06-08-2008, 12:45 PM
"Paulo Cavalcanti"

rkhunter aborting

Hi,

the latest rkhunter is using the following tmp file (/etc/cron.daily/rkhunter):

# Get a secure tempfile
TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` || exit 1

However, /var/rkhunter/tmp is not created by the rpm, and of course, the script always stops.

Previously, /var/run/rkhunter was being used.

My question is: what is the new version supposed to do?

Maybe it wanted to use /var/tmp/rkhunter (not /var/rkhunter/tmp) instead of writing in /var/run/rkhunter.

In this case, I also think the permission of this directory should be 700.

Another point is that rkhunter always sends messages even when there is no warning,
and sometimes it complains that there is no copy of /etc/group and /etc/passwd.

How can I fix that?

Thanks.

--
Paulo Roma Cavalcanti
LCG - UFRJ
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
06-08-2008, 10:20 PM
Kevin Fenzi

rkhunter aborting

On Sun, 8 Jun 2008 09:45:15 -0300
promac@gmail.com ("Paulo Cavalcanti") wrote:

> Hi,
>
> the latest rkhunter is using the following tmp file
> (/etc/cron.daily/rkhunter):
>
> # Get a secure tempfile
> TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` ||
> exit 1
>
> However, /var/rkhunter/tmp is not created by the rpm, and of course,
> the script always stops.
>
> Previously, /var/run/rkhunter was being used.
>
> My question is: what is the new version supposed to do?

It should be using /var/run/rkhunter.

What version is this? Output of:

rpm -q rkhunter
rpm -V rkhunter

?
>
> Maybe it wanted to use /var/tmp/rkhunter (not /var/rkhunter/tmp)
> instead of writing in /var/run/rkhunter.
> In this case, I also think the permission of this directory should be
> 700.

No, it should be using /var/run/rkhunter

> Another point is that rkhunter always sends messages even when there
> is no warning,

Correct. This is due to the idea that an email sent at run time is
harder for an intruder to be able to later modify when they compromise
the machine. Changing /var/log/rkhunter.log files is easy...

> and sometimes it complains that there is no copy of /etc/group and
> /etc/passwd.
> How can I fix that?

As the cron email says, confirm your machine is clean and do:

rkhunter --propupd

>
> Thanks.
>

kevin

 
06-09-2008, 12:04 AM
"Paulo Cavalcanti"

rkhunter aborting

2008/6/8 Kevin Fenzi <kevin@scrye.com>:

> On Sun, 8 Jun 2008 09:45:15 -0300
> promac@gmail.com ("Paulo Cavalcanti") wrote:
>
> > Hi,
> >
> > the latest rkhunter is using the following tmp file
> > (/etc/cron.daily/rkhunter):
> >
> > # Get a secure tempfile
> > TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` ||
> > exit 1
> >
> > However, /var/rkhunter/tmp is not created by the rpm, and of course,
> > the script always stops.
> >
> > Previously, /var/run/rkhunter was being used.
> >
> > My question is: what is the new version supposed to do?
>
> It should be using /var/run/rkhunter.
>
> What version is this? Output of:
>
> rpm -q rkhunter
> rpm -V rkhunter

[lua:~] rpm -q rkhunter
rkhunter-1.3.2-3.fc8.noarch
[lua:~] rpm -V rkhunter
S.?....T c /etc/rkhunter.conf
..?..... c /etc/sysconfig/rkhunter

--
Paulo Roma Cavalcanti
LCG - UFRJ
 
06-09-2008, 12:33 AM
Kevin Fenzi

rkhunter aborting

> > What version is this? Output of:
> >
> > rpm -q rkhunter
> > rpm -V rkhunter
>
> [lua:~] rpm -q rkhunter
> rkhunter-1.3.2-3.fc8.noarch
> [lua:~] rpm -V rkhunter
> S.?....T c /etc/rkhunter.conf
> ..?..... c /etc/sysconfig/rkhunter

Rats. I see the problem, the updated cron script didn't get copied
right into F-7 and F-8 branches. ;( My fault entirely...

Can you try putting this one:
http://cvs.fedoraproject.org/viewcvs/*checkout*/devel/rkhunter/01-rkhunter
in /etc/cron.daily/rkhunter ?

I'll try and get this fixed in the next few days... I am planning
updates for that script anyhow.

Thanks for pointing this out!

kevin
 
06-09-2008, 09:30 AM
"Paulo Cavalcanti"

rkhunter aborting

2008/6/8 Kevin Fenzi <kevin@scrye.com>:

> > > What version is this? Output of:
> > >
> > > rpm -q rkhunter
> > > rpm -V rkhunter
> >
> > [lua:~] rpm -q rkhunter
> > rkhunter-1.3.2-3.fc8.noarch
> > [lua:~] rpm -V rkhunter
> > S.?....T c /etc/rkhunter.conf
> > ..?..... c /etc/sysconfig/rkhunter
>
> Rats. I see the problem, the updated cron script didn't get copied
> right into F-7 and F-8 branches. ;( My fault entirely...
>
> Can you try putting this one:
> http://cvs.fedoraproject.org/viewcvs/*checkout*/devel/rkhunter/01-rkhunter
> in /etc/cron.daily/rkhunter ?
>
> I'll try and get this fixed in the next few days... I am planning
> updates for that script anyhow.

It worked. The only thing is that /var/run/rkhunter is 775.
Since the copy of /etc/passwd and /etc/group is saved there after executing
--propupd, should it not be 700?

Thanks.
--
Paulo Roma Cavalcanti
LCG - UFRJ
 
06-09-2008, 03:52 PM
Kevin Fenzi

rkhunter aborting

On Mon, 9 Jun 2008 06:30:35 -0300
promac@gmail.com ("Paulo Cavalcanti") wrote:

> 2008/6/8 Kevin Fenzi <kevin@scrye.com>:
>
> >
> > > > What version is this? Output of:
> > > >
> > > > rpm -q rkhunter
> > > > rpm -V rkhunter
> > >
> > > [lua:~] rpm -q rkhunter
> > > rkhunter-1.3.2-3.fc8.noarch
> > > [lua:~] rpm -V rkhunter
> > > S.?....T c /etc/rkhunter.conf
> > > ..?..... c /etc/sysconfig/rkhunter
> >
> > Rats. I see the problem, the updated cron script didn't get copied
> > right into F-7 and F-8 branches. ;( My fault entirely...
> >
> > Can you try putting this one:
> > http://cvs.fedoraproject.org/viewcvs/*checkout*/devel/rkhunter/01-rkhunter
> > in /etc/cron.daily/rkhunter ?
> >
> > I'll try and get this fixed in the next few days... I am planning
> > updates for that script anyhow.
> >
> > <https://www.redhat.com/mailman/listinfo/fedora-devel-list>
>
>
> It worked.

Excellent.

> The only thing is that /var/run/rkhunter is 775.
> Since the copy of /etc/passwd and /etc/group is saved there after
> executing --propupd,
> should it not be 700?

Well, anyone can read /etc/passwd and /etc/group directly right?

> Thanks.

kevin
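
The two directory questions in this thread (a mktemp target that the package never created, and the mode of the state directory), as an added example that is not part of any message above and not the Fedora cron script. Function names are hypothetical, and treating a group- or world-writable directory as a failure is this example's own policy, not the package's.

```shell
#!/bin/bash
# Added example, not the Fedora rkhunter cron script. Function names are
# hypothetical; rejecting group/world-writable directories is an assumption.

# check_state_dir DIR
# Returns 0 if DIR is a real directory (not a symlink), owned by the calling
# user, and not writable by group or others. Returns 1, 2 or 3 otherwise.
check_state_dir() {
    dir=$1
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "state dir missing or not a plain directory: $dir" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "state dir not owned by uid $(id -u): $dir" >&2
        return 2
    fi
    # -prune stops find from descending; the -perm tests match a set
    # group-write or other-write bit on the directory itself.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "state dir writable by group or others: $dir" >&2
        return 3
    fi
    return 0
}

# ensure_state_dir DIR
# Creates DIR with mode 700 when nothing exists at that path, then validates
# it. An existing directory is never chmod'ed silently; a bad one is reported.
ensure_state_dir() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then
        mkdir -m 700 "$1" || return 1
    fi
    check_state_dir "$1"
}

# secure_tmpfile DIR PREFIX
# Prints the path of a new temp file inside DIR, or fails with the
# check_state_dir status and a message on stderr naming the reason.
secure_tmpfile() {
    check_state_dir "$1" || return $?
    mktemp -p "$1" "$2.XXXXXXXXXX"
}

# Usage in a cron script (path taken from the thread):
#   TMPFILE1=$(secure_tmpfile /var/run/rkhunter rkhcronlog) || exit 1
```
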
 

All times are GMT.