On Wed, 2007-09-26 at 08:53 -0400, Dimitri Yioulos wrote:
> Warning: Package manager verification has failed:
>          File: /usr/sbin/tcpd
>          The file permissions have changed
> Warning: Suspicious files found in /dev:
>          /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1
> (SYSV),
> for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
>
> I suspect that the warnings regarding e.g. /sbin/depmod may have to do with
> Bastille settings. That being the case, I'd like to whitelist these. I
> think I would use the "RTKT_FILE_WHITELIST" directive.
>
No, the "RTKT_FILE_WHITELIST" option is for specific instances where a
rootkit is being checked. It does not apply here.

You are using RPM verification, as such there is no whitelisting. You
either trust the RPM database or you don't. If the RPM files have
changed because of Bastille then you can't use the RPM database. You
will have to let RKH default to using MD5/SHA1 verification. To do this
remove, or comment out, the PKGMGR option in your config file. Then run
'rkhunter --propupd'.

>
> Regarding the suspicious files found in /dev, I get that on all my CentOS 3.8
> boxes. I tried whitelisting this with the "ALLOWDEVFILE" directive, but no
> joy. How would I whitelist this?
>
This is odd. We have CentOS 5 systems, and Fedora ones which have
/dev/MAKEDEV in them. However, RKH has no problem with that because they
are symbolic links, hence I have not had to whitelist them on any
system. The "ALLOWDEVFILE" option should whitelist the file if
necessary.

As a start, could you run 'ls -l /dev/MAKEDEV' to see if it is a
symbolic link or not. If it isn't then could you run 'file /dev/MAKEDEV'
as well, and send me the output.

Thanks.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 233839

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
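
Added example (not part of the message above and not rkhunter's own code): a shell approximation of the distinction the reply draws, where a regular file under /dev is reported unless it is on an allow list, while a symbolic link is not reported at all. The function names dev_suspects and classify_entry, the scratch directory standing in for /dev, and the symlink target are assumptions made for this illustration.

```shell
#!/bin/sh
# Illustration only: approximates a "suspicious files in /dev" style check.
# It is not how rkhunter is implemented.

# dev_suspects DIR [ALLOWED_PATH...]
# Prints regular files under DIR that are not on the allow list.
# find does not follow symbolic links by default, so links and device
# nodes never match -type f and are never reported.
dev_suspects() {
    dir=$1
    shift
    find "$dir" -type f 2>/dev/null | sort | while IFS= read -r path; do
        allowed=no
        for ok in "$@"; do
            if [ "$path" = "$ok" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then printf '%s\n' "$path"; fi
    done
}

# classify_entry PATH
# Answers the same question as 'ls -l PATH': link, regular file, or other.
classify_entry() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Constructed sample: a scratch directory standing in for /dev.
demo() {
    d=$(mktemp -d)
    printf 'x' > "$d/MAKEDEV"               # regular file: gets reported
    ln -s /sbin/MAKEDEV "$d/MAKEDEV.link"   # symlink (constructed target): skipped
    echo "MAKEDEV is a $(classify_entry "$d/MAKEDEV") file entry"
    echo "reported without allow list:"; dev_suspects "$d"
    echo "reported with MAKEDEV allowed:"; dev_suspects "$d" "$d/MAKEDEV"
    rm -rf "$d"
}
demo
```

On a real host the equivalent manual check is the 'ls -l /dev/MAKEDEV' and 'file /dev/MAKEDEV' pair requested in the reply.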