On Thu, 2014-04-17 at 14:06 -0400, m.r...@5-cent.us wrote:
> Hi, folks,
>
> We're running CentOS 6.5, and rkhunter 1.4.0-2. My problem that's just
> shown up, I think it was with the latest rkhunter update, is this: I've
> got a user running jobs in R that run for days (not unusual around here
> for jobs to run for days, or weeks). But R appears to use /dev/shm, and
> of the three it creates (at least related to one job), one has a
> prefix, one a postfix... and the main one has *nothing* other than a
> random alphanumeric string as a filename.
>
> Now, I could just whitelist /dev/shm, but I'm *sure* there's malware
> out there that makes use of that. So my question is, *should* I
> whitelist /dev/shm, since I can't know in advance what the random name
> is, or is there a better solution?
>

Take a look at EXISTWHITELIST. It can be used when something may or may
not exist. However, it may not work well if you don't know the random
name, although if it is (for example) just numbers you could try
something like:

    EXISTWHITELIST=/dev/shm/[0-9][0-9]*

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
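
An added example, not part of the original message or of rkhunter itself: a small check of which /dev/shm names the suggested pattern would cover, and which of those are not purely numeric. It assumes the pattern follows ordinary shell glob rules; the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the whitelist pattern follows ordinary shell glob rules.

# glob_covers PATTERN PATH: succeed if PATH matches PATTERN.
glob_covers() {
    case "$2" in
        $1) return 0 ;;   # $1 is left unquoted so it acts as a glob
        *)  return 1 ;;
    esac
}

# all_digits NAME: succeed only if NAME is non-empty and purely numeric.
all_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# report PATTERN NAME...: print "covered:<names>|non-numeric:<names>"
report() {
    pattern=$1; shift
    covered=""; extra=""
    for name in "$@"; do
        glob_covers "$pattern" "/dev/shm/$name" || continue
        covered="${covered:+$covered }$name"
        all_digits "$name" || extra="${extra:+$extra }$name"
    done
    printf 'covered:%s|non-numeric:%s\n' "$covered" "$extra"
}

# Constructed sample names, not taken from any real system.
SAMPLE_NAMES="7 42 20140417 12abc 99.sh a1b2c3 Rtmp_x9"
report '/dev/shm/[0-9][0-9]*' $SAMPLE_NAMES
```

Running the same report against the names actually present in /dev/shm shows how much a candidate pattern would exempt before it goes into the configuration.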