主页 / ubuntu / 问题 / 605038
Accepted
user364819
Asked: 2015-04-04 12:55:36 +0800 CST

为什么 rkhunter 会跳过空的和丢失的日志文件扫描?

  • 772

我注意到在扫描我的机器时:

sudo rkhunter --checkall --sk

日志文件中的那部分输出是:

[21:50:51]   Checking for missing log files                  [ Skipped ]
[21:50:51]   Checking for empty log files                    [ Skipped ]
[21:50:51]
[21:50:51] Info: Test 'apps' disabled at users request.

为什么跳过其中一些测试?我怎么才能不跳过它们呢?还有它是什么意思Test 'apps' disabled at users request,因为我没有要求它不要测试任何东西?

操作系统信息:

Description:    Ubuntu 14.10
Release:    14.10

包装信息:

rkhunter:
  Installed: 1.4.0-3
  Candidate: 1.4.0-3
  Version table:
 *** 1.4.0-3 0
        500 http://gb.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
        100 /var/lib/dpkg/status
rkhunter

1 个回答

  1. Best Answer

    首先,根据联机帮助页 --checkall,这不是一个有效的命令。大概rkhunter解释为只是--check

    检查丢失和空的日志文件由文件系统测试执行。两者都是用户定义的检查;您必须告诉rkhunter它应该检查哪些日志文件。这是以下的相关部分/etc/rkhunter.conf

    # The two options below may be used to check if a file is missing or empty
# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
# if the file is missing, since that can be interpreted as a file of no size.
# However, the file will only be reported as missing if the MISSING_LOGFILES
# option hasn't already done this.
#
# Both options are space-separated lists of pathnames, and may be specified
# more than once.
#
# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
# perfectly possible for the file to be either missing or empty. As such these
# options may produce false-positive warnings when log files are rotated.
#
# For both options the default value is the null string.
#
#EMPTY_LOGFILES=""
#MISSING_LOGFILES=""

    我认为这是不言自明的。

    关于Test 'apps' disabled at users requestinfo message,答案也在/etc/rkhunter.conf。这是你应该看的地方:

    # These two options determine which tests are to be performed. The ENABLE_TESTS
# option can use the word 'ALL' to refer to all of the available tests. The
# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
# be specified more than once. The currently available test names can be seen
# by using the command 'rkhunter --list tests'.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered 'advanced'
# or that are prone to produce more than the average number of false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# The default values are to enable all tests and to disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
# hidden_procs test requires the unhide and/or unhide.rb commands which are
# part of the unhide respectively unhide.rb packages in Debian.
#
# apps test is disabled by default as it triggers warnings about outdated
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps

    如果您真的想运行所有测试,您可以从DISABLE_TESTS要运行的测试的名称中删除或将它们全部替换为。NONE或者,您可以告诉rkhunter运行所有测试:

    sudo rkhunter --sk --enable all --disable none
    • 3

相关问题