On Wed, Oct 24, 2007 at 11:31:50PM +0100, John Horne wrote:
> On Wed, 2007-10-24 at 10:35 +0100, Arthur Dent wrote:
>
> > 'ls -l /dev/pts/0' does indeed report no such file even after a
> > reboot. Should I be concerned about this?
>
> It is difficult to say. You haven't said what O/S you are running, but
> you may want to ask the question on a user mailing list for your O/S.

Sorry - should have said earlier. Fedora Core 6

[EMAIL PROTECTED] ~]$ uname -a
Linux troodos.org.uk 2.6.22.9-61.fc6 #1 SMP Thu Sep 27 18:48:03 EDT 2007 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] ~]$

> > b) Whitelist the processes using ALLOWPROCDELFILE=/bin/bash and
> > ALLOWPROCDELFILE=/bin/mail
> > (This works by the way - but I am a bit nervous of allowing any /bin/bash
> > process. Can I make it more specific?)
>
> No, you can't make it more specific, but I will note that for
> consideration in my TODO list.

Thank you.

> No, you cannot whitelist files from the suspscan test. unSpawn has done
> the work for this test, so you may want to enter this as a feature
> request in the RKH bugzilla. (He's a bit busy, but does pick up on
> reported bugs/requests.)

Done that. Feature request no. 1820049

> > Point no. 4 (suspscan finding its own files)
>
> No I don't think that's right. The suspscan test will create a temporary
> file, but it is the subsequent 'filesystem' test that then detects it
> in /dev. I have noted that the warning message for the filesystem test
> says something like 'suspicious file', but I will change that to say
> 'suspicious file type'. The two tests are separate in that suspscan
> checks file contents, whereas 'filesystem' (amongst other things) checks
> the file type. An ASCII file type in the /dev directory is suspicious,
> hence you get the warning.
>
> If you run 'rkhunter --enable suspscan' you may or may not get warnings,
> but they won't include the temporary file. If you look in /dev/shm you
> will see that the file has been created though.
>
> > However, I have discovered that placing the following line:
> > ALLOWDEVFILE=/dev/shm/suspscan.*
> > in rkhunter.conf does away with this problem.
>
> Because this has whitelisted the file from the 'filesystem' test, not
> the 'suspscan' test.

On closer inspection I realise that you are absolutely correct.

Warning: Suspicious file types found in /dev:
         /dev/shm/suspscan.10233.strings: ASCII English text

It is indeed "suspicious file type", not "suspicious content", so my
combination of "rm /dev/shm/suspscan.*" at the end of the script and
ALLOWDEVFILE=/dev/shm/suspscan.* in rkhunter.conf gives me a satisfactory
method of maintaining a clean sheet.

I have not yet tried the cvs 1.3.1 version. Whilst it clears up the
suspscan.* files after itself, do they still need to be allowed with the
ALLOWDEVFILE option to prevent them being reported as suspicious file
types during the scan?

Anyway. Many many thanks for all your help. Great product!

AD
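As an added illustration of the arrangement settled on in this thread (an ALLOWDEVFILE glob that whitelists the suspscan temporary file from the 'filesystem' test, plus an end-of-script removal of the leftovers), the following POSIX shell script is not rkhunter's own code: it models the whitelist check and the cleanup step on constructed input, so the sample findings, the ALLOWDEVFILE list and the scratch directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. It models two pieces of the thread:
#  - an ALLOWDEVFILE-style glob whitelist applied to 'suspicious file type'
#    findings under /dev, and
#  - the end-of-script removal of leftover suspscan.* temporary files.
# All inputs below are constructed for the illustration.

# Constructed sample findings, in the "path: file type" shape of the warning
# quoted in the thread. Only the first one is an expected suspscan temp file.
SAMPLE_FINDINGS='/dev/shm/suspscan.10233.strings: ASCII English text
/dev/shm/pulse-shm-1234: data
/dev/.hidden/dropper: ELF 32-bit LSB executable'

# Constructed whitelist: one or more space-separated glob patterns, mirroring
# the ALLOWDEVFILE=/dev/shm/suspscan.* line from rkhunter.conf.
ALLOWDEVFILE='/dev/shm/suspscan.*'

# is_allowed PATH: succeed (0) when PATH matches any ALLOWDEVFILE glob.
# Pathname expansion is switched off while iterating so the patterns are not
# expanded against the real filesystem; 'case' then does the pattern match.
is_allowed() {
    path=$1
    set -f
    for pattern in $ALLOWDEVFILE; do
        case "$path" in
            $pattern) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# report_suspicious: print each finding whose path is not whitelisted.
report_suspicious() {
    printf '%s\n' "$SAMPLE_FINDINGS" | while IFS= read -r line; do
        path=${line%%:*}
        if ! is_allowed "$path"; then
            printf '%s\n' "$line"
        fi
    done
}

# cleanup_suspscan_tmp DIR: remove leftover suspscan.* files from DIR. This is
# the thread's 'rm /dev/shm/suspscan.*' step with the directory parameterised
# so it can be exercised on a scratch directory rather than /dev/shm.
cleanup_suspscan_tmp() {
    dir=$1
    for f in "$dir"/suspscan.*; do
        [ -e "$f" ] && rm -f -- "$f"
    done
    return 0
}

# Stand-alone run: show what would still be reported after whitelisting.
report_suspicious
```

The two halves cover different moments: the whitelist keeps the temp file from being reported while the scan is still running, and the cleanup keeps stale copies from accumulating between runs. Because anything under /dev/shm matching the glob is silenced, the pattern should stay as narrow as the real filename allows (the `suspscan.` prefix rather than `/dev/shm/*`), and the remaining findings, such as the constructed `/dev/.hidden/dropper` line above, should still surface.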
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users