On Sun, 2010-05-09 at 20:59 +0200, Helmut Hullen wrote:
> Hello, John,
>
> You wrote on 09.05.10:
>
> >>> Why are you whitelisting this file? It is not checked for as a
> >>> rootkit file.
> >>
> >> You can see the reason in the remark line: "rkhunter" guessed there
> >> might be a "xzibit" virus. Together with "/etc/init.d/boot.local".
>
> > Ah, okay. I assume the file (boot.local) contains 'hdparm' in it?
>
> You're right - for forced setting DMA. And there are still machines which
> need that way.
>
Yes, 'hdparm' is a valid command that might be used in a startup script. I
think checking for that is a bit risky and, as in this case, could lead to
false positives.
The trouble is that although you could whitelist the startup script, it
would then be skipped for several rootkit checks rather than just this one.
I'm more inclined to remove the testing of hdparm in the startup scripts.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
