On 2023-09-13 at 14:15:53, Moritz Mühlenhoff (j...@inutil.org) wrote:
> https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7

My summary of this is: it's possible to figure out what files/ports/etc. rkhunter is looking for by looking at the log file.

That log file is:

    -rw-r----- 1 root adm 502K 13 sep 07:41 rkhunter.log

and on my machine that means only root and logcheck can see it:

    $ grep adm /etc/group
    adm:x:4:logcheck

Of course, it's also possible to find out what files/ports/etc. rkhunter is looking for by looking in /usr/share/rkhunter/scripts/ or looking at the source code (https://sourceforge.net/p/rkhunter/rkh_code/ci/develop/tree/files/).

So am I missing something here or is this simply not relevant given the rkhunter threat model of being an Open Source tool with a public database?

Francois
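
The permission check described in the message above, generalised as an added example (not part of the original mail or of rkhunter): given the mode, owner and group that `ls -l` shows for the log, it lists every account in a passwd/group database that can read it, including accounts whose primary group is the file's group, which a grep of /etc/group does not show. The `readers` and `make_sample` functions and the `backup` and `alice` accounts are hypothetical names with constructed data.

```shell
#!/bin/sh
# Added example: which local accounts can read a file, given the
# mode/owner/group that `ls -l` prints for it.

# readers MODE OWNER GROUP PASSWD_FILE GROUP_FILE
# MODE is the 10-character string from `ls -l`, e.g. -rw-r-----
readers() {
    awk -F: -v mode="$1" -v owner="$2" -v group="$3" '
        # First file (group database): remember the gid and listed members.
        FNR == NR {
            if ($1 == group) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # Second file (passwd database): the kernel applies only the first
        # matching class (owner, then group, then other); uid 0 bypasses them.
        {
            if ($3 == 0)            bit = "r"
            else if ($1 == owner)   bit = substr(mode, 2, 1)
            else if (($1 in member) || (gid != "" && $4 == gid))
                                    bit = substr(mode, 5, 1)
            else                    bit = substr(mode, 8, 1)
            if (bit == "r") print $1
        }
    ' "$5" "$4" | LC_ALL=C sort | paste -s -d ' ' -
}

# Constructed sample databases. "logcheck" in group adm matches the mail;
# "backup" (primary gid 4) and "alice" are hypothetical accounts for the demo.
make_sample() {
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'logcheck:x:101:102::/var/lib/logcheck:/usr/sbin/nologin' \
        'backup:x:105:4::/nonexistent:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'adm:x:4:logcheck' 'alice:x:1000:' > "$1/group"
}

tmp=$(mktemp -d)
make_sample "$tmp"
# Mode, owner and group as shown for rkhunter.log in the mail above.
readers -rw-r----- root adm "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Only the classic mode bits are modelled; POSIX ACLs, capabilities such as CAP_DAC_READ_SEARCH, and the permissions of parent directories are outside its scope.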