On Tue, 2007-10-23 at 21:10 +0100, Arthur Dent wrote:
>
> Well actually I run the script that I found years ago on the web (in the FAQ?)
> It is as follows:
> [EMAIL PROTECTED] ~]# cat scripts/rkhscript.sh 
> #!/bin/sh
> (
> /usr/local/bin/rkhunter --versioncheck
> /usr/local/bin/rkhunter --update
> /usr/local/bin/rkhunter --cronjob --report-warnings-only
> ) | /bin/mail -s 'rkhunter Daily Run' root
> [EMAIL PROTECTED] ~]# 
> 
> I presume I need to add the argument "--nocolors" to the versioncheck line?
>
Yes, but add it to the '--update' line as well. Alternatively, you can
combine it all in one:

 rkhunter --versioncheck --update --cronjob --report-warnings-only | ...

You then don't need the '--nocolors' option because '--cronjob' assumes
it.


>  
> > > 
> > > 2) Deleted files:
> > > 
> > > Warning: The following processes are using deleted files:
> > >          Process: /bin/bash    PID: 4037    File: /dev/pts/0
> > >          Process: /bin/mail    PID: 13513    File: /tmp/Rsw5uchv
> > > 
> > In the first line, the process 4037 is running the /bin/bash command and
> > is using the file /dev/pts/0 for some purpose. However, that file does
> > not exist. In the second line, /bin/mail is using the
> > file /tmp/Rsw5uchv, but that file does not exist either.
> > 
> > What to do is difficult to say since it depends on the process involved.
> > However, it generally implies that something has gone wrong. At work I
> > currently have a web server which shows the web process running with it
> > using 2 deleted files. These files are the (Apache) web log files
> > access_log and error_log. The files should have been created when the
> > service was restarted, but for some reason they were not. The solution
> > in my case is to stop and start the web process, so that it creates the
> > files it needs. In your case I would suggest seeing who is running these
> > processes and what they are doing. The 'mail' command I would suspect is
> > transient, so it may be that a user was doing something odd but that
> > they have now closed the mail command. Hence if you run RKH again it may
> > not show any warnings.
> 
> Well, process 4037 seems to be "/bin/sh /etc/X11/prefdm -nodaemon" and that
> hasn't changed since I installed v1.3.0. Any ideas? (Mind you, I don't think
> I've rebooted the machine since then. - I'll try that too...)
> As for the mail process - that PID changes every day. Maybe a reboot will sort
> that out as well. I'll keep you posted.
> 
RKH is only going to report what it finds at the time it is run. So it
is possible for it to report deleted files, and the next minute report
none. I suspect if you do something like 'ls -l /dev/pts/0' it will
report that there is no such file (which would agree with what RKH is
saying). However, missing /dev/pts/0 seems a bit odd. A reboot should
fix it.

> 
> > > Warning: Suspicious files found in /dev:
> > >          /dev/shm/suspscan.16568.strings: ASCII English text
> > > 
> > > Why does RKH trigger its own suspect file warning? Should these be
> > > whitelisted or deleted?
> > > 
> > They should be deleted. This is a bug, fixed in CVS. Unfortunately the
> > suspscan process creates a temporary file in /dev/shm, but doesn't
> > remove it. Hence subsequent runs of RKH may treat the file as
> > suspicious. If you want to use the suspscan check regularly, then I
> > would suggest getting a copy of the CVS version. Alternatively, just
> > remember to delete any 'suspscan' files in /dev/shm on a regular basis.
> 
> Ahh... OK, no problem. I've just added a "rm /dev/suspscan.*" line to my
> rkhunter cron script (but haven't tested it yet).
>
That should be '/dev/shm/...'.


>  Are you planning a v1.3.1 release any time soon? 
> 
Well I have a small list of things to fix, let alone adding anything
new. So I doubt it will be too soon. However, that is for unSpawn, the
project leader, to decide.

Also, the next official release will be version 1.3.2. The current CVS
version is 1.3.1. There was an email about the version numbers a short
while ago :-)



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
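The "deleted files" warning discussed above is something you can check by hand before deciding whether a reboot or a restart is needed: every open descriptor of a process is a symlink under /proc/<pid>/fd, and the kernel appends " (deleted)" to the link target once the file has been unlinked. The script below is an added example written for this page, not rkhunter's own check (rkhunter's implementation is not shown in the thread). It walks a /proc-style tree, reports each unlinked target in the same shape as the rkhunter warning, and ships with a constructed sample tree (the PIDs, binaries and file names are taken from the quoted warning; the tree itself is made up) so it can be run offline. The PROC_ROOT argument and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not rkhunter code): list processes holding open file
# descriptors whose target has been unlinked, which is the condition
# behind rkhunter's "processes are using deleted files" warning.
# Reads the /proc tree directly, so lsof is not required.

# find_deleted_files PROC_ROOT
# Prints one line per open descriptor whose link target ends in
# " (deleted)". PROC_ROOT defaults to the live /proc; any other
# directory with the same layout (pid/exe, pid/fd/N) can be passed.
find_deleted_files() {
    proc_root=${1:-/proc}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Descriptors are symlinks; skip anything else (and an unmatched glob).
        [ -L "$fd" ] || continue
        # Reading other users' descriptors needs root; unreadable ones are skipped.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid_dir=${fd%/fd/*}          # .../<pid>
                pid=${pid_dir##*/}
                exe=$(readlink "$pid_dir/exe" 2>/dev/null || echo '?')
                printf 'Process: %s    PID: %s    File: %s\n' \
                    "$exe" "$pid" "${target% (deleted)}"
                ;;
        esac
    done
}

# build_sample_proc: construct a throwaway tree shaped like /proc so the
# scan can be demonstrated offline. Constructed data, not a real system.
build_sample_proc() {
    root=$(mktemp -d)
    # PID 13513: /bin/mail holding an unlinked temporary file (reported).
    mkdir -p "$root/13513/fd"
    ln -s /bin/mail "$root/13513/exe"
    ln -s "/tmp/Rsw5uchv (deleted)" "$root/13513/fd/3"
    # PID 4037: /bin/bash on an ordinary, still-present terminal (not reported).
    mkdir -p "$root/4037/fd"
    ln -s /bin/bash "$root/4037/exe"
    ln -s /dev/pts/0 "$root/4037/fd/0"
    # A socket descriptor, which must not be reported either.
    ln -s "socket:[12345]" "$root/4037/fd/5"
    echo "$root"
}

if [ $# -eq 0 ]; then
    # No argument: demonstrate on the constructed tree.
    find_deleted_files "$(build_sample_proc)"
else
    # Any argument is a /proc-style root, e.g. /proc for the live system.
    find_deleted_files "$1"
fi
```

Run it as root with `/proc` as the argument to compare against what rkhunter reported; without an argument it prints the single constructed hit. Two readings help when interpreting the output: a descriptor on a plain file in /tmp or a log directory usually means the file was removed (or rotated) underneath a still-running process, which is what a restart fixes; a "(deleted)" target on the `exe` link itself means the running binary has been replaced on disk, which is worth checking after a package upgrade and is a different situation from a stale log file.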

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users