logfile-/var/log/rkhunter.log starts
[partial starts]
19:19:36] Info: Starting test name 'running_procs'
[19:19:39] Checking running processes for suspicious files [ None found ]
[19:19:39]
[19:19:39] Info: Starting test name 'hidden_procs'
[19:19:39] Info: Unable to find the 'unhide' command
[19:19:39] Info: Unable to find the 'unhide-linux' command
[19:19:39] Checking for hidden processes [ Skipped ]
[partial ends]
logfile-var/log/rkhunter.log ends
What rkhunter is telling you here is that it is unable to unhide the process because your system is lacking an application, "unhide" and "unhide-tcp". Install it first with : #pacman -S unhide unhide-tcp #to install unhide and unhide-tcp, forensic tools
Running rkhunter this time it gave me this bit of warning.
logfile-/var/log/rkhunter.log starts
[partial starts]
[19:19:46] Info: Starting test name 'packet_cap_apps'
[19:19:46] Checking for packet capturing applications [ Warning ]
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/dhcpcd' (PID 527) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[19:19:46] Warning: Process '/usr/bin/wpa_supplicant' (PID 565) is listening on the network.
[partial ends]
logfile-/var/log/rkhunter.log ends
dhcpcd and wpa_supplicant are valid services obviously. So to whitelist these processes in /etc/rkhunter.conf all I did was to remove the #.
file-/etc/rkhunter.conf starts
[partial starts]
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWPROCLISTEN=/sbin/dhclient
ALLOWPROCLISTEN=/usr/bin/dhcpcd
ALLOWPROCLISTEN=/usr/bin/wpa_supplicant
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
[partial ends]
file-/etc/rkhunter.conf ends
Running rkhunter again I get this non-warnings.
logfile-/var/log/rkhunter.log starts
[partial starts]
[20:00:48] Info: Starting test name 'hidden_ports'
[20:00:48] Info: Found the 'unhide-tcp' command: /usr/bin/unhide-tcp
[20:00:48] Checking for hidden ports [ None found ]
[20:00:48]
[20:00:48] Performing checks on the network interfaces
[20:00:48] Info: Starting test name 'promisc'
[20:00:48] Checking for promiscuous interfaces [ None found ]
[20:00:48]
[20:00:48] Info: Starting test name 'packet_cap_apps'
[20:00:49] Checking for packet capturing applications [ None found ]
[20:00:49] Info: Found process '/usr/bin/dhcpcd': it is whitelisted.
[20:00:49] Info: Found process '/usr/bin/wpa_supplicant': it is whitelisted.
[partial ends]
logfile-/var/log/rkhunter.log ends
Important: After modifying /etc/rkhunter.conf run #rkhunter -C to check the config file.
