Gentoo Forums
rkhunter & Gentoo
hujuice
Guru


Joined: 16 Oct 2007
Posts: 346
Location: Nicosia, Cyprus

PostPosted: Sun Jan 24, 2010 1:26 pm    Post subject: rkhunter & Gentoo

While checking my system(s) with rkhunter, I had to modify the default configuration file as follows.
I believe that my configuration is due to "typical" Gentoo customizations (amd64).

Please, help me (us) to verify / improve this list with a community purpose:
Code:

# Allow the specified commands to be scripts.
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/lwp-request

# Allow the specified hidden directories.
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.lvm

The last line, obviously, makes sense (?) only if you have LVM installed.

Do you think that this list is correct?
What should Gentoo users add in different situations?

Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Jimmy Jazz
Guru


Joined: 04 Oct 2004
Posts: 333
Location: Strasbourg

PostPosted: Thu Jan 28, 2010 11:16 am    Post subject: Re: rkhunter & Gentoo

hujuice wrote:
While checking my system(s) with rkhunter, I had to modify the default configuration file as follows.
I believe that my configuration is due to "typical" Gentoo customizations (amd64).

Please, help me (us) to verify / improve this list with a community purpose:
Code:

# Allow the specified commands to be scripts.
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/lwp-request

# Allow the specified hidden directories.
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.lvm

The last line, obviously, makes sense (?) only if you have LVM installed.

Do you think that this list is correct?
What should Gentoo users add in different situations?

Regards,
HUjuice


Here is a more complete one:

Code:

AUTO_X_DETECT=1
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan"
PKGMGR=NONE
USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.pamauth.otp
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.lvm
ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
ALLOWPROCDELFILE=/usr/sbin/fcron
ALLOWPROCDELFILE=/usr/bin/gnome-terminal
ALLOWPROCDELFILE=/usr/bin/nautilus
ALLOWPROCDELFILE=/usr/sbin/apache2
ALLOWPROCDELFILE=/usr/sbin/mysqld
ALLOWPROCDELFILE=/bin/bash
ALLOWPROMISCIF="eth0"
PHALANX2_DIRTEST=0
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/suspscan.*.strings
XINETD_ALLOWED_SVC=/etc/xinetd.d/echo-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/echo-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/saned
XINETD_ALLOWED_SVC=/etc/xinetd.d/chargen-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/chargen-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/daytime-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/daytime-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/git-daemon
XINETD_ALLOWED_SVC=/etc/xinetd.d/rsyncd
STARTUP_PATHS="/etc/init.d"
PASSWORD_FILE=/etc/shadow
SYSLOG_CONFIG_FILE=/etc/syslog-ng/syslog-ng.conf
ALLOW_SYSLOG_REMOTE_LOGGING=1
APP_WHITELIST="openssl:0.9.8l gpg apache:2.2.14"
SUSPSCAN_DIRS="/tmp /var/tmp /var/www /var/log/apache2"
SUSPSCAN_TEMP=/dev/shm
PORT_WHITELIST="TCP:25 /usr/sbin/squid"
RTKT_FILE_WHITELIST="/etc/init.d/pciparm /etc/init.d/hdparm"
WARN_ON_OS_CHANGE=1
SHOW_LOCK_MSGS=1


Don't forget to update the file properties database as well:

Code:
rkhunter --propupd

_________________
« La seule condition au triomphe du mal, c'est l'inaction des gens de bien » E.Burke
Code:

+----+----+----+
|    |::::|    |
|    |::::|    |
+----+----+----+

motto: WeLCRO
WritE Less Code, Repeat Often
noclear2000
Apprentice


Joined: 21 Jun 2006
Posts: 153
Location: Germany

PostPosted: Mon Aug 12, 2013 4:36 pm    Post subject:

Hi there!

I know this is an age-old post, however let me revive it.

I stumbled across this post when configuring rkhunter for my new Gentoo installation. After some tweaking it looks just fine, with one exception:
Code:

[18:32:01] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:32:01]   Checking /dev for suspicious file types         [ Warning ]
[18:32:01] Warning: Suspicious file types found in /dev:
[18:32:02]          /dev/.mdadm/map: ASCII text
[18:32:02] Info: Found hidden directory '/dev/.mdadm': it is whitelisted.
[18:32:02]   Checking for hidden files and directories       [ None found ]
[18:32:04]


My config for that part is:
Code:

ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENFILE="/dev/.mdadm/map"


As you can see, the ALLOWHIDDENDIR directive results in this directory being whitelisted as expected, but ALLOWHIDDENFILE for /dev/.mdadm/map is not. I also made sure to run:
Code:

rkhunter --propupd


Any ideas?

Cheers
noclear2000
Apprentice


Joined: 21 Jun 2006
Posts: 153
Location: Germany

PostPosted: Wed Sep 18, 2013 11:05 am    Post subject:

Hi,

Just today I finally solved the problem with /dev/.mdadm/map. Maybe it helps someone else if I post it here.

Only ALLOWHIDDENFILE or only ALLOWDEVFILE in /etc/rkhunter.conf does not work on its own. Adding both works:
Code:

ALLOWHIDDENFILE=/dev/.mdadm/map
ALLOWDEVFILE=/dev/.mdadm/map

Cheers
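Whitelists like the ones collected in this thread silence rkhunter warnings for good, so entries that point at paths that no longer exist, or that use wildcards, deserve a periodic review. The following is an added example, not rkhunter's code or anything posted in the thread: it parses the repeated-key rkhunter.conf format (quoted values, comments, "!" exclusions kept verbatim) and audits the whitelist keys. It also flags the /dev/.mdadm/map situation described above, where a hidden file under /dev needs both ALLOWHIDDENFILE and ALLOWDEVFILE. The SAMPLE_CONF text and the paths treated as present are constructed for the demonstration; the `exists` callback is an assumption that lets the audit run against a fake filesystem.

```python
import os
from collections import defaultdict

# Constructed rkhunter.conf fragment in the style used in the thread (not a real file).
SAMPLE_CONF = """\
# Allow the specified commands to be scripts.
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENFILE="/dev/.mdadm/map"
ALLOWDEVFILE=/dev/shm/pulse-shm-*
USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
"""

# Keys whose values are path whitelists; a repeated key accumulates values.
WHITELIST_KEYS = ("SCRIPTWHITELIST", "ALLOWHIDDENDIR", "ALLOWHIDDENFILE",
                  "ALLOWDEVFILE", "ALLOWPROCDELFILE")


def parse_conf(text):
    """Parse KEY=value lines into {key: [values]}; quotes stripped, comments skipped."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()].append(value.strip().strip('"\''))
    return conf


def audit_whitelists(conf, exists=os.path.exists):
    """Return (key, path, reason) findings for entries worth a second look."""
    findings = []
    for key in WHITELIST_KEYS:
        for path in conf.get(key, []):
            if any(ch in path for ch in "*?["):
                findings.append((key, path, "wildcard: whitelists every future match"))
            elif not exists(path):
                findings.append((key, path, "stale: path does not exist"))
    hidden, dev = set(conf.get("ALLOWHIDDENFILE", [])), set(conf.get("ALLOWDEVFILE", []))
    # A hidden file under /dev is checked by two tests, so it needs both directives.
    for path in hidden - dev:
        if path.startswith("/dev/"):
            findings.append(("ALLOWHIDDENFILE", path, "also needs ALLOWDEVFILE"))
    for path in dev - hidden:
        if path.startswith("/dev/") and "/." in path:
            findings.append(("ALLOWDEVFILE", path, "also needs ALLOWHIDDENFILE"))
    return findings


if __name__ == "__main__":
    for key, path, reason in audit_whitelists(parse_conf(SAMPLE_CONF)):
        print(f"{key}={path}: {reason}")
```

Run it against the real file with `parse_conf(open("/etc/rkhunter.conf").read())` and the default `exists` to review a live configuration.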
ShadowCat8
Apprentice


Joined: 07 Oct 2008
Posts: 173
Location: San Bernardino, CA, USA

PostPosted: Wed Sep 25, 2013 7:43 pm    Post subject:

Okay.

I agree with many of those... Especially /usr/bin/lwp-request which is required by git.

How about adding these? :)

Code:
[10:56:16]   Checking system startup files for malware       [ Warning ]
[10:56:16] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Knark Rootkit
...<snip>...
[10:56:17]   Checking /dev for suspicious file types         [ Warning ]
[10:56:17] Warning: Suspicious file types found in /dev:
[10:56:17]          /dev/mdev.seq: ASCII text, with no line terminators


As a note, the Knark false-positive is discussed in this thread. And, I know that the /dev/mdev.seq is a legacy, orphaned file on my system because I am currently running udev-204, but those that do run mdev might appreciate it being whitelisted.

HTH. Let us know.
_________________

"As far as the laws of mathematics refer to reality, they are not
certain, and as far as they are certain, they do not refer to reality."

-- Albert Einstein