On Sun, 2010-02-07 at 08:26 +0100, Helmut Hullen wrote:
>
> I can put a line
>
> RTKIT_DIR_WHITELIST=/dev/ida
>
That should be 'RTKT_DIR_WHITELIST'.

> into "/etc/rkhunter.conf", but then I see two problems:
>
> 1) "rkhunter" finds no entries like "/dev/ida/.inet/logclear"
>
Seems to work fine for me. From my log file:

[20:58:11] Checking for directory '/dev/ida/.inet' [ Found ]
[20:58:11] Warning: Xzibit Rootkit [ Warning ]
[20:58:11] File '/dev/ida/.inet/logclear' found
[20:58:11] Directory '/dev/ida/.inet' found
[20:58:17] Info: Found directory '/dev/ida': it is whitelisted for the 'possible_rkt_files' check.
[20:58:17] Checking for directory '/dev/ida' [ Found ]
[20:58:18] Checking for possible rootkit files and directories [ None found ]

> 2) a comment in "rkhunter.conf" says the directory must exist - if
> "udev" is running and no "ida" device exists then "udev" doesn't produce
> a "/dev/ida" directory.
>
> Any solution?
>
Sorry, but none that I can think of.

I realised a while ago that RKH is quite strict about the fact that any configured or whitelisted file/dirs/pathnames must exist, but that that may be a bit too strict in some cases. The objective was to alert the user to the fact that they had (for example) configured a pathname which does not exist, and hence the relevant test may be skipped (or even pass) when in fact it should fail. It was felt important that RKH should let the user know about this straight away, rather than the user finding out about it some time later.

I'm currently thinking, but have not discussed this with the developers yet, that maybe we can relax RKH from being so strict, but provide a 'consistency' option by which RKH will check that all configured/whitelisted files/dirs/pathnames do exist. Then, as in your case, you could configure RKH to whitelist something that may exist at one time but not at others, but also be able to run RKH with the consistency option to ensure that all your other pathnames etc are correct. This option should only need to be run when the config file(s) have been changed.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
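
The 'consistency' check proposed in the message above, sketched as a standalone shell function. This is an added example, not rkhunter code and not part of the original message; the function names are hypothetical, and it assumes whitelist options are OPTION=value lines holding space-separated pathnames and that RTKT_FILE_WHITELIST is parsed like RTKT_DIR_WHITELIST.

```shell
#!/bin/sh
# Added example, not rkhunter code: list whitelisted pathnames that are absent.
# Assumption: options are OPTION=value lines holding space-separated pathnames,
# optionally quoted, and RTKT_FILE_WHITELIST is parsed like RTKT_DIR_WHITELIST.
CHECK_OPTS="RTKT_DIR_WHITELIST RTKT_FILE_WHITELIST"

# missing_whitelist_paths CONF  (hypothetical helper)
# Prints "OPTION PATH" for each configured pathname that does not exist.
# Returns 0 if every pathname exists, 1 if any is missing, 2 if CONF is unreadable.
missing_whitelist_paths() {
    conf=$1
    [ -r "$conf" ] || return 2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        case $line in *=*) ;; *) continue ;; esac         # need OPTION=value
        opt=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        case " $CHECK_OPTS " in *" $opt "*) ;; *) continue ;; esac
        val=$(printf '%s' "${line#*=}" | tr -d "\"'")     # strip quotes
        set -f                                # split on whitespace, no globbing
        for p in $val; do
            if [ ! -e "$p" ]; then
                printf '%s %s\n' "$opt" "$p"
                rc=1
            fi
        done
        set +f
    done < "$conf"
    return "$rc"
}

# make_sample_conf DIR  (hypothetical helper)
# Writes a constructed config into DIR: one whitelisted directory that exists
# and one, standing in for /dev/ida without the device, that does not.
make_sample_conf() {
    mkdir -p "$1/dev/present"
    cat > "$1/rkhunter.conf" <<EOF
# constructed sample, not a real rkhunter.conf
RTKT_DIR_WHITELIST=$1/dev/present
RTKT_DIR_WHITELIST="$1/dev/ida"   # created by udev only when the device exists
RTKT_FILE_WHITELIST=$1/dev/ida/.inet/logclear
OTHER_OPTION=/nonexistent/ignored
EOF
}
```

Run as a separate step after the config file(s) have been changed, a report like this flags mistyped pathnames without the scan itself having to reject a whitelist entry that exists only some of the time.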