On Tue, 2013-04-16 at 13:33 -0400, Adam Wolfe wrote:
> Hello all.
> 
> The hosting company I work for has recently undergone preparation for 
> PCI compliance.  In doing so, we must scan our servers' filesystems 
> regularly for intrusion, unexpected changes etc.  One of the tools we 
> are using for this is rkhunter.
> 
> Everything works fine until we come to the directory /dev/shm.  We use 
> symfony as a php framework and over time it can amass several thousand 
> files and when we needed to clear out this symfony cache to apply a 
> change it could take hours.  To get around this, we symlinked the cache 
> directory to /dev/shm.  Now clearing cache takes only a few seconds.  
> The problem is that rkhunter wants to look at each and every one of these 
> files, which makes the scan take hours upon hours and always seems to 
> generate a warning (even when whitelisted).
> 
> My question is if there is a way to tell rkhunter to flat out ignore 
> these directories.  Not necessarily ignore all of /dev/shm, but only the 
> symfony related directories within.  Is this at all possible, or is this 
> just an idea contrary to using something like rkhunter?
> 
Hello,

This sounds similar to someone else's problem from a few months back. As
far as I remember only the 'suspscan' test looks in /dev/shm, and by
default that test is disabled. I would suggest checking your config file
and ensuring that the test is disabled. Or look in the rkhunter log file,
it will say if it is running the suspscan test or not.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001


_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
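
One way to carry out the config-file check suggested in the reply, as an added example (not part of the original thread and not rkhunter's own code): shell functions that read ENABLE_TESTS and DISABLE_TESTS from a config file and report whether a test such as suspscan is selected. It assumes a simplified selection model (DISABLE_TESTS wins, repeated lines accumulate, test group names and command-line overrides are not considered); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a given rkhunter test (e.g. suspscan) selected by a config file?
# Assumed model: a test runs if ENABLE_TESTS names it (or "all") and
# DISABLE_TESTS does not. Group names and --enable/--disable are ignored.

# Print the accumulated, lower-cased value list of one option.
opt_values() {  # $1 = option name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tr -d "\"'" | tr '[:upper:]' '[:lower:]' | tr '\t\n' '  '
}

# Return 0 if word $1 appears in the space-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print "enabled" or "disabled" for test $1 according to config file $2.
test_state() {
    enabled=$(opt_values ENABLE_TESTS "$2")
    disabled=$(opt_values DISABLE_TESTS "$2")
    # No ENABLE_TESTS line found: treat as "all" (assumption).
    [ -n "$(printf %s "$enabled" | tr -d ' ')" ] || enabled=all
    if in_list "$1" "$disabled" || in_list all "$disabled"; then
        echo disabled
    elif in_list "$1" "$enabled" || in_list all "$enabled"; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample config (not taken from the thread).
write_sample() {
    cat > "$1" <<'EOF'
# rkhunter.conf excerpt (constructed)
ENABLE_TESTS=ALL
DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files"
EOF
}

# Check the config given as $1, or fall back to the constructed sample.
if [ -n "${1:-}" ]; then
    echo "suspscan: $(test_state suspscan "$1")"
else
    tmp=$(mktemp) && write_sample "$tmp"
    echo "suspscan: $(test_state suspscan "$tmp")"
    rm -f "$tmp"
fi
```

A result of "enabled" for suspscan on the live config would be consistent with the long scan times described in the question; the rkhunter log remains the authoritative record of which tests actually ran.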