Douglas Fraser wrote:
> Hi,
> 
> Version 1.3.8, with SCAN_MODE_DEV=THOROUGH, was working fine (on a Debian 
> Wheezy install).  There were no whitelisted 
> ALLOWDEVFILEs needed.
> 
> When rkhunter was upgraded to 1.4.0-1, files in /dev/.udev/db/ started to get 
> marked as suspicious.  These files had 
> simulated forward slashes in them, e.g. "\x2fclass\x2fvc\x2fvcs1".  I traced 
> the problem to line 15233 of the rkhunter 
> script in the do_dev_whitelist_check() method:
> 
> FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\./\\\./g'`
> 
> The grep expression below it was failing to deal with the "\x2f" etc. parts of 
> the filenames, turning that into "x2f", and 
> so the match wasn't made.  I changed the line to
> 
> FNAMEGREP=`echo "${RKHTMPVAR}" | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/\./\\\./g'`
> 
> and added  ALLOWDEVFILE="/dev/.udev/db/\\x2f*" to whitelist all the 
> problematic files in that directory
> 
> Not sure yet if the /dev/.udev/db/ directory / files on my system are 
> actually incorrect; it certainly looks like it. 
> But this may be a general issue for dealing with any files with "\" in the 
> name.
> 
> I couldn't figure out how to avoid changing the rkhunter script (i.e. the 
> right ALLOWDEVFILE expression) because the 
> problem lies in grep treating \x2f as x2f and the input to grep is gotten 
> from a listing of the files in /dev/.udev/db/
> 
> I will let the list know if my /dev/.udev/db directory and those files are 
> actually messed up (or if anyone could tell me?)
> 
> doug
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Rkhunter-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> 

I don't know if this applies to the validity of the files which seem to
be labeled as "suspect", but it seems the files are created during the
initial boot process by udev as it wanders through the available but not
always used devices. I have a list of these files in text format, which
is different from the normal file type listed as broken links in the
/dev/udev/db folder. I found I could delete them without any ill effect.
There was also another file under /dev/udev and another under
/dev/intramfs, also text files. This is with an up-to-date version of Ubuntu
8.04 LTS which has been stripped of a number of IRC, media and other
software. It may be that the removal or alteration of that software
contributes as much as the editing of rkhunter, but this is just a theory.

drohde

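The escaping bug from the quoted report, as an added example that is not rkhunter's own code: a constructed listing plays the role of the /dev/.udev/db names, a dots-only sed pass stands in for the 1.4.0 line and a backslash-first pass for the fix (extended here to the other BRE metacharacters as well); the function and variable names are my own.

```shell
#!/bin/sh
# Constructed listing standing in for the `ls` output of /dev/.udev/db that
# do_dev_whitelist_check() feeds to grep (assumed layout, not real rkhunter data).
DEV_LISTING='/dev/.udev/db/\x2fclass\x2fvc\x2fvcs1
/dev/.udev/db/\x2fclass\x2fvc\x2fvcs2
/dev/.udev/db/plain.name'

# What rkhunter 1.4.0 did: protect dots only, then use the result as a grep
# basic regular expression. A "\x" in the name reaches grep as an unknown
# escape and is read as a plain "x", so the file is never matched.
escape_dots_only() {
    printf '%s\n' "$1" | sed -e 's/\./\\./g'
}

# Corrected escaping: double every backslash first (so the later pass cannot
# double-escape the ones we add), then protect the remaining BRE metacharacters.
escape_for_grep() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/[.*[^$]/\\&/g'
}

# Number of listing lines the pattern matches as a whole, anchored line
# (grep -c prints 0 and exits 1 on no match, hence the || true).
count_matches() {
    printf '%s\n' "$DEV_LISTING" | grep -c "^$1\$" || true
}

old_hits() { count_matches "$(escape_dots_only "$1")"; }
new_hits() { count_matches "$(escape_for_grep "$1")"; }

for f in '/dev/.udev/db/\x2fclass\x2fvc\x2fvcs1' '/dev/.udev/db/plain.name'; do
    printf '%-40s old=%s new=%s\n' "$f" "$(old_hits "$f")" "$(new_hits "$f")"
done
```

Newer GNU grep additionally prints a "stray \ before x" warning for the unescaped pattern, which is a quick way to spot this class of bug in any script that builds grep patterns from file names.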