ELS - Easy Linux Security script

Hello, can you explain why I get the following message when I install chkrootkit using ELS:
====================================================
els --chkrootkit

ELS can now install CHKROOTKIT.
Proceed? (y/n): y
Downloading CHKROOTKIT...
Download Successful!
MD5 matches.
Extracting...
Extraction Successful!
Installing...
chkwtmp.c: In function ‘main’:
chkwtmp.c:95: warning: incompatible implicit declaration of built-in function ‘exit’
CHKROOTKIT Install Completed Successfully!

Thanks.
 
Hello, here is one more.

I installed "rootloginmail" with ELS and the next time I logged in to my box I got the following message:
==============================================
The program 'mail' can be found in the following packages:
* mailx
* mailutils
Try: apt-get install <selected package>
Make sure you have the 'universe' component enabled
-bash: mail: command not found
==============================================

I suppose that it is something missing in my system. :)

Can I do "apt-get install mailx mailutils" without messing things up? :confused:
 
Yes digi. I do get chkrootkit mail but not rkhunter. Either of those 2 are inside /etc/crontab.
 
Eeek! I ran this script on a CentOS 5 box to secure tmp. Shortly after that, the box went down. I didn't even reboot it, it just died on me. I hope it wasn't a result of what happened here. I hope it comes back up after the reboot. Didn't even have a chance to look at fstab yet.

/usr/local/bin/els: line 1554: [: =: unary operator expected
ELS can secure your /tmp, /var/tmp, and /dev/shm partitions.
Proceed? (y/n): y
No /tmp partition in /etc/fstab.
No /tmp partition mounted.
Backing up current fstab...
Successfully backed up as '/usr/local/els/bakfiles/fstab.bak'!
Making extended filesystem for /tmp... (this may take a few moments)
524288+0 records in
524288+0 records out
536870912 bytes (537 MB) copied, 18.1044 seconds, 29.7 MB/s
Please press "y" when prompted...
mke2fs 1.39 (29-May-2006)
/var/tmpFS is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
131072 inodes, 524288 blocks
26214 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Stopping MySQL: [ OK ]
mv: cannot stat `/tmp/*': No such file or directory
mv: cannot move `/tmp/.' to `/tmp_backup/.': Device or resource busy
mv: cannot remove `/tmp/..': Is a directory
Mounting /tmp...
mv: cannot stat `/tmp_backup/*': No such file or directory
mv: inter-device move failed: `/tmp_backup/.' to `/tmp/.'; unable to remove target: Is a directory
mv: cannot remove `/tmp_backup/..': Is a directory
Done.
Starting MySQL: [ OK ]
Done. /tmp has been secured.

Found /var/tmp partition in /etc/fstab.
/etc/fstab already backed up as /usr/local/els/bakfiles/fstab.bak
Modifying /etc/fstab...
Done.
Remounting /var/tmp...
[mntent]: line 8 in /etc/fstab is bad
mount: can't find /var/tmp in /etc/fstab or /etc/mtab
Done.
You should check '/etc/fstab' before you reboot your system!!!

Found /dev/shm partition in /etc/fstab.
Backing up current configuration file...
/etc/fstab already backed up as /usr/local/els/bakfiles/fstab.bak
Modifying /etc/fstab...
Done.
Remounting /dev/shm...
[mntent]: line 2 in /etc/fstab is bad
[mntent]: line 4 in /etc/fstab is bad
[mntent]: line 5 in /etc/fstab is bad
[mntent]: line 6 in /etc/fstab is bad
[mntent]: line 7 in /etc/fstab is bad; rest of file ignored
mount: can't find /dev/shm in /etc/fstab or /etc/mtab
Done.
You should check '/etc/fstab' before you reboot your system!!!

This is what fstab looked like before

Code:
/dev/md0  /  ext3  grpquota,usrquota,rw  0  1
LABEL=/boot             /boot                   ext3    defaults        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
LABEL=SWAP-hdc1         swap                    swap    defaults        0 0

This is what it looks like now

Code:
/dev/md0  /  ext3  grpquota,usrquota,rw  0  1
LABEL=/boot             /boot                   ext3    tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        0 0
proc                    /proc                   proc    tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        0 0
sysfs                   /sys                    sysfs   tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        0 0
LABEL=SWAP-hdc1         swap                    swap    tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        0 0
/var/tmpFS /tmp ext3 /var/tmpFS /tmp ext3 rw,noexec,nosuid,nodev,bind 0 0 0 0
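Before rebooting a box on which a hardening script has just rewritten /etc/fstab, it pays to check the file the way mount's mntent parser will read it rather than only eyeballing it. The Python below is an added example, not part of ELS or of this thread: it takes the post-ELS fstab quoted above as a constructed sample, flags every line that does not have six fields with numeric dump/pass values, and reports whether /tmp, /var/tmp and /dev/shm end up with noexec,nosuid,nodev at all (the HARDENED and WANT_OPTS sets are this example's assumptions about what the script intends).

```python
HARDENED = {"/tmp", "/var/tmp", "/dev/shm"}   # mount points ELS tries to secure
WANT_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed sample: the post-ELS /etc/fstab quoted in this thread, trimmed.
BROKEN_FSTAB = """\
/dev/md0  /  ext3  grpquota,usrquota,rw  0  1
LABEL=/boot             /boot                   ext3    tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   tmpfs
/dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0        0 0
/var/tmpFS /tmp ext3 /var/tmpFS /tmp ext3 rw,noexec,nosuid,nodev,bind 0 0 0 0
"""


def check_fstab(text):
    """Return [(line_number, message), ...]; line 0 = no usable entry at all.

    A line needs six fields (spec, mount point, fstype, options, dump, pass)
    with numeric dump/pass; mount points are unique; HARDENED ones need WANT_OPTS.
    """
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            problems.append((n, f"{len(fields)} fields, expected 6"))
            continue
        _spec, mnt, _fstype, opts, dump, passno = fields
        if not (dump.isdigit() and passno.isdigit()):
            problems.append((n, f"dump/pass not numeric: {dump} {passno}"))
            continue
        if mnt in seen:
            problems.append((n, f"{mnt} already defined on line {seen[mnt]}"))
        seen.setdefault(mnt, n)
        if mnt in HARDENED:
            missing = WANT_OPTS - set(opts.split(","))
            if missing:
                problems.append((n, f"{mnt} missing {','.join(sorted(missing))}"))
    for mnt in sorted(HARDENED - set(seen)):
        problems.append((0, f"{mnt} has no fstab entry"))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_fstab(BROKEN_FSTAB):
        print(f"line {lineno}: {msg}")
```

Run against the sample it reports every line the script mangled and that none of the three directories has a usable entry left, which is exactly the state to restore from the backup before rebooting.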
 
els --rkhuntercron

does not create the cron job in /etc/cron.daily. No filter there.
 
I was further reading and the script is indeed in /etc/cron.daily/rkhunter.sh

Code:
#!/bin/bash
(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])

now, running it shows:

Code:
Default logfile will be used (/var/log/rkhunter.log).
Default temporary directory will be used (/usr/local/rkhunter/lib/rkhunter/tmp).
Default database directory will be used (/usr/local/rkhunter/lib/rkhunter/db).
The internationalisation directory does not exist: /usr/local/rkhunter/lib/rkhunter/db/i18n

So I'm guessing it's not installed correctly. Any ideas on how to fix it?

Smtalk, is this script still supported?

Thanks
 
Yes, it's still supported. rkhunter and /tmp problems should be fixed in 3.0.0.3 version of it.
 
Yes, it's still supported. rkhunter and /tmp problems should be fixed in 3.0.0.3 version of it.


els --securepartitions

Secure /tmp function is temporary disabled on CentOS 5.

How do I reverse what has already been done? See the output above.
 
Just copy this file to /etc/fstab: /usr/local/els/bakfiles/fstab.bak.
 
Now when I try to log in I get this after using this script:

server is up but websites are down
DA is down
when using SSH I get this
/tmp/RsmQLB8e: Read-only file system

I still have SFTP but it won't let me chmod to 777.
 
OK, I'm trying to contact tech to see if they can do it for me because I can't SSH to it.
when using SSH I get this
/tmp/RsmQLB8e: Read-only file system
and no commands work

Or anything I can overwrite with SFTP?
 
I would be nervous to use this script due to all the issues I have seen.

I think, smtalk, you should break the script up a bit. You're trying to install everything with one script. Why not create two separate scripts, one that is 100% stable and known to have no issues, and the next that is beta?
 
I'm getting these errors from CentOS 5 64-bit from APF

Code:
[root@server apf]# /etc/init.d/apf stop
/etc/apf/conf.apf: line 6: APF: command not found
/etc/apf/conf.apf: line 10: NOTE:: command not found
/etc/apf/conf.apf: line 12: if: command not found
/etc/apf/conf.apf: line 14: syntax error near unexpected token `('
/etc/apf/conf.apf: line 14: `IG_TCP_CPORTS="21,22,25,53,80,110,143,443,993,995,2222,3306,35000_35999"#       (e.g: pico -w filename)'
/etc/apf/internals/internals.conf: line 59: /internals/rab.ports: No such file or directory
/etc/apf/internals/internals.conf: line 61: /internals/functions.apf: No such file or directory
Stopping APF:/etc/apf/conf.apf: line 6: APF: command not found
/etc/apf/conf.apf: line 10: NOTE:: command not found
/etc/apf/conf.apf: line 12: if: command not found
/etc/apf/conf.apf: line 14: syntax error near unexpected token `('
/etc/apf/conf.apf: line 14: `IG_TCP_CPORTS="21,22,25,53,80,110,143,443,993,995,2222,3306,35000_35999"#       (e.g: pico -w filename)'
/usr/local/sbin/apf: line 181: flush: command not found


and when starting back up

Code:
[root@server apf]# /etc/init.d/apf start
/etc/apf/conf.apf: line 6: APF: command not found
/etc/apf/conf.apf: line 10: NOTE:: command not found
/etc/apf/conf.apf: line 12: if: command not found
/etc/apf/conf.apf: line 14: syntax error near unexpected token `('
/etc/apf/conf.apf: line 14: `IG_TCP_CPORTS="21,22,25,53,80,110,143,443,993,995,2222,3306,35000_35999"#       (e.g: pico -w filename)'
/etc/apf/internals/internals.conf: line 59: /internals/rab.ports: No such file or directory
/etc/apf/internals/internals.conf: line 61: /internals/functions.apf: No such file or directory
Starting APF:/etc/apf/conf.apf: line 6: APF: command not found
/etc/apf/conf.apf: line 10: NOTE:: command not found
/etc/apf/conf.apf: line 12: if: command not found
/etc/apf/conf.apf: line 14: syntax error near unexpected token `('
/etc/apf/conf.apf: line 14: `IG_TCP_CPORTS="21,22,25,53,80,110,143,443,993,995,2222,3306,35000_35999"#       (e.g: pico -w filename)'
/usr/local/sbin/apf: line 136: eout: command not found
/usr/local/sbin/apf: line 138: /internals/.last.full: No such file or directory
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
/usr/local/sbin/apf: line 152: devm: command not found
/usr/local/sbin/apf: line 154: /vnet/vnetgen: No such file or directory
/usr/local/sbin/apf: line 156: /firewall: No such file or directory
/usr/local/sbin/apf: line 160: bandmin: command not found
/usr/local/sbin/apf: line 162: eout: command not found
/usr/local/sbin/apf: line 168: /internals/.apf.restore: No such file or directory
/usr/local/sbin/apf: line 169: eout: command not found
                                                           [  OK  ]
 
OK, I'm trying to contact tech to see if they can do it for me because I can't SSH to it.
when using SSH I get this
/tmp/RsmQLB8e: Read-only file system
and no commands work

Or anything I can overwrite with SFTP?


I have the same problem too, please help me out, or do I need to reinstall the OS?
 