On Wed, 2012-04-04 at 17:34 +0200, unsp...@hushmail.com wrote:
> On Sun, 01 Apr 2012 02:15:49 +0200 John Horne 
> <john.ho...@plymouth.ac.uk> wrote:
> >On Sat, 2012-03-31 at 17:08 -0600, Kevin Fenzi wrote:
> >> It would be nice if it could see if /lib is a link and bypass 
> >> this test? Or if there was a way to whitelist this in config 
> >> (currently there isn't). 
> >> 
> >Tis very late - gone 1am here - so off the top of my head...
> >
> >It may be that only this one test is causing a problem, but I would
> >rather not make any specific checks just for it but for all similar
> >tests. In fact I'm a bit surprised if this is the only one that 
> >gets a warning :-) The current code lists it as a 'rootkit component', so 
> >there should be other parts of the rootkit tested too. Hence we could
> >remove just this test, but I'll leave that to unSpawn to decide.
> 
> Sorry, bit slow here. Indeed it's a decidedly weak check on its 
> own. 
> I agree it would be better to test for symlinks before running 
> other checks. 
> I'll have a go at it.
> 
As a general check or just in this instance?
I don't think checking for a symlink generally would be too good.

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users