Finally had the time and opportunity to upgrade OpenBSD to 4.2 and rkhunter to 1.3.0
Actually it is an improvement, though not complete. There is still at least one of the 'ksh' problems:

  # rkhunter --update
  [ Rootkit Hunter version 1.3.0 ]
  Checking rkhunter data files...
  Checking file mirrors.dat [ No update ]
  Checking file programs_bad.dat [ No update ]
  Checking file backdoorports.dat [ No update ]
  Checking file suspscan.dat [ No update ]
  /usr/local/bin/rkhunter[12229]: [: file: unexpected operator/operand
  Checking file i18n/cn [ No update ]
  Checking file i18n/en [ No update ]

(of course, I am talking about the '[: file: unexpected')

Also, the daily output looks kind of ugly now:

  [ Rootkit Hunter version 1.3.0 ]
  [1;33mChecking rkhunter version... [0;39m
  This version : 1.3.0
  Latest version: 1.3.0
  [ Rootkit Hunter version 1.3.0 ]
  [1;33mChecking rkhunter data files... [0;39m
  Checking file mirrors.dat [34C[ [1;32mNo update [0;39m ]
  Checking file programs_bad.dat [29C[ [1;32mNo update [0;39m ]
  Checking file backdoorports.dat [28C[ [1;32mNo update [0;39m ]
  Checking file suspscan.dat [33C[ [1;32mNo update [0;39m ]
  Checking file i18n/cn [38C[ [1;32mNo update [0;39m ]
  Checking file i18n/en [38C[ [1;32mNo update [0;39m ]

Finally, I needed to make some changes for a proper run on OpenBSD 4.2 without too many 'wrong' warnings. May I suggest providing some 'basic' rkhunter.conf for the various systems (e.g. through 'uname')? Here is a diff to make it run properly out of the box (I hope Google's formatting doesn't interfere!?):

--- rkhunter.conf.orig Mon Nov 19 18:34:14 2007 +++ rkhunter.conf Mon Nov 19 19:12:12 2007 @@ -276,6 +276,8 @@ #SCRIPTWHITELIST=/sbin/ifup #SCRIPTWHITELIST=/sbin/ifdown #SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/whoami # # Allow the specified commands to have the immutable attribute set.
@@ -303,6 +305,7 @@ #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz #ALLOWHIDDENFILE=/etc/.pwd.lock #ALLOWHIDDENFILE=/etc/.init.state +ALLOWHIDDENFILE=/usr/share/man/cat5/.rhosts.0 # # Allow the specified processes to use deleted files. @@ -329,6 +332,7 @@ # One file per line (use multiple ALLOWDEVFILE lines). # #ALLOWDEVFILE=/dev/abc +ALLOWDEVFILE=/dev/MAKEDEV # # This setting tells rkhunter where the inetd configuration @@ -339,6 +343,12 @@ # # Allow the following enabled xinetd services. # Only one service per line (use multiple INETD_ALLOWED_SVC lines). +INETD_ALLOWED_SVC=daytime +INETD_ALLOWED_SVC=time +INETD_ALLOWED_SVC=ident +INETD_ALLOWED_SVC=127.0.0.1:comsat +INETD_ALLOWED_SVC=[::1]:comsat + # # Below are some Solaris 9 and 10 services that may want to be whitelisted. # @@ -396,6 +406,7 @@ # need to be set. # #SYSTEM_RC_DIR=/etc/rc.d +SYSTEM_RC_DIR=/etc # # This setting tells rkhunter the pathname to the file containing the @@ -441,6 +452,7 @@ # For example: APP_WHITELIST="openssl:0.9.7d gpg:1.2.0" # #APP_WHITELIST="" +APP_WHITELIST="httpd:1.3.29" # # Scan for suspicious files in directories containing temporary files.

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
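Review bot: in the @@ -276 hunk the new `SCRIPTWHITELIST=/usr/bin/groups` line sits directly under the still-commented example `#SCRIPTWHITELIST=/usr/bin/groups`, leaving a duplicate, and nothing records why /usr/bin/groups and /usr/bin/whoami are expected to be scripts on OpenBSD 4.2. Each SCRIPTWHITELIST entry silences the 'command replaced by a script' check for that one path, so add a one-line comment giving the reason and the system it applies to, so the entries get revisited on the next upgrade, and drop the now-redundant commented example.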
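Review bot: `ALLOWHIDDENFILE=/usr/share/man/cat5/.rhosts.0` in the @@ -303 hunk matches by pathname alone, and a later reader of the config has no hint that this is the preformatted rhosts(5) manual page rather than a stray .rhosts file; add a comment naming what the file is, and keep the entry this specific (no directory-wide allowance) so a genuine hidden file elsewhere under /usr/share/man is still reported.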
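Review bot: the INETD_ALLOWED_SVC hunk (@@ -339) mixes bare service names (daytime, time, ident) with address-qualified ones copied from inetd.conf (`127.0.0.1:comsat`, `[::1]:comsat`) and also adds a trailing blank `+` line. Confirm that rkhunter 1.3.0 compares the whole address:service field; if it only looks at the service name, the two comsat entries will never match and the warning stays. The surrounding comment still says 'xinetd', so a note that these are OpenBSD inetd(8) entries would help. Each whitelisted service is also one more listener rkhunter stops reporting, so keep daytime, time and ident here only if they are enabled on purpose rather than left over from the default inetd.conf.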
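Review bot: `SYSTEM_RC_DIR=/etc` in the @@ -396 hunk points the rc-script check at the whole of /etc instead of a dedicated rc directory; add a comment that OpenBSD 4.2 keeps its rc scripts (rc, rc.local) directly in /etc and has no /etc/rc.d, so the next person does not 'correct' the value back to the commented default and lose the check entirely.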
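Review bot: `APP_WHITELIST="httpd:1.3.29"` in the @@ -441 hunk disables the known-vulnerable-version warning for that httpd version, which is a security decision rather than a noise fix. The example line above it shows the intended use, but a comment should record why the reported 1.3.29 is accepted (OpenBSD's base httpd is a locally patched Apache 1.3.29 whose version string does not reflect the patches), and the entry should be reviewed at each OpenBSD release rather than carried forward unchanged.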
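A small added example (my own, not rkhunter's code and not part of this message) for the second complaint, the colour and cursor escape sequences in the daily cron mail: a POSIX sh filter that replaces the cursor-forward sequences (`ESC[34C` and friends, which rkhunter uses to align the `[ No update ]` column) with a space and strips the SGR colour sequences (`ESC[1;33m`, `ESC[0;39m`). It runs here over a constructed copy of two of the quoted lines, with the ESC bytes that the mail archive presumably dropped put back. The function names and the sample text are assumptions of mine.

```shell
#!/bin/sh
# Added example, not rkhunter's code: strip the terminal escape sequences
# that rkhunter 1.3.0 emits so its output is readable in cron mail.

# strip_ansi: filter stdin, replacing ESC[<n>C (cursor forward, used by
# rkhunter to align the "[ No update ]" column) with a single space and
# deleting every remaining ESC[...<letter> sequence (colours, resets).
strip_ansi() {
    esc=$(printf '\033')
    sed -e "s/${esc}\[[0-9]*C/ /g" \
        -e "s/${esc}\[[0-9;]*[A-Za-z]//g"
}

# sample_output: a constructed stand-in for two lines of the daily output
# quoted in the post, with the ESC bytes restored (assumed, not captured).
sample_output() {
    printf '\033[1;33mChecking rkhunter data files...\033[0;39m\n'
    printf '  Checking file mirrors.dat\033[34C[ \033[1;32mNo update\033[0;39m ]\n'
}

# Run stand-alone: print the cleaned lines.
sample_output | strip_ansi
```

Piping the cron job's output through `strip_ansi` before it is mailed keeps the alignment readable enough and removes the colour codes; later rkhunter releases also offer a `--nocolors` option for the same purpose, so check the man page of the installed version first.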
