[SOLVED]Rkhunter again - rkhunter.log

Discussion in 'Linux Beginners' started by Taxick, May 28, 2023.

  1. Taxick

    Taxick Member

    Hi :)
    In this post, I got this code.
    Code:
    grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log | awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"
    If I go to this dir: /var/log and run the above command, I get no output.
    It usually posts info about what to allow in my config file.
    There is a file called /var/log/rkhunter.log
    I hope someone can help me.

    EDIT: I don't know if it's another command when I use ISPConfig?

    EDIT 2: It's a newly installed Ubuntu server.

    EDIT 3: Any time I run rkhunter, I get a mail with this warning -> Please inspect this machine, because it may be infected. - I have tried to run: "sudo /usr/bin/rkhunter --propupd"

    EDIT 4:
    On my old server it prints me output like this if I run the first command in this post.
     
    Last edited: May 28, 2023
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    You're grepping for /dev/shm/.* in rkhunter.log; if it doesn't exist, then there's nothing to return, or to pipe into the following commands.

    If you're trying to set it to allow or ignore the existence of those files, it should be set in /etc/rkhunter.conf anyway, not in /var/log/rkhunter.log.

    You'll get warnings, on screen if rkhunter's run manually, or via email, if rkhunter scans find any issue, whether that be with any files, processes, or configs.
    rkhunter --propupd will update the checksums for any changed files, so it won't warn about them. rkhunter will still warn, however, if it finds processes using excessively large amounts of RAM, or root SSH access being allowed if the rkhunter configuration file settings don't match the sshd.config settings, or various other things it may find, unless it's configured to allow or ignore them.
    Read through the logfiles, find what it's warning about and then address that issue.
     
  3. Taxick

    Taxick Member

    Hi :)
    Thanks for the reply.
    I'm trying to ignore files and dirs - like the below files from my old server:
    Code:
    # Dirs
    
    ALLOWHIDDENDIR=/etc/.java
    
    # SCRIPTWHITELIST
    
    SCRIPTWHITELIST=/usr/bin/egrep
    SCRIPTWHITELIST=/usr/bin/fgrep
    SCRIPTWHITELIST=/usr/bin/ldd
    SCRIPTWHITELIST=/usr/sbin/adduser
    SCRIPTWHITELIST=/usr/bin/which.debianutils
    
    # DEVFILE
    
    ALLOWDEVFILE=/dev/shm/mono.*
    ALLOWDEVFILE=/dev/shm/sem.netdata_sem_cgroup_ebpf
    ALLOWDEVFILE=/dev/shm/netdata_shm_cgroup_ebpf
    ALLOWDEVFILE=/dev/shm/PostgreSQL.*
    Of course, I will add it to this file: /etc/rkhunter.conf - but I don't know what to add to the file!
    On my old server, I could run this command and it will show what to add to the /etc/rkhunter.conf:
    Code:
    grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' rkhunter.log | awk '{print "ALLOWDEVFILE="$2}' | sed -e "s|:$||g"
    Where can I find what to add to the /etc/rkhunter.conf?

    EDIT: Yes, I'm new to Linux :)
     
    Last edited: May 29, 2023
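The grep pipeline from the posts above, plus the check nhybgtvfr's reply implies (compare what the log flags against what /etc/rkhunter.conf already allows), as an added example; it is not code from the thread or from rkhunter, and the log and conf contents it uses are constructed samples in rkhunter's layout:

```shell
#!/bin/sh
# Added example, not code from the thread. It does what the posted grep does
# (pull /dev/shm paths out of rkhunter.log as ALLOWDEVFILE= lines) and then
# reports which of them the rkhunter.conf does not already cover.
# The log and conf contents below are constructed samples in rkhunter's layout.
SAMPLE_LOG=$(mktemp)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:00:01] Warning: Suspicious file types found in /dev:
[10:00:01]          /dev/shm/PostgreSQL.1234: data
[10:00:01]          /dev/shm/sem.netdata_sem_cgroup_ebpf: data
[10:00:02] Info: Checking for hidden files and directories
EOF
cat > "$SAMPLE_CONF" <<'EOF'
ALLOWDEVFILE=/dev/shm/PostgreSQL.*
EOF

# One ALLOWDEVFILE= line per /dev/shm path the log flagged; same grep as
# the thread's command, with awk stripping the trailing colon itself.
devfile_candidates() {
    grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' "$1" |
        awk '{ sub(/:$/, "", $2); print "ALLOWDEVFILE=" $2 }' | sort -u
}

# Only the candidates not yet matched by an ALLOWDEVFILE entry in the conf.
# Entries are globs (e.g. /dev/shm/PostgreSQL.*), so they are compared with
# `case`; runs in a subshell with set -f so the globs are never expanded
# against the real filesystem.
missing_from_conf() (
    set -f
    allowed=$(sed -n 's/^ALLOWDEVFILE=//p' "$2")
    devfile_candidates "$1" | while IFS= read -r line; do
        path=${line#ALLOWDEVFILE=}
        matched=0
        for pat in $allowed; do
            case $path in $pat) matched=1 ;; esac
        done
        [ "$matched" -eq 1 ] || echo "$line"
    done
)

echo "# all /dev/shm candidates from the log:"
devfile_candidates "$SAMPLE_LOG"
echo "# still missing from the conf:"
missing_from_conf "$SAMPLE_LOG" "$SAMPLE_CONF"
```

Run against the real files with `devfile_candidates /var/log/rkhunter.log` and `missing_from_conf /var/log/rkhunter.log /etc/rkhunter.conf`; the second list is what still needs adding, and an unexpected path in it is something to look at rather than allow.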
  4. Taxick

    Taxick Member

    After some time on google, I found a solution!
     
