Hi. I've found that if I have multiple ALLOWPROCDELFILE entries (i.e. whitelisting more than one process to have deleted files) then they were all getting ignored and the processes reported as having deleted files open.
After some investigation, I think the problem is with rkhunter not resetting $IFS correctly when parsing the ALLOWPROCDELFILE entries. The following patch seems to fix it (though it feels like a quick and dirty hack).
*** 11955,11961 **** PROCWHITELISTED=0 PROCDELFILES_GIVEN=0 ! for RKHTMPVAR in ${ALLOWPROCDELFILES}; do PROCDELFILES_GIVEN=0 --- 11955,11961 ---- PROCWHITELISTED=0 PROCDELFILES_GIVEN=0 ! IFS=$RKHIFS for RKHTMPVAR in ${ALLOWPROCDELFILES}; do PROCDELFILES_GIVEN=0 *************** *** 12008,12014 **** # # Now display the results. # ! if [ $FOUND -eq 0 ]; then display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES else --- 12008,12014 ---- # # Now display the results. # ! IFS=$NLIFS if [ $FOUND -eq 0 ]; then display --to SCREEN+LOG --type PLAIN --result NONE_FOUND --color GREEN --log-indent 2 --screen-indent 4 ROOTKIT_MALWARE_DELETED_FILES else
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
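Review bot: in the first hunk (lines 11955-11961), `IFS=$RKHIFS` overwrites the current IFS without saving it, so the loop depends on a restore that sits roughly fifty lines further down in a separate hunk; save the value first (`RKHTMPIFS=$IFS` before `IFS=$RKHIFS`) and restore it right after the loop's `done`. Also confirm that RKHIFS is actually set at this point in the script: the hunk does not show its definition, and if it were unset the assignment would leave IFS empty, which disables word splitting and would collapse the whole ALLOWPROCDELFILES string into a single loop item, reproducing the very symptom this patch is meant to fix.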
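Review bot: in the second hunk (lines 12008-12014), restoring `IFS=$NLIFS` only just before the "Now display the results" block means every code path between the end of the whitelist loop and this point, including any early return or call into a helper such as `display`, runs with the modified IFS; moving the restore to immediately after the loop keeps the change local and easier to audit. Hard-coding NLIFS also assumes that was the value in effect before the loop, whereas restoring a saved copy (e.g. `IFS=$RKHTMPIFS`) makes no such assumption and stays correct if the surrounding code changes its IFS handling later.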