On Wednesday 26 September 2007 9:51 am, John Horne wrote:
> On Wed, 2007-09-26 at 08:53 -0400, Dimitri Yioulos wrote:
> > Warning: Package manager verification has failed:
> > File: /usr/sbin/tcpd
> > The file permissions have changed
> > Warning: Suspicious files found in /dev:
> > /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1
> > (SYSV),
> > for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
> >
> > I suspect that the warnings regarding e.g. /sbin/depmod may have to do
> > with Bastille settings. That being the case, I'd like to whitelist
> > these. I think I would use the "RTKT_FILE_WHITELIST" directive.
>
> No, the "RTKT_FILE_WHITELIST" option is for specific instances where a
> rootkit is being checked. It does not apply here.
>
> You are using RPM verification, as such there is no whitelisting. You
> either trust the RPM database or you don't. If the RPM files have
> changed because of Bastille then you can't use the RPM database. You
> will have to let RKH default to using MD5/SHA1 verification. To do this
> remove, or comment out, the PKGMGR option in your config file. Then run
> 'rkhunter --propupd'.
>
> > Regarding the suspicious files found in /dev, I get that on all my CentOS
> > 3.8 boxes. I tried whitelisting this with the "ALLOWDEVFILE" directive,
> > but no joy. How would I whitelist this?
>
> This is odd. We have CentOS 5 systems, and Fedora ones which
> have /dev/MAKEDEV in them. However, RKH has no problem with that because
> they are symbolic links, hence I have not had to whitelist them on any
> system. The "ALLOWDEVFILE" option should whitelist the file if
> necessary.
>
> As a start, could you run 'ls -l /dev/MAKEDEV' to see if it is a
> symbolic link or not. If it isn't then could you run 'file /dev/MAKEDEV'
> as well, and send me the output. Thanks.
>
>
> John.
>
> --
<CLIP>
/dev/MAKEDEV is not a symlink. Output of "file /dev/MAKEDEV":

/dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Dimitri

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
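As an added illustration of the distinction John draws above (this is example code written for this page, not rkhunter's own check and not from the thread): a small POSIX sh audit that reports regular files in a directory whose first bytes are an ELF header, skips symbolic links such as a /dev/MAKEDEV that points elsewhere, and honours a constructed whitelist variable ALLOWED that stands in for the ALLOWDEVFILE option.

```sh
#!/bin/sh
# Added example, not rkhunter code: find regular ELF files in a device
# directory, the condition behind a "Suspicious files found in /dev" report.
# Symlinks (the usual form of /dev/MAKEDEV on CentOS 5 / Fedora) are ignored;
# a non-symlink ELF binary in /dev is reported unless whitelisted.

# Constructed whitelist, one full path per line (stands in for ALLOWDEVFILE).
ALLOWED="${ALLOWED:-}"

is_elf() {
    # True when the first four bytes are the ELF magic 0x7f 'E' 'L' 'F'.
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

is_allowed() {
    # Exact, literal match of the path against the whitelist.
    printf '%s\n' "$ALLOWED" | grep -qxF -- "$1"
}

scan_dev_dir() {
    # Print one line per suspicious file; always returns 0 so callers can
    # capture the output under 'set -e'.
    dir="$1"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob pattern
        [ -L "$f" ] && continue                  # symlink: what rkhunter accepts
        [ -f "$f" ] || continue                  # device nodes, dirs, fifos belong here
        if is_elf "$f" && ! is_allowed "$f"; then
            printf '%s ELF executable (regular file, not a symlink)\n' "$f"
        fi
    done
    return 0
}

# Usage on a live system (read-only): scan_dev_dir /dev
```

Run it against /dev on a box that reports the warning; an empty result after whitelisting the path means the entry would be accepted, a remaining line names the real file that needs explaining.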