rkhunter aborting
Kevin Fenzi
kevin at scrye.com
Sun Jun 8 22:20:49 UTC 2008
On Sun, 8 Jun 2008 09:45:15 -0300
promac at gmail.com ("Paulo Cavalcanti") wrote:
> Hi,
>
> the latest rkhunter is using the following tmp file
> (/etc/cron.daily/rkhunter):
>
> # Get a secure tempfile
> TMPFILE1=`/bin/mktemp -p /var/rkhunter/tmp rkhcronlog.XXXXXXXXXX` ||
> exit 1
>
> However, /var/rkhunter/tmp is not created by the rpm, and of course,
> the script always stops.
>
> Previously, /var/run/rkhunter was being used.
>
> My question is: what is the new version supposed to do?
It should be using /var/run/rkhunter.
What version is this? Output of:
rpm -q rkhunter
rpm -V rkhunter
?
>
> Maybe it wanted to use /var/tmp/rkhunter (not /var/rkhunter/tmp)
> instead of writing in /var/run/rkhunter.
> In this case, I also think the permission of this directory should
> be 700.
No, it should be using /var/run/rkhunter
> Another point is that rkhunter always sends messages even when there
> is no warning,
Correct. This is due to the idea that an email sent at run time is
harder for an intruder to be able to later modify when they compromise
the machine. Changing /var/log/rkhunter.log files is easy...
> and sometimes it complains that there is no copy of /etc/group and
> /etc/passwd.
> How can I fix that?
As the cron email says, confirm your machine is clean and do:
rkhunter --propupd
>
> Thanks.
>
kevin
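
The failure described in this thread (mktemp -p pointed at a directory that was never created, so the cron job exits at the tempfile step) can be avoided by checking the directory before calling mktemp. The following is an added example, not code from the rkhunter package or from either poster; the function name make_cron_tmpfile, its return codes, and the choice to create the directory with mode 700 are assumptions of the example.

```shell
#!/bin/sh
# Added example: guard the "secure tempfile" step of a root cron job.
# make_cron_tmpfile and its return codes are hypothetical names.

# make_cron_tmpfile DIR PREFIX
# Prints the path of a new temp file under DIR. On failure, says why on
# stderr (so cron mails the reason) and returns non-zero.
make_cron_tmpfile() {
    dir=$1
    prefix=$2

    # Refuse a symlink: a root job must not be redirected elsewhere.
    if [ -L "$dir" ]; then
        echo "tmpdir $dir is a symlink, refusing" >&2
        return 2
    fi

    # The case from the thread: the directory does not exist.
    if [ ! -d "$dir" ]; then
        # umask 077 makes the new directory owner-only from the start.
        ( umask 077 && mkdir -p "$dir" ) || {
            echo "cannot create tmpdir $dir" >&2
            return 3
        }
    fi

    # Enforce owner-only access on a pre-existing directory as well.
    chmod 700 "$dir" || {
        echo "cannot set mode 700 on $dir" >&2
        return 4
    }

    # Same mktemp form as the cron script: random suffix, atomic create.
    mktemp -p "$dir" "$prefix.XXXXXXXXXX" || {
        echo "mktemp failed in $dir" >&2
        return 5
    }
}
```

A cron script would call it as `TMPFILE1=$(make_cron_tmpfile /var/run/rkhunter rkhcronlog) || exit 1`, using the directory named in the reply above.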