John Horne wrote:
> On Mon, 2009-11-30 at 12:33 -0600, Mike McCarty wrote:

[...]

>> Perhaps the tool could be made smart enough to notice that the
>> string occurs in a comment.
>>
> Those last two occurrences aren't comments though, so the test is valid.

I missed that. Good point.

>> Personally, I don't like whitelisting.
>>
> I would agree. However, as commented in the rkhunter.conf file, you can
> whitelist a rootkit file but should then include the file in the file
> properties check. That way if the file does become a genuine rootkit
> file, you should still get a warning (albeit from the file properties
> test rather than the rootkit test).

That's a good idea, however, I'd rather just ignore the warning, and
have a "valid copy" stored away elsewhere, and do a diff each time.
That way, one could be sure things didn't get in trouble.

Unless the "file properties" includes a cryptologically secure hash
value. That would be acceptable.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
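
Added example, not part of the original message and not rkhunter code: a sketch of the approach described in the reply above, keeping a known-good copy elsewhere and comparing the live file to it by SHA-256 on each run, with a diff shown on mismatch. The function names and directory layout are hypothetical, and it assumes `sha256sum`, `awk` and `diff` are available.

```shell
#!/bin/sh
# Added illustration: compare a flagged file against a known-good copy.
# Function names and all paths are hypothetical.

# sha256_of FILE: print only the hex digest of FILE.
sha256_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# save_baseline FILE BASELINE_DIR
# Store a copy of FILE plus its digest. BASELINE_DIR should live on
# read-only or offline media so an intruder cannot rewrite it.
save_baseline() {
    name=$(basename -- "$1")
    cp -p -- "$1" "$2/$name" || return 2
    sha256_of "$1" > "$2/$name.sha256"
}

# check_baseline FILE BASELINE_DIR
# Returns 0 if FILE is unchanged, 1 if it differs from the baseline,
# 2 if the file or its baseline is missing, and 3 if the stored copy
# no longer matches its own recorded digest.
check_baseline() {
    name=$(basename -- "$1")
    copy="$2/$name"
    [ -f "$1" ] && [ -f "$copy" ] && [ -f "$copy.sha256" ] || return 2
    want=$(cat -- "$copy.sha256")
    # The baseline itself must still match the digest recorded for it.
    [ "$(sha256_of "$copy")" = "$want" ] || return 3
    if [ "$(sha256_of "$1")" = "$want" ]; then
        return 0
    fi
    # Mismatch: show what changed relative to the valid copy.
    diff -u -- "$copy" "$1" >&2 || true
    return 1
}
```

Run `save_baseline` once after the file has been reviewed, then call `check_baseline` from the same cron job that runs the scanner and alert on any non-zero status.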