On 04.03.2012 12:49, Julien Valroff wrote:
> Hi Thomas,
>
> On Sunday 04 March 2012 at 11:33:50 (+0100 CET), Thomas Lamy wrote:
> [...]
> > After configuring rkhunter, filtering false positives etc, I get this daily
> > report:
> >
> > ---
> > Warning: Checking for files with suspicious contents [ Warning ]
> And what triggers this warning? You can check this in /var/log/rkhunter.log
>
> I guess you have missed a file in your whitelist or something like that.
>
> Cheers,
> Julien


From the log:
[06:27:59]   Performing check of files with suspicious contents
[06:27:59] Info: Starting test name 'suspscan'
[06:27:59]     Directories to check are: /tmp /var/tmp
[06:27:59]     Temporary directory to use: /dev/shm
[06:27:59]     Maximum file size to check (in bytes): 10240000
[06:27:59]     Score threshold is set to: 200
[06:29:20]     Checking directory: '/tmp'
[06:29:20]       File checked: Name: '/tmp/mysql-30seconds.png' Score: 10
[06:29:20]       File checked: Name: '/tmp/lav-3day.png' Score: 20
[06:29:20]       File checked: Name: '/tmp/mem-3day.png' Score: 20
[....]
[06:29:21]       File checked: Name: '/tmp/mailq-3day.png' Score: 20
[06:29:21]       File checked: Name: '/tmp/mysql-3day.png' Score: 31
[06:29:21]       File ignored: empty: '/tmp/#sql_365a_0.MYD'
[06:29:21]       File checked: Name: '/tmp/service.lock' Score: 0
[06:29:21]       File ignored: empty: '/tmp/fileonso16'
[06:29:21]       File ignored: empty: '/tmp/fileAu7HQu'
[06:29:21]       File ignored: empty: '/tmp/fileaE9yRm'
[06:29:21]     Checking directory: '/var/tmp'
[06:29:21] Warning: Checking for files with suspicious contents [ Warning ]
[06:29:21]

None of the files has a score >= 200.
....
[06:29:27] System checks summary
[06:29:27] =====================
[06:29:27]
[06:29:27] File properties checks...
[06:29:27] Files checked: 131
[06:29:27] Suspect files: 0
[06:29:27]
[06:29:27] Rootkit checks...
[06:29:27] Rootkits checked : 244
[06:29:27] Possible rootkits: 0
[06:29:27]

Even from rkh's log I would not expect to get a warning mail; everything is whitelisted and/or below reporting thresholds.

Unfortunately, the level of shell scripting needed to track this down is beyond my skills...

Sincerely
Thomas
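Since the question above comes down to shell scripting, here is an added example (not from the thread and not rkhunter's own code) that reads a log extract in the format quoted above, reports the highest suspscan score seen, and lists any file whose score reaches the stated threshold, which makes it easy to confirm whether a file score can be the source of the warning at all. It assumes only the line formats visible in the quoted log; the sample log is constructed from those lines.

```shell
#!/bin/sh
# Added example, not part of the thread: pull the per-file scores out of the
# 'suspscan' section of an rkhunter log and check them against the threshold.
# Assumes only the line formats visible in the log quoted above.

# Constructed sample, shaped like the quoted log (scores as on the page).
SAMPLE_LOG=$(cat <<'EOF'
[06:27:59] Info: Starting test name 'suspscan'
[06:27:59]     Score threshold is set to: 200
[06:29:20]       File checked: Name: '/tmp/mysql-30seconds.png' Score: 10
[06:29:20]       File checked: Name: '/tmp/lav-3day.png' Score: 20
[06:29:21]       File checked: Name: '/tmp/mysql-3day.png' Score: 31
[06:29:21]       File ignored: empty: '/tmp/#sql_365a_0.MYD'
[06:29:21]       File checked: Name: '/tmp/service.lock' Score: 0
[06:29:21] Warning: Checking for files with suspicious contents [ Warning ]
EOF
)

# Read a log on stdin; print "score<TAB>path" for every checked file whose
# score is at or above the threshold stated in the log. Prints nothing if
# no file reaches it (or if no threshold line was seen).
suspscan_over_threshold() {
    awk -v q="'" '
        BEGIN { thr = "" }
        /Score threshold is set to:/ { thr = $NF + 0; next }
        /File checked: Name:/ {
            score = $NF + 0
            path = substr($0, index($0, q) + 1)        # text after the opening quote
            path = substr(path, 1, index(path, q) - 1)  # text before the closing quote
            if (thr != "" && score >= thr) printf "%d\t%s\n", score, path
        }'
}

# Read a log on stdin; print the highest score among the checked files.
suspscan_max_score() {
    awk 'BEGIN { max = 0 }
         /File checked: Name:/ { if ($NF + 0 > max) max = $NF + 0 }
         END { print max }'
}

# Stand-alone run against the sample: prints "max score: 31" and no listing.
printf 'max score: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | suspscan_max_score)"
printf '%s\n' "$SAMPLE_LOG" | suspscan_over_threshold
```

On a real system run it as `suspscan_over_threshold < /var/log/rkhunter.log`; an empty listing together with the warning means the trigger is not a file score.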