On Wednesday 10 October 2007 at 00:39 +0200, intrigeri wrote:
> Hello,
>
> Julien Valroff wrote (08 Oct 2007 04:35:38 GMT):
> > On Monday 08 October 2007 at 08:45 +1000, Tim Connors wrote:
> >>
> >> I'm getting false positives that I can't seem to disable except by
> >> disabling the rather coarse-grained "SCAN_MODE_DEV=THOROUGH" tests.
> > [...]
>
> > This is well commented in the configuration file:
> > #
> > # Allow the specified files to be present in the /dev directory.
> > # One file per line (use multiple ALLOWDEVFILE lines).
> > #
> > #ALLOWDEVFILE=/dev/abc
>
> Are shell (or whatever) patterns allowed in ALLOWDEVFILE?

They are.

I have just tried and created a /dev/shm/pulse-shm-1633006343 file with
some random text.

Added the following to my /etc/rkhunter.conf:
ALLOWDEVFILE=/dev/shm/pulse-shm-*

Here is the log:
[[..]]
[19:05:40] Performing filesystem checks
[19:05:40] Info: Starting test name 'filesystem'
[19:05:40] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:05:41] Info: Found file '/dev/shm/pulse-shm-1633006343': it is whitelisted.
[[..]]

Cheers,
Julien
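
An added example, not part of the original message and not rkhunter's own code: a small audit helper that lists every file a wildcard ALLOWDEVFILE entry would cover, so the scope of a pattern such as /dev/shm/pulse-shm-* can be reviewed before relying on it. The function name, the temporary paths and the two extra file names are constructed, and matching with the shell's `case` globbing is an assumption about how rkhunter compares patterns.

```shell
#!/bin/sh
# Added example. Lists which files under DIR each active ALLOWDEVFILE pattern
# in CONF would cover. Matching uses the shell's own `case` globbing; that
# rkhunter compares patterns the same way is an assumption, not taken from
# its source.
covered_by_allowdevfile() {
    conf=$1
    dir=$2
    # Active (uncommented) ALLOWDEVFILE lines only; strip the key.
    sed -n 's/^[[:space:]]*ALLOWDEVFILE=//p' "$conf" |
    while IFS= read -r pattern; do
        find "$dir" -type f | sort |
        while IFS= read -r f; do
            case $f in
                $pattern) printf '%s\t%s\n' "$pattern" "$f" ;;
            esac
        done
    done
}

# Constructed demo: a temporary directory stands in for /dev/shm.
demo=$(mktemp -d)
mkdir "$demo/shm"
: > "$demo/shm/pulse-shm-1633006343"   # file from the message above
: > "$demo/shm/pulse-shm-unexpected"   # constructed: same prefix, also covered
: > "$demo/shm/unrelated"              # constructed: not covered
printf '%s\n' '#ALLOWDEVFILE=/dev/abc' \
    "ALLOWDEVFILE=$demo/shm/pulse-shm-*" > "$demo/rkhunter.conf"
covered_by_allowdevfile "$demo/rkhunter.conf" "$demo/shm"
rm -rf "$demo"
```

Any file whose name fits the pattern is reported as whitelisted, so the narrowest pattern that silences the false positive is the one to keep.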