Hi,
Version 1.3.8, with SCAN_MODE_DEV=THOROUGH, was working fine (on a Debian Wheezy install). There were no whitelisted ALLOWDEVFILEs needed.
When rkhunter was upgraded to 1.4.0-1, files in /dev/.udev/db/ started to get marked as suspicious. These files had simulated forward slashes in them, e.g. "\x2fclass\x2fvc\x2fvcs1". I traced the problem to line 15233 of the rkhunter script, in the do_dev_whitelist_check() method:
FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`
The grep expression below it was failing to deal with the "\x2f" etc. parts of the filenames, turning that into "x2f", and so the match wasn't made. I changed the line to
FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/\./\\\./g'`
and added ALLOWDEVFILE="/dev/.udev/db/\\x2f*" to whitelist all the problematic files in that directory.
Not sure yet if the /dev/.udev/db/ directory / files on my system are actually incorrect; it certainly looks like it. But this may be a general issue for dealing with any files with "\" in the name.
I couldn't figure out how to avoid changing the rkhunter script (i.e. the right ALLOWDEVFILE expression), because the problem lies in grep treating \x2f as x2f, and the input to grep is gotten from a listing of the files in /dev/.udev/db/.
I will let the list know if my /dev/.udev/db directory and those files are actually messed up (or if anyone could tell me?).
doug
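An added example, not from the original post or the rkhunter script, that reproduces the escaping problem with a constructed listing of /dev/.udev/db/ entries and shows the doubled-backslash fix matching them. The sed scripts are written as sed itself receives them, without the extra backslash level the post's backtick form needs; GNU grep behaviour is assumed.

```shell
#!/bin/sh
# Added example, not from the rkhunter script or the original post: why a
# /dev entry whose name contains literal backslashes (the "\x2f" pieces the
# post describes) fails to match when the name is dropped into a grep pattern
# with only its dots escaped, and how doubling the backslashes first fixes it.

# Constructed sample listing of /dev/.udev/db/ (rkhunter gets the real one
# from a directory scan); the backslashes are literal characters.
DEVLIST='/dev/.udev/db/\x2fclass\x2fvc\x2fvcs1
/dev/.udev/db/\x2fclass\x2fmem\x2fnull
/dev/.udev/db/block.sda'

# Original escaping from the post: only '.' is protected. The post shows the
# sed script inside backticks, which consume one level of backslashes; the
# scripts here are written exactly as sed receives them.
escape_orig() {
    printf '%s\n' "$1" | sed -e 's/\./\\./g'
}

# Fixed escaping: double every backslash first, then escape dots. The order
# matters: escaping dots first would leave the new "\." to be doubled into
# "\\.", which grep reads as a literal backslash followed by any character.
escape_fixed() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/\./\\./g'
}

# Returns 0 when the escaped pattern matches a whole entry in DEVLIST, the
# way a whitelist lookup would. GNU grep reads "\x" in a BRE as a plain "x",
# which is exactly why the names with unescaped backslashes never match.
matches() {
    printf '%s\n' "$DEVLIST" | grep -q -- "^$1\$"
}

# Report each constructed entry with both escapings.
printf '%s\n' "$DEVLIST" | while IFS= read -r f; do
    if matches "$(escape_orig "$f")"; then o=match; else o=MISS; fi
    if matches "$(escape_fixed "$f")"; then n=match; else n=MISS; fi
    printf '%-42s original:%-5s fixed:%s\n' "$f" "$o" "$n"
done
```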
_______________________________________________
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users