On Tue, 2007-11-27 at 18:48 +1100, Gordy wrote:
>
> 1) My objective is to use a live cd that I can take to anyone's computer and
> have it scan a hard drive and not write to disk. So far, I have failed. Any
> assistance in the objective will be greatly appreciated.
>
> Looking at rkhunter --help I was unable to see an option --notmp or words to
> that effect.
>
Correct. RKH requires a writable temporary directory because it uses temporary files for some of the tests. In fact it won't even install unless certain directories are writable.
The rkhunter program does have a '-r' option to allow a different root directory to be specified, but support for this is a bit flaky. The initial coding of it was not complete - some tests catered for it, others didn't. Version 1.3.0 is better, but there is no guarantee that it works at all well.

I don't see that chroot is going to help. Using chroot requires that RKH is available within the jail, and if you are trying to scan a suspect disk then (a) you don't want to modify the disk at all by installing RKH onto it, and (b) you don't want to use RKH if it is already present on the disk because it may be corrupt.

The only thing I can think of is that you will probably need to create your live cd and have RKH installed on it. You will need to have the cd set up some sort of in-memory writable space, and configure RKH to use that. (If it's a live-cd then won't it already have /tmp set up as writable in memory?) Then mount the disk you want to scan read-only, and run RKH using the '-r' option. All the commands RKH requires will come from the cd, and the only tests it can perform will depend on the available commands and what files are present on the read-only disk.

However, this is going to be limited. As Uwe has already pointed out, you cannot use this for any computer simply because some commands will work on one system but not another. Taking a Linux live-cd and trying to run it on a Solaris sparc system is not going to work. Secondly, because the commands present on the live-cd are for that O/S, RKH will have to skip tests specific to any other O/S (e.g. using a Linux live-cd, RKH will have to skip some BSD/Solaris tests). You can either reconfigure RKH each time according to the system you are scanning, or just let it run through the tests and ignore any warnings you know are due to O/S incompatibilities.
Thirdly, you will probably have to disable all the tests relating to the local host and currently running processes - in particular 'hidden_procs, running_procs, deleted_files, network, group_accounts, shared_libs_path'. The 'attributes, hashes' file properties tests will only work if the 2 systems are identical, including being at the same patch level. The 'strings' test should work if you reconfigure the 'strings' command location in RKH for each O/S.

Overall I think it is possible to get some sort of scanning carried out, but it requires a bit of thought as to which tests to run or which warnings to ignore.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK     Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                  Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
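A worked version of the procedure John describes (writable scratch space in memory, suspect disk mounted read-only, RKH pointed at it with the alternate root option, host-only tests disabled), added here as an example; it is not code from the post or from the rkhunter project. It assumes the rkhunter on the live CD accepts --check, --skip-keypress, --rootdir (long form of -r), --tmpdir, --disable and --logfile, which you should confirm against your own rkhunter --help; the device name, mount points and report directory are constructed placeholders, and the mount and blockdev steps need root.

```shell
#!/bin/sh
# Added example (not from the list post or the rkhunter project): drive rkhunter from a
# live CD against a suspect disk that is mounted read-only, with all scratch space on tmpfs.
#
# Assumptions: rkhunter on the live CD accepts --check, --skip-keypress, --rootdir (long
# form of -r), --tmpdir, --disable and --logfile; verify against your own `rkhunter --help`.
# The device name, mount points and report directory are constructed placeholders.

SUSPECT_DEV="${SUSPECT_DEV:-/dev/sdb1}"      # placeholder: the suspect disk's partition
MNT="${MNT:-/mnt/suspect}"                   # where it is mounted read-only
SCRATCH="${SCRATCH:-/tmp/rkh-scratch}"       # tmpfs: RKH's temp files and log live in RAM
REPORT_DIR="${REPORT_DIR:-/tmp/rkh-reports}" # on the live CD's RAM disk, never the suspect disk

# Tests the reply lists as meaningful only on the running host; they must be skipped
# when the target is a dead disk mounted under a different root.
HOST_ONLY_TESTS="hidden_procs,running_procs,deleted_files,network,group_accounts,shared_libs_path"

# Mount options for the evidence disk: never write to it and never run anything from it.
ro_mount_opts() {
    printf 'ro,noexec,nosuid,nodev,noatime'
}

# Compose the rkhunter command line as one string so it can be reviewed (or asserted on)
# before anything is executed. Paths are assumed to contain no whitespace.
build_rkhunter_cmd() {
    rootdir="$1"; tmpdir="$2"; disabled="$3"; logfile="$4"
    printf 'rkhunter --check --skip-keypress --rootdir %s --tmpdir %s --disable %s --logfile %s' \
        "$rootdir" "$tmpdir" "$disabled" "$logfile"
}

# The actual scan: needs root, a real device and rkhunter present on the live CD.
run_scan() {
    mkdir -p "$MNT" "$SCRATCH" "$REPORT_DIR"

    # Writable space in memory for RKH's temporary files; mode 0700 keeps it private.
    mount -t tmpfs -o size=64m,mode=0700 tmpfs "$SCRATCH"

    # Belt and braces: mark the block device read-only in the kernel, then mount it ro.
    blockdev --setro "$SUSPECT_DEV"
    mount -o "$(ro_mount_opts)" "$SUSPECT_DEV" "$MNT"

    cmd=$(build_rkhunter_cmd "$MNT" "$SCRATCH" "$HOST_ONLY_TESTS" "$SCRATCH/rkhunter.log")
    echo "Running: $cmd"
    $cmd                      # word-split into arguments; exit status is rkhunter's
    status=$?

    # Keep the log before the tmpfs disappears; it never touches the suspect disk.
    cp "$SCRATCH/rkhunter.log" "$REPORT_DIR/rkhunter-$(date +%Y%m%d-%H%M%S).log"

    umount "$MNT"
    umount "$SCRATCH"
    return "$status"
}

# Only scan when invoked explicitly; sourcing the file just defines the functions.
case "${1:-}" in
    run) run_scan ;;
esac
```

Run it as `sh scan.sh run` from the live CD after adjusting SUSPECT_DEV. The 'attributes' and 'hashes' tests are left enabled here; as the reply notes they only give meaningful results when the live CD and the scanned system are at the same patch level, so add them to HOST_ONLY_TESTS when they are not, or treat their warnings as O/S mismatch noise.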
