* Russ Fineman <russbucket@nwi.net> [01-25-09 22:31]:
On Sunday 25 January 2009 06:55:39 pm Russ Fineman wrote:
I'm getting the following warnings from rkhunter. I know you can whitelist them, etc. My question is: how does the everyday user know if the command script found is a valid warning or a valid change that should be whitelisted?
Forgot to attach messages:

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
[11:23:37] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
Warning: Suspicious file types found in /dev:
[11:24:41] /dev/shm/sysconfig/ifup-eth0: ASCII text
[11:24:41] /dev/shm/sysconfig/if-eth0: ASCII text
[11:24:41] /dev/shm/sysconfig/ifup-lo: ASCII text
[11:24:41] /dev/shm/sysconfig/if-lo: ASCII text
[11:24:41] /dev/shm/sysconfig/network: ASCII text
[11:24:42] /dev/shm/sysconfig/config-lo: ASCII text
[11:24:42] /dev/shm/sysconfig/config-eth0: ASCII text
[11:24:42] /dev/shm/sysconfig/new-stamp-2: ASCII text
[11:24:42] Checking for hidden files and directories [ Warning ]
[11:24:42] Warning: Hidden directory found: /dev/.udev
rkhunter is not suse'fied; it does not appreciate the openSUSE file locations. /sbin/chkconfig has not been "replaced by a script" but has been a script on SuSE/openSUSE for many distributions, as has ldd, and so have the "ASCII text" files below /dev/shm/sysconfig, etc., etc., etc. So, you may whitelist them, but then, if a rootkit did change one of them, you would not know. But rootkit will not tell you either way on an openSUSE box :^(

--
Patrick Shanahan
Plainfield, Indiana, USA
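One way to answer the original question (is the script the distribution's own, or a change?) without relying on rkhunter's whitelist is to ask the package manager: on openSUSE every shipped file is recorded in the RPM database with a digest, so `rpm -qf` tells you whether any package owns the file and `rpm -V` tells you whether its contents still match. The script below is an added example, not code from the thread or from rkhunter; the `rpm -V` sample it classifies is constructed, and `check_command` only works on a host that has `rpm`.

```sh
#!/bin/sh
# Added example: triage rkhunter "replaced by a script" findings against the
# RPM database. A file that a package owns and whose digest still verifies is
# what the distribution shipped; a file no package owns, or whose digest has
# changed, should be examined before it is whitelisted.

# classify_rpm_verify reads `rpm -V` output on stdin and prints one line per
# path: CHANGED (digest or size differ), MISSING (file gone), or ATTR_ONLY
# (only mode/owner/group/mtime differ, e.g. an edited config or a touch).
# Files that verify cleanly produce no rpm -V output at all.
classify_rpm_verify() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line##* }            # last token is the path (after optional c/d/g/l marker)
        case $line in
            missing*)       printf 'MISSING %s\n' "$path" ;;
            *)
                flags=${line%% *}   # nine-character flag field, e.g. S.5....T.
                case $flags in
                    *5*|*S*) printf 'CHANGED %s\n' "$path" ;;   # 5 = digest, S = size
                    *)       printf 'ATTR_ONLY %s\n' "$path" ;;
                esac ;;
        esac
    done
}

# check_command PATH: UNOWNED if no package claims PATH, VERIFIED if the owning
# package's record for PATH still matches, otherwise the classification above.
check_command() {
    cmd=$1
    if ! pkg=$(rpm -qf "$cmd" 2>/dev/null); then
        printf 'UNOWNED %s\n' "$cmd"; return 1
    fi
    result=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $cmd" | classify_rpm_verify)
    [ -n "$result" ] && printf '%s (package %s)\n' "$result" "$pkg" && return 1
    printf 'VERIFIED %s (package %s)\n' "$cmd" "$pkg"
}

# Constructed sample of rpm -V output (not taken from the poster's machine).
SAMPLE_RPM_V='S.5....T.    /sbin/chkconfig
.......T.  c /etc/sysconfig/network
missing     /sbin/ifup'

# demo classifies the constructed sample; see the shell for live use:
#   for f in /usr/bin/ldd /sbin/chkconfig /sbin/ifup; do check_command "$f"; done
demo() { printf '%s\n' "$SAMPLE_RPM_V" | classify_rpm_verify; }
```

Files under /dev/shm/sysconfig are runtime state rather than packaged files, so `rpm -qf` will report them as unowned; that is expected on openSUSE and is exactly the case Patrick describes, not evidence of tampering by itself.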