rkhunter warnings: Hidden Processes and Processes Listening On The Network

-
logfile-/var/log/rkhunter.log starts
[partial starts]
19:19:36] Info: Starting test name 'running_procs'
[19:19:39]   Checking running processes for suspicious files [ None found ]
[19:19:39]
[19:19:39] Info: Starting test name 'hidden_procs'
[19:19:39] Info: Unable to find the 'unhide' command
[19:19:39] Info: Unable to find the 'unhide-linux' command
[19:19:39]   Checking for hidden processes                   [ Skipped ]
[partial ends]
logfile-var/log/rkhunter.log ends

What rkhunter is telling you here is that it is unable to unhide the process because your system is lacking an application, "unhide" and "unhide-tcp". Install it first with : #pacman -S unhide unhide-tcp #to install unhide and unhide-tcp, forensic tools

Running rkhunter this time it gave me this bit of warning.

logfile-/var/log/rkhunter.log starts
[partial starts]
[19:19:46] Info: Starting test name 'packet_cap_apps'
[19:19:46]   Checking for packet capturing applications      [ Warning ]
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[partial ends]
logfile-/var/log/rkhunter.log ends

dhcpcd and wpa_supplicant are valid services obviously. So to whitelist these processes in /etc/rkhunter.conf all I did was to remove the #.

file-/etc/rkhunter.conf starts
[partial starts]
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
ALLOWPROCLISTEN=/usr/bin/wpa_supplicant
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
[partial ends]
file-/etc/rkhunter.conf ends

Running rkhunter again I get this non-warnings.

logfile-/var/log/rkhunter.log starts
[partial starts]
[20:00:48] Info: Starting test name 'hidden_ports'
[20:00:48] Info: Found the 'unhide-tcp' command: /usr/bin/unhide-tcp 
[20:00:48]   Checking for hidden ports                       [ None found ]
[20:00:48]
[20:00:48] Performing checks on the network interfaces
[20:00:48] Info: Starting test name 'promisc'
[20:00:48]   Checking for promiscuous interfaces             [ None found ]
[20:00:48]
[20:00:48] Info: Starting test name 'packet_cap_apps'
[20:00:49]   Checking for packet capturing applications      [ None found ]
[20:00:49] Info: Found process '/usr/bin/dhcpcd': it is whitelisted.
[20:00:49] Info: Found process '/usr/bin/wpa_supplicant': it is whitelisted.
[partial ends]
logfile-/var/log/rkhunter.log ends

Important: After modifying /etc/rkhunter.conf run #rkhunter -C to check the config file.
Post a Comment

Popular posts from this blog

GnuCash In Arch Linux

-
I updated a number of packages today and Gnucash won't start. I immediately went to the Archlinux website to see what's happening. I can't seem to find the package in the community repo. There's a thread in AUR on how to compile Gnucash by hand no AUR helpers.

But I tried to compile goffice and webkit2, needed packages for Gnucash-git. No. It doesn't work for me.

Funny but I'm now using my Android Tablet with Gnucash app to record transactions. This is working. We need to have the stable GnuCash back. This is a stop gap on my part. Transactions don't stop when computers stop. Please don't make me go back to paper.
Read more

America Must Evolve Fast Or Die

-
Image
This was a music festival concert venue in Las Vegas, Nevada. A shooter in the 32nd floor of a nearby hotel across the general area opened fire then shot himself. He killed 59 people in what reports call the biggest mass shooting in modern American history to date.
America must learn from the lessons of previous mass shootings otherwise this tragedy will happen again. Reasonable animals evolve when their lives and the life of the pack or group are threatened. They change how they face the problem and not just move on. They don't dismiss reality. They recognize the problem and listen to reason. For those who say nothing can be done, you're wrong. There is something America can do. It is not premature to talk about gun control. This is the time to talk about it.

Read more

Update for Spectre And Meltdown, A Script for Checking Your System

-
I found a very nice program to run and check if my computer is vulnerable to Spectre and Meltdown. It is now March 2018. Two months after the initial reports of the vulnerabilities against computer processors, what is the state of security with regard to these two vulnerabilities?
Thank you to this script by Stephen Lesimple. The link is a git clone link. It will download everything in its directory. Inspect the script before running it as root.
There are no options. It will check your system against 3 CVE's made for the "speculative execution" vulnerability. This is my output.
Spectre and Meltdown mitigation detection tool v0.35
Checking for vulnerabilities on current systemKernel is Linux 4.15.5-1-ARCH #1 SMP PREEMPT Thu Feb 22 22:15:20 UTC 2018 x86_64CPU is Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
Hardware check* Hardware support (CPU microcode) for mitigation techniques  * Indirect Branch Restricted Speculation (IBRS)    * SPEC_CTRL MSR is available:  YES     * CPU indica…
Read more