailx]         8.1.2-0.20111106cvs-1<br>
pn  libdigest-whirlpool-perl  <none><br>
pn  liburi-perl               <none><br>
pn  libwww-perl               <none><br>
pn  powermgmt-base            <none><br>
pn  tripwire                  <none><br>
<br>
-- Configuration Files:<br>
/etc/rkhunter.conf changed:<br>
ROTATE_MIRRORS=1<br>
UPDATE_MIRRORS=1<br>
MIRRORS_MODE=0<br>
MAIL-ON-WARNING="root"<br>
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"<br>
TMPDIR=/var/lib/rkhunter/tmp<br>
DBDIR=/var/lib/rkhunter/db<br>
SCRIPTDIR=/usr/share/rkhunter/scripts<br>
UPDATE_LANG=""<br>
LOGFILE=/var/log/rkhunter.log<br>
APPEND_LOG=0<br>
COPY_LOG_ON_ERROR=0<br>
COLOR_SET2=0<br>
AUTO_X_DETECT=1<br>
WHITELISTED_IS_WHITE=0<br>
ALLOW_SSH_ROOT_USER=no<br>
ALLOW_SSH_PROT_V1=0<br>
ENABLE_TESTS="all"<br>
DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"<br>
SCRIPTWHITELIST=/bin/egrep<br>
SCRIPTWHITELIST=/bin/fgrep<br>
SCRIPTWHITELIST=/bin/which<br>
SCRIPTWHITELIST=/usr/bin/groups<br>
SCRIPTWHITELIST=/usr/bin/ldd<br>
SCRIPTWHITELIST=/usr/bin/lwp-request<br>
SCRIPTWHITELIST=/usr/sbin/adduser<br>
SCRIPTWHITELIST=/usr/sbin/prelink<br>
SCRIPTWHITELIST=/usr/bin/unhide.rb<br>
IMMUTABLE_SET=0<br>
PHALANX2_DIRTEST=0<br>
ALLOW_SYSLOG_REMOTE_LOGGING=0<br>
SUSPSCAN_TEMP=/dev/shm<br>
SUSPSCAN_MAXSIZE=10240000<br>
SUSPSCAN_THRESH=200<br>
USE_LOCKING=0<br>
LOCK_TIMEOUT=300<br>
SHOW_LOCK_MSGS=1<br>
DISABLE_UNHIDE=1<br>
INSTALLDIR="/usr"<br>
<br>
<br>
-- debconf information:<br>
* rkhunter/apt_autogen: true<br>
* rkhunter/cron_daily_run: true<br>
* rkhunter/cron_db_update: true<br>
<br>
_______________________________________________<br>
forensics-devel mailing list<br>
<a href="mailto:forensics-devel@lists.alioth.debian.org">forensics-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel</a><br>
</blockquote></div><br></div>
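The check behind the quoted warning, and the effect of the SCRIPTWHITELIST line the report adds, as an added example that is neither rkhunter's own code nor part of the bug report. It assumes a file is a script when it begins with "#!" (rkhunter itself asks the `file` command, as the warning text shows); the paths and config files are constructed fixtures.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a simplified model of the
# "command replaced by a script" check and of SCRIPTWHITELIST handling.
# rkhunter decides with the `file` command; here a file counts as a script
# when it begins with "#!" so the example runs without `file` installed.
# All paths and config contents below are constructed fixtures.
set -u

# Return 0 when the file begins with "#!" (a script), 1 otherwise.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# Print each SCRIPTWHITELIST value of an rkhunter.conf-style file, one per
# line; the option may be repeated and every occurrence counts (unquoted).
script_whitelist() {
    sed -n 's/^[[:space:]]*SCRIPTWHITELIST=//p' "$1"
}

# Classify one command path: "OK" (binary), "Whitelisted" (script listed in
# the config, so the check is silenced) or a Warning line like rkhunter's.
check_command() {
    cmd=$1; conf=$2
    if ! is_script "$cmd"; then
        echo "OK"
    elif script_whitelist "$conf" | grep -qxF -- "$cmd"; then
        echo "Whitelisted"
    else
        echo "Warning: The command '$cmd' has been replaced by a script"
    fi
}

# Build a throwaway tree with a Ruby script and an ELF-like binary, then
# run the check with and without the whitelist entry from the report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf '#!/usr/bin/ruby\nputs "unhide"\n' > "$tmp/usr/bin/unhide.rb"
    printf '\177ELF\002\001\001' > "$tmp/usr/bin/ls"    # ELF magic only
    printf 'SCRIPTWHITELIST=/bin/egrep\n' > "$tmp/bare.conf"
    { cat "$tmp/bare.conf"; echo "SCRIPTWHITELIST=$tmp/usr/bin/unhide.rb"; } \
        > "$tmp/fixed.conf"
    check_command "$tmp/usr/bin/unhide.rb" "$tmp/bare.conf"   # Warning
    check_command "$tmp/usr/bin/unhide.rb" "$tmp/fixed.conf"  # Whitelisted
    check_command "$tmp/usr/bin/ls" "$tmp/fixed.conf"         # OK
    rm -rf "$tmp"
}

demo
```

Whitelisting matches the exact path only, so the entry silences this one check for /usr/bin/unhide.rb and nothing else.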