On Tue, 2007-10-23 at 17:41 +0200, Avalon wrote:
> > 
> >> Info: Starting test name 'possible_rkt_strings'
> >> Warning: Checking for possible rootkit strings  [ Warning ]
> >> No system startup files found.
> >>
> >> -> Why is this resulting in a warning if no startup file was found?
> >>
> > The test is looking for the files which start up various system
> > services. Typically the directory is something like /etc/init.d
> > or /etc/rc.d. In your case it could not find either, and a system
> > without such a directory seems suspicious. Hence the warning.
> 
> My FreeBSD has of course a directory /etc/rc.d so any idea why RKH gives 
> me a warning?
> 
Can you send me a copy of the rkhunter log file please
(probably /var/log/rkhunter.log).


> >> Info: Starting test name 'startup_malware'
> >>    Checking for local startup files   [ Warning ]
> >> Warning: No local startup files found.
> >>    Checking local startup files for malware   [ Skipped ]
> >> Warning: No local startup files found.
> >>
> >> -> Why is this resulting in a warning if no local startup file was found?
> >>
> > In this case the check is for the file used for local startup
> > modifications. Typically something like /etc/rc.d/rc.local or
> > rc.sysinit. Again, having no such file is suspicious.
> 
> As far as I know FreeBSD does not have those files and I have no idea 
> which files are the equivalent to these Linux files. So I do not know 
> what directory to set the SYSTEM_RC_DIR and LOCAL_RC_PATH to - my first 
> guess would be SYSTEM_RC_DIR=/etc/rc.d and 
> LOCAL_RC_PATH=/usr/local/etc/rc.d ?
> 
Unfortunately my NetBSD system at work is turned off at the moment, and
I won't be able to check this on that system until tomorrow. (I make the
assumption that NetBSD and FreeBSD are similar when it comes to this
test!)


> > Different systems will install SSH using different default configuration
> > values. However, the software itself defaults to allowing root logins,
> > and allowing the less secure SSH protocol version 1. Hence RKH will test
> > that these have been disabled in the sshd_config file.
> 
> This seems to be different under FreeBSD too. Both settings 
> "PermitRootLogin no" and "Protocol 2" are commented out in my 
> sshd_config, which is the default on FreeBSD. Root login is definitely 
> not permitted under FreeBSD out-of-the-box - until now I was quite sure 
> about that ;-)
> 
Either the comments in the sshd_config file or the man page for
sshd_config should be able to provide you with a definite answer as to
what the defaults are. It could be that FreeBSD modify the code, rather
than the config file, to provide more secure defaults (although that
seems like more work than just modifying a text config file!)

> Do I have to add those settings anyway so that RKH recognizes them or 
> can I skip these specific tests? Or can RKH somehow "know" the different 
> default values under FreeBSD?
> 
You can avoid the SSH tests by disabling the 'system_configs' test.
Either use '--disable system_configs' on the command-line, or add
'system_configs' to the DISABLE_TESTS option in rkhunter.conf. Note
though, that 'system_configs' includes the syslog file tests, so
disabling it will disable those tests too.

If you do not want to allow root to log in directly, and do not want to
use SSH protocol version 1, then there should be no problem adding the
options in to your sshd_config file regardless of what the defaults are.

Rather than modifying RKH to allow no specific values being set, I think
it would be better to separate the SSH tests from the syslog tests, so
it would then be possible to disable just the SSH tests.



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839
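The point about commented-out sshd_config lines, as an added example that is not part of this thread or of rkhunter itself: a POSIX shell function that reports whether a keyword is actually set in a given sshd_config, treating a line such as "#PermitRootLogin no" as unset, which is how a text-based check like RKH's sees it. It assumes whitespace-separated "Keyword value" lines and stops at the first Match block, since settings inside one are conditional rather than global.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a keyword that is present only as
# a comment ("#PermitRootLogin no") is reported as "unset".
# Assumes whitespace-separated "Keyword value" lines; stops at the first
# "Match" block, whose settings are conditional and so not global.

# Print the effective global value of keyword $2 in sshd_config $1, or
# "unset". Keywords are case-insensitive; the first uncommented occurrence
# wins, which is how sshd itself treats repeated keywords.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match"   { exit }                    # conditional section
        /^[ \t]*#/ || NF < 2     { next }                    # comment or blank
        tolower($1) == key       { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when both keywords are explicitly set to the hardened value,
# mirroring what the rkhunter 'system_configs' SSH check wants to see.
ssh_hardened() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_setting "$1" Protocol)" = 2 ]
}

# Constructed sample 1: FreeBSD-style file with both keywords commented out.
COMMENTED_CONF=$(mktemp)
cat > "$COMMENTED_CONF" <<'EOF'
#Port 22
#Protocol 2
#PermitRootLogin no
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed sample 2: the two options added explicitly, plus a Match block.
EXPLICIT_CONF=$(mktemp)
cat > "$EXPLICIT_CONF" <<'EOF'
Protocol 2
permitrootlogin no
#PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF
trap 'rm -f "$COMMENTED_CONF" "$EXPLICIT_CONF"' EXIT

sshd_setting "$COMMENTED_CONF" PermitRootLogin   # unset
sshd_setting "$EXPLICIT_CONF"  PermitRootLogin   # no
```

On a live system, `sshd -T` prints the configuration sshd actually uses, built-in defaults included, which settles what a commented-out line means on that particular OS.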

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
