RootKit Hunter Warnings on Mac OS X

1

Just executed rkhunter on my new MBP which runs a freshly installed Mac OS X and I get the following warnings:

Checking for passwd file changes [ Warning ]

Checking for group file changes [ Warning ]

Checking if syslog remote logging is allowed [ Warning ]

Checking for hidden files and directories [ Warning ]

Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, from Unix

Should I just ignore them?

Stella Peristeraki

Posted 2009-07-15T12:40:40.967

Reputation:

Answers

1

These warnings can be quite benign. Passwd, group and syslog changes can be quite normal in the usage of the system, for example, adding users and groups.

The hidden file is part of the Man packages, so I wouldn't worry too much as Man uses a lot of compressed files in gz format.

Bottom line is, even if you ignore them, how can you be sure they are not dangerous? You need complete understanding of the output to interpret it.

Imagine someone setting up a complex IDS but with no idea of how to interpret the logs. That is the biggest danger.

Aiden Bell

Posted 2009-07-15T12:40:40.967

Reputation: 692
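The point above about understanding the output applies especially to the passwd and group warnings: rkhunter only reports that the file changed, not what changed. As an added example (not from the question or either answer), this POSIX shell snippet compares a saved copy of /etc/passwd against the current one and flags any account that gained UID 0; the two snapshots are constructed sample data, not real files.

```shell
# Constructed sample snapshots standing in for a saved baseline copy of
# /etc/passwd and the file as it looks now.
baseline_passwd() {
  cat <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
stella:********:501:20:Stella:/Users/stella:/bin/bash
EOF
}
current_passwd() {
  cat <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
stella:********:501:20:Stella:/Users/stella:/bin/zsh
_mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
backdoor:*:0:0:helper:/var/root:/bin/sh
EOF
}

# passwd_diff BASELINE_FILE CURRENT_FILE
# Prints one line per differing account: "ADDED", "REMOVED" or "CHANGED"
# followed by the user name, with " UID0" appended when a non-root entry
# carries uid 0 (the case that is never a routine user/group change).
passwd_diff() {
  awk -F: '
    FNR == NR { base[$1] = $0; next }        # first file: remember baseline
    {
      cur[$1] = $0
      if (!($1 in base)) tag = "ADDED"
      else if (base[$1] != $0) tag = "CHANGED"
      else next                              # identical entry, nothing to say
      flag = ($3 == 0 && $1 != "root") ? " UID0" : ""
      print tag, $1 flag
    }
    END { for (u in base) if (!(u in cur)) print "REMOVED", u }
  ' "$1" "$2" | LC_ALL=C sort
}

# Demo run against the constructed snapshots.
demo_dir=$(mktemp -d)
baseline_passwd > "$demo_dir/passwd.baseline"
current_passwd > "$demo_dir/passwd.current"
passwd_diff "$demo_dir/passwd.baseline" "$demo_dir/passwd.current"
rm -rf "$demo_dir"
```

The same function works unchanged on /etc/group snapshots, since only the first field (name) and the third (numeric id) are used.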

1

rkhunter tends to produce a lot of false positives. Better safe than sorry for a server, but frustrating and confusing for the average computer user.

I don't mean to be cavalier, but unless you are using your laptop in some pretty unusual ways, it's exceedingly unlikely that you have a rootkit on it. So my answer is "Yes, ignore it." Frankly, I wouldn't use rkhunter at all on a laptop - assuming the laptop gets normal laptop use (so to speak) and isn't a server on the weekends or a peer-to-peer hub. (I would, however, check the firewall settings, practice safe browsing, be careful about files from other people, etc.)

Telemachus

Posted 2009-07-15T12:40:40.967

Reputation: 5 695