On Mon, 2011-08-01 at 11:46 +0100, John Horne wrote:
> On Sat, 2011-07-30 at 14:12 +0100, Arthur Dent wrote:
> > I know you are probably going to (gently) remind me that this is
> > probably an issue for the Fedora list,
> >
> No, it's on topic for this list :-)
> 
> > 
> > Have I messed something up, or is this version of RKH simply not
> > reading .conf.local ?
> > 
> Look in the rkhunter.log log file. It will say which config files it is
> using, including the '.local' one if it sees it. However in answer to
> your question, yes, the current version of RKH should be using
> the .local config file.

Hmm.. Interesting...

[03:35:35] Running Rootkit Hunter version 1.3.8 on mydomain
[03:35:35]
[03:35:35] Info: Start date is Sun Jul 31 03:35:35 BST 2011
[03:35:35]
[03:35:35] Checking configuration file and command-line options...
[03:35:35] Info: Detected operating system is 'Linux'
[03:35:35] Info: Found O/S name: Fedora release 15 (Lovelock)
[03:35:35] Info: Command line is /usr/bin/rkhunter --update --nocolors
[03:35:35] Info: Environment shell is /bin/sh; rkhunter is using bash
[03:35:35] Info: Using configuration file '/etc/rkhunter.conf'
[03:35:35] Info: Using local configuration file '/etc/rkhunter.conf.local'
[03:35:35] Info: Installation directory is '/usr'
[03:35:35] Info: Using language 'en'
[03:35:35] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:35:35] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[03:35:35] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[03:35:35] Info: Using '/' as the root directory by default
[03:35:35] Info: Using '/var/lib/rkhunter' as the temporary directory
[03:35:35] Info: X will be automatically detected

So it looks like it *is* reading the local .conf.local file. Why isn't
it working?


> > ALLOWPROCDELFILE="/bin/bash /tmp/file*"
> > ALLOWPROCDELFILE="/bin/gawk /tmp/file*"
> > 
> These entries should be colon separated. Although the option allows for
> space-separated command pathnames, if a specific filename is to be
> whitelisted for that command then it must follow the command name
> separated by a colon (:). The main config file (rkhunter.conf) has an
> example:
> 
>        #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
> 
> So any files used by 'cardmgr' are whitelisted, but only '/etc/X11/abc'
> used by 'gpm' is whitelisted.
> 
> In your case any files used by 'bash' or 'gawk' will have been
> whitelisted.


OK - I didn't understand that. Thanks. I have now
edited /etc/rkhunter.conf.local to read:
ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"

I have initiated another run and it is running as I write this. I'll
report back.

Thanks for your help so far.

Best regards

Mark

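The ALLOWPROCDELFILE rule John Horne explains in the quoted reply, worked through as an added example (this is not rkhunter's own code): a small POSIX shell script that applies both entry forms to a constructed list of processes holding deleted files open, so the difference between `/bin/bash /tmp/file*` and `/bin/bash:/tmp/file*` is visible line by line. The config snippets and the process/file sample are constructed for the example. Three things are assumptions of the example and are not stated on the page: the pathname after the colon is matched as a shell glob (so the poster's `/tmp/file*` works), several pathnames may follow one command separated by further colons, and repeated ALLOWPROCDELFILE lines simply accumulate.

```shell
#!/bin/sh
# Added example (not rkhunter code): how ALLOWPROCDELFILE entries whitelist a
# process that holds a deleted file open, following the rule given in the
# thread: a bare command path whitelists every deleted file that command uses;
# "command:path" whitelists only the listed path(s).
#
# Assumptions of this example (not stated on the page): the pathname after the
# colon is matched as a shell glob, several pathnames may follow the command
# separated by further colons, and repeated ALLOWPROCDELFILE lines accumulate.

set -f   # no pathname expansion: "/tmp/file*" must stay a literal pattern

# Constructed config snippets. The first is the poster's original form, the
# second the corrected colon form plus the example entry from rkhunter.conf.
WRONG_CONF='ALLOWPROCDELFILE="/bin/bash /tmp/file*"
ALLOWPROCDELFILE="/bin/gawk /tmp/file*"'

RIGHT_CONF='ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"
ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"'

# Print every ALLOWPROCDELFILE value found in the config text given as $1,
# quotes stripped, one whitespace-separated entry per line.
procdelfile_entries() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ALLOWPROCDELFILE=//p' \
        | tr -d '"' \
        | tr ' ' '\n'
}

# is_whitelisted COMMAND DELETED_FILE CONFIG
# Returns 0 if CONFIG whitelists COMMAND holding DELETED_FILE open, else 1.
is_whitelisted() {
    wl_cmd=$1
    wl_file=$2
    for entry in $(procdelfile_entries "$3"); do
        case $entry in
            *:*)
                # command:path[:path...] -- only the listed files are allowed
                if [ "${entry%%:*}" = "$wl_cmd" ]; then
                    wl_paths=${entry#*:}
                    old_ifs=$IFS
                    IFS=:
                    for pattern in $wl_paths; do
                        # an unquoted $pattern in a case label is a glob match
                        case $wl_file in
                            $pattern) IFS=$old_ifs; return 0 ;;
                        esac
                    done
                    IFS=$old_ifs
                fi
                ;;
            *)
                # bare command -- every deleted file it holds open is allowed
                if [ "$entry" = "$wl_cmd" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Constructed sample of what the deleted-files check might see, as
# "command deleted-file" pairs. This is not real lsof or rkhunter output.
SAMPLE='/bin/bash /tmp/file123
/bin/bash /etc/ld.so.cache
/bin/gawk /tmp/file7
/usr/sbin/gpm /etc/X11/abc
/usr/sbin/gpm /etc/X11/zzz
/sbin/cardmgr /var/run/stab'

# report LABEL SAMPLE CONFIG: print the verdict for each sample line.
report() {
    echo "== $1 =="
    printf '%s\n' "$2" | while read -r cmd file; do
        if is_whitelisted "$cmd" "$file" "$3"; then v=whitelisted; else v=WARNING; fi
        printf '%-14s %-18s %s\n' "$cmd" "$file" "$v"
    done
}

report "space-separated (poster's first attempt)" "$SAMPLE" "$WRONG_CONF"
report "colon-separated (corrected)" "$SAMPLE" "$RIGHT_CONF"
```

Run as `sh allowprocdelfile.sh`. Under the space-separated form the `/tmp/file*` token is parsed as a second command name that never matches anything, while `/bin/bash` and `/bin/gawk` become bare entries, so every deleted file either of them holds open is whitelisted, `/etc/ld.so.cache` included. That is the security-relevant point: a bare command entry for a shell or interpreter is a broad blind spot, since a great deal of unrelated activity runs under `/bin/bash`. The colon form keeps the warning for anything other than the named path, and the bare `/sbin/cardmgr` entry shows the one case where whitelisting a whole command is what the example in rkhunter.conf intends.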

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users