On Mon, 2010-05-17 at 09:04 -0400, Tanstaafl wrote:
> On 2010-05-16 3:11 PM, Tanstaafl wrote:
> >> The 'hdparm' one is possibly a false-positive, but that's for you to
> >> check.
> >
> > Ok, well, I examined the two scripts, and didn't see anything unusual
> > about them... but I'm not a forensics expert, just a lowly admin
> > wanna-be... any other suggestions/pointers?
>
> Ok, found a reference in the gentoo forums to these two files as needing
> to be specified in rkhunter.conf as:
>
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
>
> Does that look reasonable/right?
>
No. That just removes them from the file properties check. They will
still be reported as infected.

See Helmut Hullen's answer:

    I had solved the "Xzibit" warnings with

        RTKT_FILE_WHITELIST=/etc/init.d/boot.local

In your case use:

    RTKT_FILE_WHITELIST=/etc/init.d/hdparm
    RTKT_FILE_WHITELIST=/etc/init.d/pciparm

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001