On Mon, 2011-08-01 at 12:23 +0100, Arthur Dent wrote:
> On Mon, 2011-08-01 at 11:46 +0100, John Horne wrote:
> > On Sat, 2011-07-30 at 14:12 +0100, Arthur Dent wrote:
> > > I know you are probably going to (gently) remind me that this is
> > > probably an issue for the Fedora list,
> > >
> > No, it's on topic for this list :-)
> >
> > > Have I messed something up, or is this version of RKH simply not
> > > reading .conf.local ?
> > >
> > Look in the rkhunter.log log file. It will say which config files it is
> > using, including the '.local' one if it sees it. However in answer to
> > your question, yes, the current version of RKH should be using
> > the .local config file.
>
> Hmm.. Interesting...
>
> [03:35:35] Running Rootkit Hunter version 1.3.8 on mydomain
> [03:35:35]
> [03:35:35] Info: Start date is Sun Jul 31 03:35:35 BST 2011
> [03:35:35]
> [03:35:35] Checking configuration file and command-line options...
> [03:35:35] Info: Detected operating system is 'Linux'
> [03:35:35] Info: Found O/S name: Fedora release 15 (Lovelock)
> [03:35:35] Info: Command line is /usr/bin/rkhunter --update --nocolors
> [03:35:35] Info: Environment shell is /bin/sh; rkhunter is using bash
> [03:35:35] Info: Using configuration file '/etc/rkhunter.conf'
> [03:35:35] Info: Using local configuration file '/etc/rkhunter.conf.local'
> [03:35:35] Info: Installation directory is '/usr'
> [03:35:35] Info: Using language 'en'
> [03:35:35] Info: Using '/var/lib/rkhunter/db' as the database directory
> [03:35:35] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
> [03:35:35] Info: Using '/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
> [03:35:35] Info: Using '/' as the root directory by default
> [03:35:35] Info: Using '/var/lib/rkhunter' as the temporary directory
> [03:35:35] Info: X will be automatically detected
>
> So it looks like it *is* reading the local .conf.local file. Why isn't
> it working?
>
> > > ALLOWPROCDELFILE="/bin/bash /tmp/file*"
> > > ALLOWPROCDELFILE="/bin/gawk /tmp/file*"
> > >
> > These entries should be colon separated. Although the option allows for
> > space-separated command pathnames, if a specific filename is to be
> > whitelisted for that command then it must follow the command name
> > separated by a colon (:). The main config file (rkhunter.conf) has an
> > example:
> >
> > #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
> >
> > So any files used by 'cardmgr' are whitelisted, but only '/etc/x11/abc'
> > used by 'gpm' is whitelisted.
> >
> > In your case any files used by 'bash' or 'gawk' will have been
> > whitelisted.
> >
> OK - I didn't understand that. Thanks. I have now
> edited /etc/rkhunter.conf.local to read:
> ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
> ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"
>
> I have initiated another run and it is running as I write this. I'll
> report back.

Well I didn't expect this:

Warning: The following processes are using deleted files:
         Process: /usr/sbin/dovecot    PID: 709    File: /run/dovecot/login-master-notifyb6a920783290559f
         Process: /usr/bin/python    PID: 743    File: /tmp/ffixWTeCg
         Process: /usr/libexec/mysqld    PID: 1278    File: /tmp/ibNuqKo8
         Process: /usr/bin/pulseaudio    PID: 1738    File: /usr/bin/pulseaudio
         Process: /usr/libexec/dovecot/imap-login    PID: 4470    File: /run/dovecot/login-master-notifyf79914a30abb39fe
         Process: /usr/libexec/dovecot/imap-login    PID: 4474    File: /run/dovecot/login-master-notifyf79914a30abb39fe
         Process: /usr/bin/gedit    PID: 6570    File: /tmp/ffiKvWZQp
         Process: /bin/mailx    PID: 6640    File: /tmp/Rs68fPz4

Notice the /bin/bash & /bin/gawk entries are now gone, but all the others
are still there. Each and every one is in the .conf.local file.

My brain hurts...

Thanks again

Mark
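The colon rule John explains in the quoted reply, as an added illustrative example (not rkhunter's own code): a small shell function that applies the described ALLOWPROCDELFILE matching semantics to a (process, deleted file) pair and shows why the original space-separated entries whitelisted every deleted file for bash and gawk. It assumes the filename part is matched as a shell glob, as the thread's `/tmp/file*` entries imply.

```shell
#!/bin/bash
# Illustrative reimplementation of the ALLOWPROCDELFILE matching rule as
# explained in the thread (not rkhunter's own code). The value is a
# space-separated list of command pathnames; a command may be followed by
# ':' and one filename, which is then the only file whitelisted for it.
# Without the ':' part, every deleted file that command holds is whitelisted.
# Assumption: the filename part is matched as a shell glob (e.g. /tmp/file*).

# procdelfile_allowed VALUE COMMAND FILE
# Exit status 0 if VALUE whitelists COMMAND holding the deleted FILE, else 1.
procdelfile_allowed() (
    set -f                          # no pathname expansion while word-splitting VALUE
    value=$1 cmd=$2 file=$3
    for entry in $value; do         # split on whitespace, one entry per command
        ecmd=${entry%%:*}           # command pathname before the first ':'
        [ "$ecmd" = "$cmd" ] || continue
        if [ "$entry" = "$ecmd" ]; then
            exit 0                  # bare command: any deleted file is whitelisted
        fi
        pattern=${entry#*:}         # filename glob after the ':'
        case $file in
            $pattern) exit 0 ;;     # glob match against the reported file
        esac
    done
    exit 1
)

# Print the verdict for one (command, file) pair.
check() {
    if procdelfile_allowed "$1" "$2" "$3"; then
        printf 'allowed  %-16s %s\n' "$2" "$3"
    else
        printf 'WARN     %-16s %s\n' "$2" "$3"
    fi
}

# Original .conf.local entry: '/tmp/file*' is parsed as a second command
# name, so bash is whitelisted for *every* deleted file it holds.
check '/bin/bash /tmp/file*' /bin/bash /tmp/fileABC
check '/bin/bash /tmp/file*' /bin/bash /etc/anything

# Corrected entry: only files matching the glob are whitelisted for bash.
check '/bin/bash:/tmp/file*' /bin/bash /tmp/fileABC
check '/bin/bash:/tmp/file*' /bin/bash /etc/anything

# The example quoted from rkhunter.conf in the thread.
check '/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc' /sbin/cardmgr /tmp/whatever
check '/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc' /usr/sbin/gpm /etc/X11/abc
check '/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc' /usr/sbin/gpm /tmp/whatever
```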
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users