On Fri, 2011-07-15 at 15:59 +0100, John Horne wrote:
> On Fri, 2011-07-15 at 15:39 +0100, Tomasz Moskal wrote:
> > Hello,
> >
> > My understanding is that the USER_FILEPROP_FILES_DIRS option is meant to
> > exclude files from the file properties database and, as a consequence,
> > from the file properties check.
> >
> No, wrong way round :-) The option is to allow users to *include* their
> own files into the file properties check. However, it is also possible
> to exclude some files using the '!' prefix.
>
> > So using the examples from the
> > rkhunter.conf:
> >
> > 1. USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
> > 2. USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
> > 3. USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
> > 4. USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
> > 5. USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
> > 6. USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
> >
> > The logic here is that 1, 2, 3 and 6 may change relatively often and
> > including them in the file properties check may trigger false positives.
> >
> No, they are specified because we want to ensure they *are* checked.
>
> > 4 and 5 might (and will) change - rkhunter.dat will change with each
> > --propup - but they are critical enough to warrant occasional false
> > positive.
> >
> No, we do not monitor these files because they will change. However, it
> is up to each user to modify these things according to their own
> perceptions. In that respect there is nothing wrong with you monitoring
> them, but as you said the files will change and cause a warning.
>
> > If I'm correct with the above assumptions the rule of the thumb for
> > USER_FILEPROP_FILES_DIRS is to not assign any values to it if there is
> > no false-positives warnings. In general only files that change
> > frequently (thus changing the hash value) should be included here.
> >
> No :-) Include files which you *do* want to monitor and that rkhunter
> does not already monitor by default.
>
> > I just started to use RKH recently which means that I might be *very*
> > wrong with all what I just said
> >
> What can I say?? Yup, you were wrong :-) However, don't feel bad about
> it. I have to admit that it doesn't actually *say* what the option is
> for in the config file. It is mentioned in the CHANGELOG file though.
>
> I'll see about adding a comment in the config file to say what the
> option does. Thanks.
>
> John.
>
Ha! I couldn't be more wrong about all of it :-) Thanks for correcting me
- I could end up doing some rather stupid things in my rkhunter.conf...

Tom
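As an added illustration (not part of the thread and not rkhunter's own code), the sketch below resolves the six quoted USER_FILEPROP_FILES_DIRS entries against a constructed file listing, to show which user-specified files end up in the file properties check under the include/'!'-exclude reading given above. It assumes that '*' matches only within the last path component and that '!' entries apply regardless of their position in the list; the helper names and the sample listing are hypothetical.

```python
import fnmatch
import posixpath

# The six example entries quoted in the thread, in their original order.
ENTRIES = [
    "/etc/rkhunter.conf",
    "/etc/rkhunter.conf.local",
    "/var/lib/rkhunter/db/*",
    "!/var/lib/rkhunter/db/mirrors.dat",
    "!/var/lib/rkhunter/db/rkhunter*",
    "/var/lib/rkhunter/db/i18n/*",
]

# Constructed file listing for the demonstration (not from a real system).
SAMPLE_FILES = [
    "/etc/rkhunter.conf",
    "/etc/rkhunter.conf.local",
    "/etc/passwd",
    "/var/lib/rkhunter/db/mirrors.dat",
    "/var/lib/rkhunter/db/rkhunter.dat",
    "/var/lib/rkhunter/db/rkhunter.dat.old",
    "/var/lib/rkhunter/db/programs_bad.dat",
    "/var/lib/rkhunter/db/i18n/en",
]


def _matches(pattern, path):
    """Assumed matching rule: same directory, wildcard on the file name only."""
    return (posixpath.dirname(pattern) == posixpath.dirname(path)
            and fnmatch.fnmatchcase(posixpath.basename(path),
                                    posixpath.basename(pattern)))


def split_entries(entries):
    """Separate plain entries (includes) from '!'-prefixed entries (excludes)."""
    includes = [e for e in entries if not e.startswith("!")]
    excludes = [e[1:] for e in entries if e.startswith("!")]
    return includes, excludes


def monitored(entries, files):
    """Return the files added to the check by the user entries.

    This models only the user-supplied additions; files that rkhunter
    monitors by default are outside the scope of this sketch.
    """
    includes, excludes = split_entries(entries)
    return [f for f in files
            if any(_matches(p, f) for p in includes)
            and not any(_matches(p, f) for p in excludes)]


if __name__ == "__main__":
    for path in monitored(ENTRIES, SAMPLE_FILES):
        print("checked:", path)
```

Entries 4 and 5 remove mirrors.dat and the rkhunter* files from what entry 3 would otherwise pull in, so the files that change on every update do not raise warnings.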