
Re: rkhunter aborting



On Sun, 8 Jun 2008 09:45:15 -0300
promac gmail com ("Paulo Cavalcanti") wrote:

> Hi,
> 
> the latest rkhunter is using the following tmp file
> (/etc/cron.daily/rkhunter):
> 
> # Get a secure tempfile
> TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` ||
> exit 1
> 
> However, /var/rkhunter/tmp is not created by the rpm, and of course,
> the script always stops.
> 
> Previously, /var/run/rkhunter was being used.
> 
> My question is: what is the new version supposed to do?

It should be using /var/run/rkhunter. 

What version is this? Output of: 

rpm -q rkhunter
rpm -V rkhunter

?
> 
> Maybe it wanted to use /var/tmp/rkhunter (not /var/rkhunter/tmp)
> instead of writing in /var/run/rkhunter.
> In this case, I also think the permission of this directory should
> be 700.

No, it should be using /var/run/rkhunter
 
> Another point is that rkhunter always sends messages even when there
> is no warning,

Correct. This is due to the idea that an email sent at run time is
harder for an intruder to be able to later modify when they compromise
the machine. Changing /var/log/rkhunter.log files is easy... 

> and sometimes it complains that there is no copy of /etc/group and
> /etc/passwd.
> How can I fix that?

As the cron email says, confirm your machine is clean and do: 

rkhunter --propupd

> 
> Thanks.
> 

kevin
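
The cron fragment quoted in this message stops because the directory given to mktemp -p does not exist, and the thread also raises mode 700 for that directory. As an added example (not code from the rkhunter package or from either poster), a shell function that checks the directory before creating the temp file. The name secure_tmpfile, its return codes and the set of checks are assumptions; stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: validate the temp directory before calling mktemp.
# secure_tmpfile is a hypothetical helper, not part of rkhunter.
# Usage: secure_tmpfile DIR [TEMPLATE]
# Prints the new file's path on stdout; on failure returns non-zero
# and writes the reason to stderr.
secure_tmpfile() {
    dir=$1
    template=${2:-rkhcronlog.XXXXXXXXXX}

    # A symlink could redirect the file to a location someone else controls.
    if [ -L "$dir" ]; then
        echo "secure_tmpfile: $dir is a symlink" >&2
        return 2
    fi
    # The failure described in the thread: the directory was never created.
    if [ ! -d "$dir" ]; then
        echo "secure_tmpfile: $dir does not exist" >&2
        return 3
    fi
    # Must be owned by the user running the job (root under cron).
    owner=$(stat -c %u "$dir") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "secure_tmpfile: $dir is owned by uid $owner" >&2
        return 4
    fi
    # Mode 700: no access for group or others.
    mode=$(stat -c %a "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "secure_tmpfile: $dir has mode $mode, expected 700" >&2
        return 5
    fi
    mktemp -p "$dir" "$template"
}
```

In a cron script this would be called as `TMPFILE1=$(secure_tmpfile /var/run/rkhunter) || exit 1`, so a missing or loosely permissioned directory is reported in the cron mail with its cause.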


