On Mon, 2009-11-30 at 12:33 -0600, Mike McCarty wrote:
> > 
> > grep -n hdparm rc.sysinit
> > 1132:# after installing the hdparm-RPM. If you need different hdparm
> > parameters
> > 1153:# resyncing and disks heavily active, because hdparm might hang and
> > 1157:   if [ -x /sbin/hdparm ]; then
> > 1190:                         action "Setting hard drive parameters for %s:
> > " ${disk[$device]}  /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
> > 
> > Is there a way I can exclude this file? I searched, but didn't see an
> > option for this check.
> 
> Perhaps the tool could be made smart enough to notice that the
> string occurs in a comment.
>
Those last two occurrences aren't comments though, so the test is valid.

> 
> Personally, I don't like whitelisting.
> 
I would agree. However, as commented in the rkhunter.conf file, you can
whitelist a rootkit file but should then include the file in the file
properties check. That way if the file does become a genuine rootkit
file, you should still get a warning (albeit from the file properties
test rather than the rootkit test).




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
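
The thread turns on which hits for a string in a startup script are comments and which are active code. The following is an added example, not part of the original messages and not rkhunter code, that lists only the hits outside shell comments. The names `code_hits` and `sample_rc` are hypothetical, and the sample file is constructed from the grep output quoted above plus one added trailing-comment line.

```shell
#!/bin/sh
# Added example (not rkhunter code): report occurrences of a string in a
# startup script that lie outside shell comments.

# code_hits STRING FILE -> prints "LINENO:text" for each hit in active code.
code_hits() {
    awk -v pat="$1" '
    {
        line = $0
        # A comment starts at "#" at line start or after whitespace.
        # If a quote precedes the "#", keep the whole line: the "#" may be
        # inside a string, and a missed hit is worse than a false alarm.
        if (match(line, /(^|[ \t])#/)) {
            head = substr(line, 1, RSTART - 1)
            if (head !~ /["\047]/) line = head
        }
        if (index(line, pat)) print NR ":" $0
    }' "$2"
}

# Constructed sample: lines 1-4 are reassembled from the quoted grep output,
# line 5 is an added trailing-comment case. Line numbers here are 1-5, not
# the numbers of the real rc.sysinit.
sample_rc() {
    cat <<'EOF'
# after installing the hdparm-RPM. If you need different hdparm parameters
# resyncing and disks heavily active, because hdparm might hang and
   if [ -x /sbin/hdparm ]; then
      action "Setting hard drive parameters for %s: " ${disk[$device]}  /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
   fi  # hdparm done
EOF
}

# Stand-alone run: show the active-code hits in the sample.
tmp_rc=$(mktemp)
sample_rc > "$tmp_rc"
code_hits hdparm "$tmp_rc"
rm -f "$tmp_rc"
```

Only the `if [ -x /sbin/hdparm ]` test and the `action` line are reported, the two occurrences that are not comments.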
