On 31/03/10 11:34 AM, [email protected] wrote:
> On Wed, 31 Mar 2010 15:33:18 +0200 Muskoka Auto Parts Limited
> <[email protected]> wrote:
>> rkhunter has warned me about /dev/.tmp-11-1
>>
>> It's a block special file, and judging by creation date and what I
>> know of that system, I have an idea where it came from.
>
> Udev (say 'scsi_id')?

Yeah, that's roughly what I was thinking - I plugged in an
LCD projector at about that time, including its USB cable which
presents itself as a CD-ROM.

>> The problem is I'm stumped how to 'prove' that. Googling about
>> didn't find anything
>> useful. lsof doesn't show it (but also doesn't show any block
>> special files, so I'm not surprised)
>
> If it's created after boot then you could use file-system
> notification to try and catch file creation.
> If it's created on
> boot then you need to get in before the service or application
> starts. Then you could use Auditd with a watch rule on /dev/
> ('auditctl -w /dev/ -k watch-dev'). OTOH if it's Udev then maybe it
> has some debug or verbosity switches that enhance reporting.

So I mucked around for a bit trying things while looking at the output of

    sudo udevadm monitor --environment

and also

    inotifywatch -v /dev/.tmp-11-1

and couldn't find anything. I rebooted and of course the darned file is
gone and I can't get it recreated :-/

I'll have to shelve this until I get any other bright ideas I guess.

Thanks for your suggestions.

Brian
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
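
Added example, not part of the original thread: with the audit watch quoted above in place ('auditctl -w /dev/ -k watch-dev'), the creating process can be read out of the audit log by joining each SYSCALL record to the PATH records of the same event. The log lines, pids and executable paths below are constructed, and the code assumes the `nametype=` field that current auditd versions write in PATH records.

```python
import re
from collections import defaultdict
from posixpath import join, normpath

# Constructed sample records (not from the original thread), in the layout
# auditd writes to audit.log for a watch set with: auditctl -w /dev/ -k watch-dev
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1270049640.101:4521): arch=c000003e syscall=133 success=yes exit=0 ppid=412 pid=9133 uid=0 comm="scsi_id" exe="/lib/udev/scsi_id" key="watch-dev"
type=CWD msg=audit(1270049640.101:4521): cwd="/dev"
type=PATH msg=audit(1270049640.101:4521): item=0 name="/dev/" inode=2 mode=040755 nametype=PARENT
type=PATH msg=audit(1270049640.101:4521): item=1 name=".tmp-11-1" inode=9921 mode=060600 rdev=0b:01 nametype=CREATE
type=SYSCALL msg=audit(1270049655.007:4530): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=700 uid=0 comm="rkhunter" exe="/usr/bin/rkhunter" key="watch-dev"
type=CWD msg=audit(1270049655.007:4530): cwd="/root"
type=PATH msg=audit(1270049655.007:4530): item=0 name="/dev/.tmp-11-1" inode=9921 mode=060600 rdev=0b:01 nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or truncated lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)].append((rtype, fields))
    return events

def creators(text, key="watch-dev", prefix="/dev/"):
    """Return (path, exe, comm, pid) for each file created under prefix."""
    found = []
    for serial, records in sorted(parse_events(text).items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        cwd = next((f["cwd"] for t, f in records if t == "CWD"), "/")
        for t, f in records:
            if t == "PATH" and f.get("nametype") == "CREATE":
                path = normpath(join(cwd, f["name"]))  # relative names resolve against CWD
                if path.startswith(prefix):
                    found.append((path, sc.get("exe"), sc.get("comm"), int(sc["pid"])))
    return found

if __name__ == "__main__":
    for row in creators(SAMPLE_LOG):
        print(row)
```

Only the event whose PATH record is marked CREATE is reported; the later read of the same node by another process is ignored.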
