On Sat, 2010-05-15 at 11:55 -0400, Charles wrote:
> Hi all,
>
> Ok, 1.3.4 has been running daily for months, with no warnings. I just
> updated to 1.3.6, and got a bunch of warnings... I'm hoping these are
> just a result of the upgrade, and mean that I need to edit the config
> file again - but is 1.3.6 really so much more thorough that I'm going to
> have to manually whitelist so much more?
>
Quite possibly, although I don't think much was changed about the immutable test.

I would suggest putting any changes into a 'local' config file - that is,
/etc/rkhunter.conf.local. Then next time all you have to do is update RKH
(using the installer --overwrite option) and then only need to modify your
local config file rather than the supplied config file.

> myhost : Sat May 15, 11:35:08 : /var/log
> # less rkhunter.log | grep Warning
> [11:30:28] /usr/bin/chattr [ Warning ]
> [11:30:28] Warning: File '/usr/bin/chattr' has the immutable-bit set.
> [11:30:28] /usr/bin/curl [ Warning ]
> [11:30:28] Warning: File '/usr/bin/curl' has the immutable-bit set.
>
You can either whitelist the files or disable the 'immutable' test completely.

> [11:30:55] /usr/x86_64-pc-linux-gnu/binutils-bin/2.18/strings [ Warning ]
> [11:30:55] Warning: File '/usr/x86_64-pc-linux-gnu/binutils-bin/2.18/strings' has the immutable-bit set.
> [11:32:14] Checking for string 'hdparm' [ Warning ]
> [11:32:15] Warning: Checking for possible rootkit strings [ Warning ]
> [11:32:32] Checking for hidden files and directories [ Warning ]
> [11:32:32] Warning: Hidden directory found: /dev/.lvm
>
You will need to look in the log file to see why RKH thinks 2 rootkits have
been found. The 'hdparm' one is possibly a false-positive, but that's for you
to check. It is possibly caused by 'hdparm' appearing in one of your system
startup files.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
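
As an added example, not part of this thread and not rkhunter's own code: a small POSIX shell script that pulls the flagged paths out of rkhunter.log and prints candidate lines for /etc/rkhunter.conf.local, the local file John recommends. The option names IMMUTABLE_SET and ALLOWHIDDENDIR and the space-separated list format are assumptions to be checked against the rkhunter.conf shipped with your version; the log lines in sample_log are constructed from the warnings quoted above.

```shell
#!/bin/sh
# Added example (not from the rkhunter-users thread or the rkhunter project).
# Extracts the paths behind rkhunter warnings and prints candidate entries for
# /etc/rkhunter.conf.local. ASSUMPTION: the option names IMMUTABLE_SET and
# ALLOWHIDDENDIR and the space-separated list syntax; verify them against the
# rkhunter.conf shipped with your version before using the output.

# Constructed sample log, modelled on the warnings quoted in the thread.
sample_log() {
cat <<'EOF'
[11:30:28] /usr/bin/chattr                                    [ Warning ]
[11:30:28] Warning: File '/usr/bin/chattr' has the immutable-bit set.
[11:30:28] /usr/bin/curl                                      [ Warning ]
[11:30:28] Warning: File '/usr/bin/curl' has the immutable-bit set.
[11:30:55] Warning: File '/usr/x86_64-pc-linux-gnu/binutils-bin/2.18/strings' has the immutable-bit set.
[11:32:14] Checking for string 'hdparm'                       [ Warning ]
[11:32:32] Warning: Hidden directory found: /dev/.lvm
EOF
}

# Paths rkhunter reported as carrying the immutable attribute, one per line.
immutable_files() {
    sed -n "s/^.*Warning: File '\([^']*\)' has the immutable-bit set\./\1/p"
}

# Hidden directories rkhunter found, one per line.
hidden_dirs() {
    sed -n 's/^.*Warning: Hidden directory found: //p'
}

# Rootkit strings that matched. In the thread 'hdparm' is a probable false
# positive from a startup script, so these are emitted for manual review only.
rootkit_strings() {
    sed -n "s/^.*Checking for string '\([^']*\)'.*\[ Warning \].*/\1/p"
}

# Read a log on stdin and print candidate rkhunter.conf.local lines.
# Nothing printed here should be pasted in until each path has been checked
# by hand (e.g. 'lsattr -d PATH'): whitelisting a file an intruder made
# immutable removes exactly the signal the test exists to give.
suggest_local_conf() {
    log=$(cat)
    imm=$(printf '%s\n' "$log" | immutable_files | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$imm" ]; then
        printf 'IMMUTABLE_SET="%s"\n' "$imm"
    fi
    printf '%s\n' "$log" | hidden_dirs | while read -r d; do
        printf 'ALLOWHIDDENDIR=%s\n' "$d"
    done
    printf '%s\n' "$log" | rootkit_strings | while read -r s; do
        printf '# review before whitelisting: string %s matched (try: grep -rl %s /etc/init.d /etc/conf.d)\n' "$s" "$s"
    done
}

# Demo on the constructed sample; on a real host run:
#   suggest_local_conf < /var/log/rkhunter.log
sample_log | suggest_local_conf
```

The alternative John mentions, switching the test off, is a one-line change in the same local file (DISABLE_TESTS="immutable", assuming that test name for your version); it is the cheaper fix but it also stops rkhunter noticing a new immutable binary later, so the per-file list above is the safer choice on a machine you care about.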
