On Monday 30 November 2009 1:33:18 pm Mike McCarty wrote:
> Dick Gevers wrote:
> > [...]
>
> > My STARTUP_PATHS includes /etc/rc.d in which
> > the file rc.sysinit contains the word
> > 'hdparm', which causes a warning by rkh:
> >
> > Found string 'hdparm' in file
> > '//etc/rc.d/rc.sysinit'. Possible rootkit:
> > Xzibit Rootkit
> >
> > But rpm finds the file to be in order.
> >
> > For info:
> >
> > grep -n hdparm rc.sysinit
> > 1132:# after installing the hdparm-RPM. If you need different hdparm parameters
> > 1153:# resyncing and disks heavily active, because hdparm might hang and
> > 1157: if [ -x /sbin/hdparm ]; then
> > 1190: action "Setting hard drive parameters for %s: " ${disk[$device]} /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
> >
> > Is there a way I can exclude this file?: I
> > searched, but didn't see an option for this
> > check.
>
> Perhaps the tool could be made smart enough to
> notice that the string occurs in a comment.
> Another possibility is to edit that file to
> remove the string.
>
> Personally, I don't like whitelisting.
>
> Mike
> --

I, too, got a fp regarding hdparm in /etc/rc.d/rc.sysinit. At least in my CentOS systems, the hdparm directives seem to be defaults.

I've implemented the suggestion by John Horne that I add RTKT_FILE_WHITELIST="/etc/rc.d/rc.sysinit" in rkhunter.conf. However, the mere fact that rc.sysinit is checked by rkhunter as a place where rootkits might cause issues makes me uneasy about whitelisting that file in its entirety. Is there no way to deal just with the hdparm part of this issue?

Thanks.

Dimitri

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
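
The comment-versus-code distinction raised in the thread can be checked by hand before deciding whether to whitelist a startup file. The script below is an added example, not part of the thread and not rkhunter code; the function names and the sample file (modelled on the quoted `grep` output, plus one constructed line) are assumptions.

```shell
#!/bin/sh
# Added example, not rkhunter code. Names and sample data are constructed.

# classify_hits STRING FILE
# Print "<lineno>:<comment|code>:<text>" for every line containing STRING.
# Only whole-line comments count as "comment"; a line with code plus a
# trailing "#" remark is reported as "code" so it still gets reviewed.
classify_hits() {
    awk -v s="$1" '
        index($0, s) {
            line = $0
            sub(/^[ \t]+/, "", line)      # drop leading indentation
            kind = (substr(line, 1, 1) == "#") ? "comment" : "code"
            printf "%d:%s:%s\n", NR, kind, line
        }' "$2"
}

# count_hits KIND STRING FILE
# Print how many hits of KIND ("comment" or "code") the file contains.
count_hits() {
    classify_hits "$2" "$3" |
        awk -F: -v k="$1" '$2 == k { n++ } END { print n + 0 }'
}

# make_sample FILE
# Write a constructed excerpt modelled on the lines quoted in the thread.
make_sample() {
    cat > "$1" <<'EOF'
# after installing the hdparm-RPM. If you need different hdparm parameters
# resyncing and disks heavily active, because hdparm might hang and
if [ -x /sbin/hdparm ]; then
    action "Setting hard drive parameters for %s: " ${disk[$device]} /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
fi
echo "done"   # constructed line: hdparm only in a trailing remark
EOF
}

sample=$(mktemp) && make_sample "$sample"
classify_hits hdparm "$sample"
echo "comment hits: $(count_hits comment hdparm "$sample")"
echo "code hits:    $(count_hits code hdparm "$sample")"
rm -f "$sample"
```

The lines reported as code are the ones to read against the packaged copy of the file; the classification itself says nothing about whether a line is benign.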