On Mon, 2010-05-17 at 09:04 -0400, Tanstaafl wrote:
> On 2010-05-16 3:11 PM, Tanstaafl wrote:
> >> The 'hdparm' one is possibly a false-positive, but that's for you to
> >> check.
> 
> > Ok, well, I examined the two scripts, and didn't see anything unusual
> > about them... but I'm not a forensics expert, just a lowly admin
> > wanna-be... any other suggestions/pointers?
> 
> Ok, found a reference in the Gentoo forums to these two files as needing
> to be specified in rkhunter.conf as:
> 
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
> USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"
> 
> Does that look reasonable/right?
>
No. That just removes them from the file properties check. They will
still be reported as infected.

See Helmut Hullen's answer:

   I had solved the "Xzibit" warnings with

   RTKT_FILE_WHITELIST=/etc/init.d/boot.local

In your case use:

   RTKT_FILE_WHITELIST=/etc/init.d/hdparm
   RTKT_FILE_WHITELIST=/etc/init.d/pciparm




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
