0

We have here a CentOS 7 server with rkhunter installed. Since yesterday we get the following rkhunter warning:

```
[01:10:30] Info: Starting test name 'packet_cap_apps'
[01:10:30]   Checking for packet capturing applications      [ Warning ]
[01:10:30] Warning: Process '/usr/sbin/NetworkManager' (PID 4654) is listening on the network.
```

Is there a way to whitelist `/usr/sbin/NetworkManager` for the `packet_cap_apps` test?

Steffen

2 Answers

1

In rkhunter.conf there is an option to disable tests on certain apps with the `DISABLE_TESTS` parameter, where you can add the apps that you don't want to be tested as a space-separated value. Alternatively, you can use the `SCRIPTWHITELIST` option to whitelist `/usr/sbin/NetworkManager` in case you still want to run tests on `packet_cap_apps`.

AHT
  • `SCRIPTWHITELIST` is what I want! :-) I know `SCRIPTWHITELIST` but didn't know that I can also use that for the `packet_cap_apps` check. Thx. – Steffen Dec 05 '18 at 16:52
  • rkhunter documentation is not the best ;-) I was in your shoes when I first started using it. Glad it works. – AHT Dec 06 '18 at 11:36
  • After some days the error is back again. Not sure why. Error is: `Warning: Process '/usr/sbin/NetworkManager' (PID 4656) is listening on the network`. `NetworkManager` is whitelisted with: `SCRIPTWHITELIST=/usr/sbin/NetworkManager`. However, I have disabled the test now by adding `packet_cap_apps` to `DISABLE_TESTS`. – Steffen Dec 09 '18 at 10:53
  • One way to test would be to kill the process. In case this happens again, try to run a manual test with verbosity and check the logs; this might lead you to the cause. – AHT Dec 10 '18 at 09:33
1

You'll want to use the `ALLOWPROCLISTEN` directive instead of `SCRIPTWHITELIST`:

```
ALLOWPROCLISTEN=/usr/sbin/NetworkManager
```

Regards,

Michael

mbw
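An added example (not from either answer, and not rkhunter's own code): a small shell audit that reads an rkhunter log and config and reports, for each process flagged as listening on the network, whether `ALLOWPROCLISTEN` covers it, and whether `packet_cap_apps` sits in `DISABLE_TESTS`, which silences the check for every process rather than for one binary. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check which rkhunter "listening on the network" warnings are
# covered by ALLOWPROCLISTEN, and whether packet_cap_apps was switched off.

# conf_values OPTION FILE: print each space-separated value of OPTION, one per line.
conf_values() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr -s ' \t' '\n' | sed '/^$/d'
}

# flagged_listeners LOG: unique process paths from packet_cap_apps warnings.
flagged_listeners() {
  sed -n "s/.*Warning: Process '\([^']*\)' (PID [0-9]*) is listening on the network.*/\1/p" "$1" | sort -u
}

# audit CONF LOG: one status line per finding.
audit() {
  if conf_values DISABLE_TESTS "$1" | grep -qx 'packet_cap_apps'; then
    echo "DISABLED packet_cap_apps"   # every packet-capture warning is now suppressed
  fi
  flagged_listeners "$2" | while read -r proc; do
    if conf_values ALLOWPROCLISTEN "$1" | grep -qxF -- "$proc"; then
      echo "ALLOWED $proc"
    else
      echo "UNLISTED $proc"            # will keep warning while the test is enabled
    fi
  done
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/rkhunter.conf" <<'EOF'
SCRIPTWHITELIST=/usr/sbin/NetworkManager
DISABLE_TESTS=suspscan packet_cap_apps
EOF
cat > "$demo/rkhunter.log" <<'EOF'
[01:10:30] Info: Starting test name 'packet_cap_apps'
[01:10:30] Warning: Process '/usr/sbin/NetworkManager' (PID 4654) is listening on the network.
[01:10:30] Warning: Process '/usr/sbin/NetworkManager' (PID 4656) is listening on the network.
EOF

audit "$demo/rkhunter.conf" "$demo/rkhunter.log"
# Apply the fix from the second answer, re-enable the test, and audit again.
printf 'DISABLE_TESTS=suspscan\nALLOWPROCLISTEN=/usr/sbin/NetworkManager\n' > "$demo/fixed.conf"
audit "$demo/fixed.conf" "$demo/rkhunter.log"
```

To run it on real data, pass `audit` the host's own rkhunter config and log paths instead of the sample files.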