Might I start off again with effusive praise for John, unspawn, and any other 
maintainers of RKH.  The design of the program makes tweaking it extremely 
easy and, of course, we can sleep just a little easier each night knowing 
that RKH is watching over our systems.

Now, my questions:

Again on a CentOS 3.8 box, I get the following:

Warning: Package manager verification has failed:
         File: /sbin/depmod
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /sbin/init
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /sbin/insmod
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /sbin/modinfo
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /sbin/runlevel
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /sbin/syslogd
         The file permissions have changed
Warning: Package manager verification has failed:
         File: /usr/sbin/tcpd
         The file permissions have changed
Warning: Suspicious files found in /dev:
         /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

I suspect that the warnings regarding e.g. /sbin/depmod may have to do with 
Bastille settings.  That being the case, I'd like to whitelist these.  I 
think I would use the "RTKT_FILE_WHITELIST" directive.  Do I add a separate 
line for each file, or do I add each file, space separated, on a single line?

Regarding the suspicious files found in /dev, I get that on all my CentOS 3.8 
boxes.  I tried whitelisting this with the "ALLOWDEVFILE" directive, but no 
joy.  How would I whitelist this?

Many thanks, as always.

Dimitri

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
