On Tue, 2010-11-02 at 06:34 +0100, Patrick Gouin wrote:
> On 01/11/2010 18:51, John Horne wrote:
> > On Mon, 2010-11-01 at 17:02 +0100, Patrick Gouin wrote:
> >    
> > Okay, but why does your path have a directory name with a trailing '/'?
> > I'll see if we can put a check in to remove trailing '/'.
> >    
> That's just a copy/paste mistake, I added this path on the command line to 
> run the test.
>
Okay. The current CVS version has a fix in for it.

> >    
> Yes, I guessed how --enable and --disable work by reading the comments 
> in the config file.
> I just find it misleading. Standard users expect the command line 
> options to override the config file ones.
> 
But that in itself leads to problems. If you said

   rkhunter --enable malware

should this run the 'suspscan' test (which is part of 'malware') or not?
Most likely no, the test is disabled by default in the config file, it
can produce FPs, takes a long time to run, and causes a config error
if /dev/shm does not exist (as on non-Linux systems). So the user then
has to type in:

   rkhunter --enable malware --disable suspscan

But that is the same as the config file settings! So it made more sense
to do what 'usually' happens according to the config file - that is, if
'--disable' is not specified then the config file disabled tests would
not be run.

As said, RKH will try and do what is expected. In the above example,
what is expected is to run the malware tests *as would normally be
run*. Not to run all the malware tests, because some of them are
disabled for a reason and do not normally run. (Obviously if you have
enabled 'suspscan' in your config file, then it will run.) It would be
more misleading to run tests that are not normally run.

The same is true with the 'hidden_procs' test. Most users do not have
'unhide' installed, so rather than throw out a message saying so every
time, the test is disabled by default. If you install 'unhide' then
modify your /etc/rkhunter.conf.local and remove it from the default
disabled list. Then RKH will run unhide simply by saying

    rkhunter --enable hidden_procs




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
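
The selection rule described in this message (an `--enable` given without `--disable` still honours the config file's disabled list), as an added example that is not part of the original message and not rkhunter's own code. The function names, the `other_malware_check` group member and the sample configs are constructed for illustration; only `suspscan` belonging to `malware` and the two default-disabled tests come from the thread.

```shell
#!/bin/sh
# Added illustration (not rkhunter code): which tests run for
# "rkhunter --enable NAME..." when no --disable is given on the command line.

# Write a constructed config with the given DISABLE_TESTS value; print its path.
sample_conf() {
    f=$(mktemp) && printf 'DISABLE_TESTS="%s"\n' "$1" > "$f" && echo "$f"
}

# Expand a group name into its member tests. Only suspscan's membership of
# 'malware' comes from the thread; other_malware_check is a placeholder.
expand_group() {
    case "$1" in
        malware) echo "suspscan other_malware_check" ;;
        *)       echo "$1" ;;
    esac
}

# Collect every DISABLE_TESTS line of a config file into one list.
conf_disabled() {
    sed -n 's/^[[:space:]]*DISABLE_TESTS=//p' "$1" | tr -d '"' | tr '\n' ' '
}

# effective_tests CONF NAME...: enabled tests minus the config's disabled list.
effective_tests() {
    conf=$1; shift
    disabled=" $(conf_disabled "$conf") "
    out=""
    for name in "$@"; do
        for t in $(expand_group "$name"); do
            case "$disabled" in
                *" $t "*) ;;                      # disabled in config: skipped
                *) out="${out:+$out }$t" ;;
            esac
        done
    done
    echo "$out"
}

default=$(sample_conf "suspscan hidden_procs")    # defaults named in the thread
edited=$(sample_conf "suspscan")                  # hidden_procs removed from the list
echo "default, --enable malware:      $(effective_tests "$default" malware)"
echo "default, --enable hidden_procs: $(effective_tests "$default" hidden_procs)"
echo "edited,  --enable hidden_procs: $(effective_tests "$edited" hidden_procs)"
rm -f "$default" "$edited"
```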

