On Tue, 2012-04-17 at 10:40 +0200, Ernest Beinrohr wrote:
> Hi, my rkhunter 1.3.8 (fc14,x86_64) ignores ALLOWDEVFILE with a "*" in
> it.
>
> this is part of my config:
> ALLOWDEVFILE=/dev/md/md-device-map
> ALLOWDEVFILE=/dev/shm/pulse-shm-*
>
> The first file gets nicely whitelisted, but 2 files are being reported
> as suspicious. They change during the runtime of rkhunter quite a lot.
>
> $ rkhunter --nomow --checkall --rwo
> Warning: Suspicious file types found in /dev:
> /dev/shm/pulse-shm-1823465415: data
> /dev/shm/pulse-shm-2880195206: data
>

Hello,

It is possible that you are hitting a race-condition. RKH will determine
what files in /dev/ are to be whitelisted when it starts. However, by the
time the test runs there may be more files in /dev. In your case there are
more files, and they should have been whitelisted but weren't because they
weren't present when RKH started. (Follow that? :-) )

I had the same problem many times at work. This has been fixed for the
next release.


John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
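
The race described in the reply above, reproduced as an added example (not rkhunter's code and not part of the original message): a whitelist pattern expanded once at startup misses a matching file created later, while matching the pattern when the test runs does not. The temporary directory, file names and function names are constructed for the demo, and the check-time match is an assumption about one way to avoid the race, not necessarily how rkhunter fixed it.

```shell
#!/bin/sh
# Constructed demo: a temporary directory stands in for /dev/shm.

# Startup: expand the whitelist pattern into a fixed list of existing files.
expand_at_startup() {
    for f in $1; do                     # unquoted on purpose: glob expands now
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Check A: a file is allowed only if it is in the startup snapshot.
flagged_by_snapshot() {                 # $1 = directory, $2 = snapshot list
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$f" || printf '%s\n' "${f##*/}"
    done
}

# Check B: a file is allowed if it matches the pattern when the test runs.
flagged_by_pattern() {                  # $1 = directory, $2 = glob pattern
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case $f in
            $2) ;;                      # matches the whitelist pattern
            *)  printf '%s\n' "${f##*/}" ;;
        esac
    done
}

run_demo() {
    d=$(mktemp -d) || return 1
    pattern="$d/pulse-shm-*"
    : > "$d/pulse-shm-1001"             # present when the scanner starts
    snapshot=$(expand_at_startup "$pattern")
    : > "$d/pulse-shm-2002"             # created after startup, before the test
    : > "$d/unexpected.bin"             # never whitelisted
    SNAP_FLAGGED=$(flagged_by_snapshot "$d" "$snapshot" | paste -s -d ' ' -)
    PAT_FLAGGED=$(flagged_by_pattern "$d" "$pattern" | paste -s -d ' ' -)
    rm -rf "$d"
}

run_demo
echo "snapshot whitelist flags: $SNAP_FLAGGED"
echo "pattern whitelist flags:  $PAT_FLAGGED"
```

The snapshot check reports the late pulse-shm file as well as the unlisted one; the pattern check reports only the file that no whitelist entry covers.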
