RKhunter does not run all checks

Can someone tell me how to configure/force rkhunter to check everything on my system? Even when I run rkhunter --checkall, checks are skipped:

Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for hidden processes                            [ Skipped ]

Applications checks...
    All checks skipped

Answer 1

For whatever reason, when I used the --checkall modifier my applications scan was skipped, because in my /etc/rkhunter.conf file the DISABLE_TESTS option included "apps" by default. Removing it lets my applications be scanned.

#
# These two options determine which tests are to be performed. The ENABLE_TESTS
# option can use the word 'ALL' to refer to all of the available tests. The
# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
# be specified more than once. The currently available test names can be seen
# by using the command 'rkhunter --list tests'.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered 'advanced'
# or that are prone to produce more than the average number of false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# The default values are to enable all tests and to disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
ENABLE_TESTS=ALL
#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps ipc_shared_mem

For anyone "new" to rkhunter

https://sourceforge.net/ <-- has the main support/information for rkhunter

I would also suggest that you:
1.) Comment out (#) DISABLE_TESTS in /etc/rkhunter.conf
2.) Set up a test server with VirtualBox (duplicating an equivalent environment) and run checksums to verify false positives
3.) Use the various forms of "whitelist" in /etc/rkhunter.conf to clear all warnings
4.) Install the Linux application called "unhide" so that hidden ports and hidden directories can be scanned
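To see the combined effect of the ENABLE_TESTS / DISABLE_TESTS lines before running a scan, here is an added shell example (not rkhunter's own code) that reads a conf file and reports whether a named test is enabled under the rules quoted in the config comments above. The function names and the embedded sample config are constructed for this example, and rkhunter's test-group names are not expanded.

```shell
#!/bin/bash
# Constructed example, not rkhunter's own code: decide whether a test name is
# effectively enabled from the ENABLE_TESTS / DISABLE_TESTS lines of a
# rkhunter.conf-style file. Rules: both options are space-separated lists, may
# appear more than once, accept the keywords ALL / NONE, and the disabled list
# is applied after the enabled list. Test-group names are NOT expanded here.

# Print, space-separated, every value given for option $2 in file $1
# (uncommented lines only; prints nothing when the option is absent).
rkh_option_values() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//" \
        | tr '\n' ' '
}

# Usage: rkh_test_enabled <conf-file> <test-name>; returns 0 if enabled, 1 if not.
rkh_test_enabled() {
    local conf=$1 name=$2 enabled disabled t on=1
    enabled=$(rkh_option_values "$conf" ENABLE_TESTS)
    disabled=$(rkh_option_values "$conf" DISABLE_TESTS)
    # Program defaults when an option is not given: enable all, disable none.
    if [ -z "$enabled" ]; then enabled=ALL; fi
    if [ -z "$disabled" ]; then disabled=NONE; fi
    for t in $enabled; do
        if [ "$t" = ALL ] || [ "$t" = "$name" ]; then on=0; fi
    done
    # The disabled list overrides the enabled list, so a match here wins.
    for t in $disabled; do
        if [ "$t" = ALL ] || [ "$t" = "$name" ]; then on=1; fi
    done
    return "$on"
}

# Write a constructed config fragment (the lines quoted in the answer) to a
# temp file and print its path, so this runs without a real /etc/rkhunter.conf.
rkh_sample_conf() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
ENABLE_TESTS=ALL
#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps ipc_shared_mem
EOF
    echo "$f"
}

# Report the tests the question asked about: apps and hidden_procs are enabled
# by this config; hidden_ports is DISABLED by the live DISABLE_TESTS line.
conf=$(rkh_sample_conf)
for n in apps hidden_procs hidden_ports; do
    if rkh_test_enabled "$conf" "$n"; then echo "$n: enabled"; else echo "$n: DISABLED"; fi
done
```

hidden_procs comes out enabled for the sample even though the question's run skipped it; that check also depends on the unhide tool mentioned in point 4, so a "Skipped" result is not always a DISABLE_TESTS problem.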
