[Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Avalon
Hello,

since upgrading RKHunter to the current version 1.3.0 I got multiple new 
warning messages on my FreeBSD box. I was able to get rid of many of 
them by using whitelists etc. But for some of them I have no clue how 
to suppress them.

Can anyone give me a hint how to suppress the following messages:

/usr/bin/whatis   [ Warning ]
Warning: The command '/usr/bin/whatis' has been replaced by a script: 
/usr/bin/whatis: Bourne shell script text executable


Info: Starting test name 'possible_rkt_strings'
Warning: Checking for possible rootkit strings  [ Warning ]
No system startup files found.

- Why is this resulting in a warning if no startup file was found?


Info: Starting test name 'startup_malware'
   Checking for local startup files   [ Warning ]
Warning: No local startup files found.
   Checking local startup files for malware   [ Skipped ]
Warning: No local startup files found.

- Why is this resulting in a warning if no local startup file was found?


Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
   Checking if SSH root access is allowed  [ Warning ]
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
   Checking if SSH protocol v1 is allowed  [ Warning ]
Warning: The SSH configuration option 'Protocol' has not been set.
   The default value may be '2,1', to allow the use of protocol v1.

- The default configuration in FreeBSD is already what RKHunter is 
checking for. Even if I add these settings to the /etc/ssh/sshd_config 
file the message is still the same.

Thank you for any advice,
Thomas

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users


Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hello, Avalon,

You (third-chance) wrote on 23.10.07:

 Can anyone give me a hint how to suppress the following messages:

 /usr/bin/whatis   [ Warning ]
 Warning: The command '/usr/bin/whatis' has been replaced by a script:
 /usr/bin/whatis: Bourne shell script text executable

Take /etc/rkhunter.conf, search for SCRIPTWHITELIST

 Info: Starting test name 'possible_rkt_strings'
 Warning: Checking for possible rootkit strings  [ Warning ]
 No system startup files found.

- Why is this resulting in a warning if no startup file was found?

Take /etc/rkhunter.conf, search for startup

Best regards!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread John Horne
On Tue, 2007-10-23 at 13:02 +0200, Avalon wrote:

 since upgrading RKHunter to the current version 1.3.0 I got multiple new 
 warning messages on my FreeBSD box. I was able to get rid of many of 
 them by using whitelists etc. But for some of them I have no clue how 
 to suppress them.
 
Hello,

Helmut Hullen has already pointed out that several of these can be
whitelisted in the rkhunter.conf file.

 
 Info: Starting test name 'possible_rkt_strings'
 Warning: Checking for possible rootkit strings  [ Warning ]
 No system startup files found.
 
 - Why is this resulting in a warning if no startup file was found?
 
The test is looking for the files which start up various system
services. Typically the directory is something like /etc/init.d
or /etc/rc.d. In your case it could not find either, and a system
without such a directory seems suspicious. Hence the warning.

 
 Info: Starting test name 'startup_malware'
Checking for local startup files   [ Warning ]
 Warning: No local startup files found.
Checking local startup files for malware   [ Skipped ]
 Warning: No local startup files found.
 
 - Why is this resulting in a warning if no local startup file was found?
 
In this case the check is for the file used for local startup
modifications. Typically something like /etc/rc.d/rc.local or
rc.sysinit. Again, having no such file is suspicious.

RKH will try several locations and file names, but it is possible that a
system will have these files located in a directory it does not know
about. For that reason, you can specify the locations in the
rkhunter.conf file. Look for the SYSTEM_RC_DIR and LOCAL_RC_PATH
entries.

I would be grateful if you could let me know what values you use for
these entries, so that we can include them in RKH by default.

 
 Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
Checking if SSH root access is allowed  [ Warning ]
 Warning: The SSH configuration option 'PermitRootLogin' has not been set.
 The default value may be 'yes', to allow root access.
Checking if SSH protocol v1 is allowed  [ Warning ]
 Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol v1.

Different systems will install SSH using different default configuration
values. However, the software itself defaults to allowing root logins,
and allowing the less secure SSH protocol version 1. Hence RKH will test
that these have been disabled in the sshd_config file.

The value of 'PermitRootLogin' in the sshd_config must be exactly the
same as that in the rkhunter.conf file (the ALLOW_SSH_ROOT_USER option).
Since SSH defaults to 'yes', and RKH defaults to 'no', you get a
warning. You need to set the option in the sshd_config file to some
value suitable for your requirements, and then set ALLOW_SSH_ROOT_USER
to the same value in the rkhunter.conf file. (I guess we should allow
some setting for when the 'PermitRootLogin' is unset.)

Similarly, RKH checks that only SSH protocol version 2 is enabled. Since
it was not set in the sshd_config file, and SSH defaults to it being
version 1 and 2, RKH gives a warning. You can set ALLOW_SSH_PROT_V1 in
the rkhunter.conf file if you really want to enable SSH protocol version
1 (setting it also allows versions 1 and 2 together of course).



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Avalon
Hi,

Thank you, Helmut, for your fast reply. I must have been blind when I 
was looking over the default config. I found the settings you described 
and they worked well.

Also thank you, John, for the other details, but I have some more 
questions regarding these warnings:

 Helmut Hullen has already pointed out that several of these can be
 whitelisted in the rkhunter.conf file.
 
 Info: Starting test name 'possible_rkt_strings'
 Warning: Checking for possible rootkit strings  [ Warning ]
 No system startup files found.

 - Why is this resulting in a warning if no startup file was found?

 The test is looking for the files which start up various system
 services. Typically the directory is something like /etc/init.d
 or /etc/rc.d. In your case it could not find either, and a system
 without such a directory seems suspicious. Hence the warning.

My FreeBSD has of course a directory /etc/rc.d so any idea why RKH gives 
me a warning?

 Info: Starting test name 'startup_malware'
Checking for local startup files   [ Warning ]
 Warning: No local startup files found.
Checking local startup files for malware   [ Skipped ]
 Warning: No local startup files found.

 - Why is this resulting in a warning if no local startup file was found?

 In this case the check is for the file used for local startup
 modifications. Typically something like /etc/rc.d/rc.local or
 rc.sysinit. Again, having no such file is suspicious.

As far as I know FreeBSD does not have those files and I have no idea 
which files are the equivalent to these Linux files. So I do not know 
what directory to set the SYSTEM_RC_DIR and LOCAL_RC_PATH to - my first 
guess would be SYSTEM_RC_DIR=/etc/rc.d and 
LOCAL_RC_PATH=/usr/local/etc/rc.d ?

 I would be grateful if you could let me know what values you use for
 these entries, so that we can include them in RKH by default.


 Different systems will install SSH using different default configuration
 values. However, the software itself defaults to allowing root logins,
 and allowing the less secure SSH protocol version 1. Hence RKH will test
 that these have been disabled in the sshd_config file.

This seems to be different under FreeBSD too. Both settings 
PermitRootLogin no and Protocol 2 are commented out in my 
sshd_config, which is the default on FreeBSD. Root login is definitely 
not permitted under FreeBSD out-of-the-box - until now I was quite sure 
about that ;-)

Do I have to add those settings anyway so that RKH recognizes them or 
can I skip these specific tests? Or can RKH somehow know the different 
default values under FreeBSD?

Thank you,
Thomas



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread John Horne
On Tue, 2007-10-23 at 17:41 +0200, Avalon wrote:
  
  Info: Starting test name 'possible_rkt_strings'
  Warning: Checking for possible rootkit strings  [ Warning ]
  No system startup files found.
 
  - Why is this resulting in a warning if no startup file was found?
 
  The test is looking for the files which start up various system
  services. Typically the directory is something like /etc/init.d
  or /etc/rc.d. In your case it could not find either, and a system
  without such a directory seems suspicious. Hence the warning.
 
 My FreeBSD has of course a directory /etc/rc.d so any idea why RKH gives 
 me a warning?
 
Can you send me a copy of the rkhunter log file please
(probably /var/log/rkhunter.log).


  Info: Starting test name 'startup_malware'
 Checking for local startup files   [ Warning ]
  Warning: No local startup files found.
 Checking local startup files for malware   [ Skipped ]
  Warning: No local startup files found.
 
  - Why is this resulting in a warning if no local startup file was found?
 
  In this case the check is for the file used for local startup
  modifications. Typically something like /etc/rc.d/rc.local or
  rc.sysinit. Again, having no such file is suspicious.
 
 As far as I know FreeBSD does not have those files and I have no idea 
 which files are the equivalent to these Linux files. So I do not know 
 what directory to set the SYSTEM_RC_DIR and LOCAL_RC_PATH to - my first 
 guess would be SYSTEM_RC_DIR=/etc/rc.d and 
 LOCAL_RC_PATH=/usr/local/etc/rc.d ?
 
Unfortunately my NetBSD system at work is turned off at the moment, and
I won't be able to check this on that system until tomorrow. (I make the
assumption that NetBSD and FreeBSD are similar when it comes to this
test!)


  Different systems will install SSH using different default configuration
  values. However, the software itself defaults to allowing root logins,
  and allowing the less secure SSH protocol version 1. Hence RKH will test
  that these have been disabled in the sshd_config file.
 
 This seems to be different under FreeBSD too. Both settings 
 PermitRootLogin no and Protocol 2 are commented out in my 
 sshd_config, which is the default on FreeBSD. Root login is definitely 
 not permitted under FreeBSD out-of-the-box - until now I was quite sure 
 about that ;-)
 
Either the comments in the sshd_config file or the man page for
sshd_config should be able to provide you with a definite answer as to
what the defaults are. It could be that FreeBSD modify the code, rather
than the config file, to provide more secure defaults (although that
seems like more work than just modifying a text config file!)

 Do I have to add those settings anyway so that RKH recognizes them or 
 can I skip these specific tests? Or can RKH somehow know the different 
 default values under FreeBSD?
 
You can avoid the SSH tests by disabling the 'system_configs' test.
Either use '--disable system_configs' on the command-line, or add
'system_configs' to the DISABLE_TESTS option in rkhunter.conf. Note
though, that 'system_configs' includes the syslog file tests, so
disabling it will disable those tests too.

If you do not want to allow root to log in directly, and do not want to
use SSH protocol version 1, then there should be no problem adding the
options into your sshd_config file regardless of what the defaults are.

Rather than modifying RKH to allow no specific values being set, I think
it would be better to separate the SSH tests from the syslog tests, so
it would then be possible to disable just the SSH tests.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839

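The sshd_config check John explains in his first reply (the active 'PermitRootLogin' value must equal the value configured as ALLOW_SSH_ROOT_USER, and an unset 'Protocol' is treated as possibly '2,1') and the point above that a keyword which is only commented out counts as not set, as an added shell example. This is not rkhunter's code; it assumes whitespace-separated `Keyword value` lines, OpenSSH's first-occurrence-wins rule, and a constructed sample file, with the EXPECTED argument standing in for ALLOW_SSH_ROOT_USER:

```shell
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the sshd_config
# checks described in the thread. Lines starting with '#' are comments,
# so a stock file carrying only "#PermitRootLogin no" counts as UNSET,
# which is exactly why rkhunter reports "has not been set".
# Assumptions: "Keyword value" lines separated by whitespace (the
# "Keyword=value" form is not handled), and, as in OpenSSH, the first
# active occurrence of a keyword wins.

# sshd_option FILE KEYWORD
#   Print the effective value of KEYWORD from FILE; print nothing if unset.
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }  # keywords are case-insensitive
    ' "$1"
}

# check_sshd_option FILE KEYWORD EXPECTED
#   EXPECTED plays the role of ALLOW_SSH_ROOT_USER in rkhunter.conf.
#   Returns 0 if the active value matches, 1 if it differs (the value
#   has been changed), 2 if the keyword is not set at all.
check_sshd_option() {
    have=$(sshd_option "$1" "$2")
    if [ -z "$have" ]; then
        echo "Warning: '$2' has not been set in $1"
        return 2
    fi
    have_lc=$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')
    want_lc=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$have_lc" != "$want_lc" ]; then
        echo "Warning: '$2' is '$have', expected '$3'"
        return 1
    fi
    echo "OK: '$2' is '$have'"
    return 0
}

# ssh_protocol_v1_allowed FILE
#   Returns 0 (true) when protocol v1 is allowed: either 'Protocol' is
#   unset (the thread notes the default may then be '2,1') or the list
#   contains 1. Returns 1 when only v2 is enabled.
ssh_protocol_v1_allowed() {
    proto=$(sshd_option "$1" Protocol)
    if [ -z "$proto" ]; then
        echo "Warning: 'Protocol' has not been set; the default may be '2,1'"
        return 0
    fi
    case ",$proto," in
        *,1,*) echo "Warning: 'Protocol' is '$proto', which allows v1"; return 0 ;;
        *)     echo "OK: 'Protocol' is '$proto'"; return 1 ;;
    esac
}

# demo: run the checks against a constructed file resembling a stock
# FreeBSD sshd_config, where both options appear only as comments.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin no
#Protocol 2
Subsystem sftp /usr/libexec/sftp-server
EOF
    check_sshd_option "$tmp/sshd_config" PermitRootLogin no || :
    ssh_protocol_v1_allowed "$tmp/sshd_config" || :
    rm -rf "$tmp"
}
demo
```

Running `check_sshd_option /etc/ssh/sshd_config PermitRootLogin no` on a FreeBSD box with the stock file returns 2 (unset) rather than 0, which is the situation Thomas describes; uncommenting the line turns it into a match, and a later change of the active value to 'yes' is reported as a mismatch, which is the tamper detection John describes.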


Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Avalon
Hi John,

 I would suggest checking /etc/rc.conf to see if 'local_startup' has been
 set, and then set LOCAL_RC_PATH in rkhunter.conf to that path. If it is
 not set, then look in the above directories
 (/usr/local/etc/rc.d, /usr/X11R6/etc/rc.d) to see if some local startup
 script has been set in there. It may be that you will need to set
 LOCAL_RC_PATH to several file names if the directories contain several
 files.

I added all startup scripts from /usr/local/etc/rc.d/ to LOCAL_RC_PATH 
and it works without any warnings.

 This is not ideal, but for the moment should work. As mentioned we
 should modify RKH to allow for several startup directories.

Since I have quite some scripts in that directory I would like it if a 
new version would not require adding all scripts from one directory 
manually ;-)

Thank you,
Thomas

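The procedure John suggests in the quoted text (read 'local_startup' from /etc/rc.conf, collect the scripts in those directories, and list them in LOCAL_RC_PATH), as an added shell example rather than rkhunter's own code. It assumes rc.conf carries a `local_startup="..."` line, that /usr/local/etc/rc.d is the fallback when it is unset, and that LOCAL_RC_PATH in rkhunter.conf 1.3.0 takes space-separated file names; the sample rc.conf and rc.d directory used for testing are constructed:

```shell
#!/bin/sh
# Added example, not rkhunter's own code: turn FreeBSD's local_startup
# setting into the LOCAL_RC_PATH value suggested in the thread.
# Assumptions: rc.conf holds a line like local_startup="/usr/local/etc/rc.d ..."
# (it is parsed with sed rather than sourced, so no shell code in it runs),
# the fallback directory when it is unset is /usr/local/etc/rc.d, and
# LOCAL_RC_PATH in rkhunter.conf 1.3.0 takes space-separated file names
# (check the comments in your rkhunter.conf before using the output).

# rc_local_startup RCFILE
#   Print the last local_startup assignment in RCFILE with quotes and
#   trailing comments stripped; print nothing if it is not set.
rc_local_startup() {
    if [ -r "$1" ]; then
        sed -n 's/^[[:space:]]*local_startup=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$1" \
            | sed 's/[[:space:]]*$//' | tail -n 1
    fi
}

# startup_scripts DIR...
#   List the executable regular files in each directory, one per line.
#   A missing directory is reported on stderr, mirroring rkhunter's
#   "No local startup files found" situation.
startup_scripts() {
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "Warning: startup directory $d not found" >&2
            continue
        fi
        for f in "$d"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# local_rc_path_line RCFILE
#   Print a LOCAL_RC_PATH="..." line listing every startup script found.
local_rc_path_line() {
    dirs=$(rc_local_startup "$1")
    [ -n "$dirs" ] || dirs=/usr/local/etc/rc.d   # FreeBSD default (assumption)
    set -- $dirs                                 # word-split the directory list
    files=$(startup_scripts "$@" | tr '\n' ' ')
    files=${files% }                             # drop the trailing space
    printf 'LOCAL_RC_PATH="%s"\n' "$files"
}

# Usage (review the output before adding it to rkhunter.conf):
#   local_rc_path_line /etc/rc.conf
```

Parsing rc.conf with sed instead of sourcing it matters on a machine you are auditing for rootkits: the file is shell syntax, and sourcing it from a root shell would execute whatever an attacker might have planted there.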


Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hello, John,

You (john.horne) wrote on 23.10.07:

 This seems to be different under FreeBSD too. Both settings
 PermitRootLogin no and Protocol 2 are commented out in my
 sshd_config, which is the default on FreeBSD. Root login is
 definitely not permitted under FreeBSD out-of-the-box - until now I
 was quite sure about that ;-)

 Either the comments in the sshd_config file or the man page for
 sshd_config should be able to provide you with a definite answer as
 to what the defaults are.

Where does RKH get the information from: the config file or the 
running daemon?

Best regards!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hello, Avalon,

You (third-chance) wrote on 23.10.07:

 Thank you, Helmut, for your fast reply. I must have been blind when I
 was looking over the default config. I found the settings you
 described and they worked well.

Don't mention it - I had searched for these errors some hours ago ...

 This seems to be different under FreeBSD too. Both settings
 PermitRootLogin no and Protocol 2 are commented out in my
 sshd_config, which is the default on FreeBSD. Root login is
 definitely not permitted under FreeBSD out-of-the-box - until now I
 was quite sure about that ;-)

In Linux-SSHD PermitRootLogin=yes is the default value.

Best regards!
Helmut



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread John Horne
On Tue, 2007-10-23 at 19:37 +0200, Helmut Hullen wrote:
 Hello, John,
 
 You (john.horne) wrote on 23.10.07:
 
  since upgrading RKHunter to the current version 1.3.0 i got multiple
  new warning messages on my FreeBSD box.
 
 
  Warning: No local startup files found.
 
  - Why is this resulting in a warning if no local startup file was
  found?
 
  In this case the check is for the file used for local startup
  modifications. Typically something like /etc/rc.d/rc.local or
  rc.sysinit. Again, having no such file is suspicious.
 
 Can you do some tricks with OS_VERSION_FILE?

   http://arktur.de/Wiki/Entwicklung:UIDGID#Kennungen
   http://arktur.shuttle.de/beta/Paketbau.shtml#init
 
 I have no information about the BSD names and locations, but perhaps I  
 (or someone else) could find them in packages which fit many  
 distributions, e.g. LTSP or apcupsd.
 
Rather than trying to cater for all distributions by hardcoding in
pathnames into RKH, it is easier to hardcode some of the more common
ones and then allow the user to specify in the config file any remaining
ones. This will allow FreeBSD to work. However, RKH should cater for
more than one directory (this will then allow Avalon to add the
directory rather than all the startup script filenames to the config
file).


  The value of 'PermitRootLogin' in the sshd_config must be exactly the
  same as that in the rkhunter.conf file (the ALLOW_SSH_ROOT_USER
  option). Since SSH defaults to 'yes', and RKH defaults to 'no', you
  get a warning. You need to set the option in the sshd_config file to
  some value suitable for your requirements, and then set
  ALLOW_SSH_ROOT_USER to the same value in the rkhunter.conf file. (I
  guess we should allow some setting for when the 'PermitRootLogin' is
  unset.)
 
 But when RKH can find the actual value of PermitRootLogin: why does it  
 need an entry in /etc/rkhunter.conf?
 
To see if the value has been changed. If a hacker changes your
PermitRootLogin to 'yes' in sshd_config, then you will probably want
to know about it.


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839



Re: [Rkhunter-users] Many new warnings on FreeBSD

2007-10-23 Thread Helmut Hullen
Hello, John,

You (john.horne) wrote on 23.10.07:

 But when RKH can find the actual value of PermitRootLogin: why
 does it need an entry in /etc/rkhunter.conf?

 To see if the value has been changed. If a hacker changes your
 PermitRootLogin to 'yes' in sshd_config, then you will probably
 want to know about it.

Ok - sounds reasonable.

Best regards!
Helmut
