Whitelist Known /dev device
Brought to you by:
dogsbody
John asked me to post this here....so here goes:
Kindly requesting a feature to explicitly whitelist a known mount/device under /dev.
For example, we mount /tmp to /dev/tmpMnt via loop, without exec permissions.
* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/tmpMnt: Linux rev 1.0 ext2 filesystem data (mounted or unclean) (large files)
This gets a little annoying after a while, as rkhunter 1.2.8 reports:
Please inspect this machine, because it can be infected.
Any possible chance of being able to whitelist such mounts/devices in future versions of rkhunter?
Thanks,
Jon
Logged In: YES
user_id=600864
Hello Jon,
> Any possible chance of being able to whitelist such mounts/devices in future versions of rkhunter?
Sure. I'll add it to the TODO list. When it's fixed in CVS
I'll let you know and I hope you would be able to test RKH CVS.
Regards, unSpawn
Logged In: YES
user_id=600864
Originator: NO
Sorry for the late reply,
Isn't this manageable with rkhunter.conf's ALLOWHIDDENDIR or ALLOWHIDDENFILE?
Cheers, unSpawn
Logged In: YES
user_id=661684
Originator: YES
Hi there,
As I recall I tried both ALLOWHIDDENDIR and ALLOWHIDDENFILE with no success a while back. The only thing I don't recall is if I used the device name itself or the pointing point. I'll try ways later today and let you know.
Regards,
Jon
Logged In: YES
user_id=661684
Originator: YES
Ok...gave them a try and just as I had feared...it was a no go. Same /dev suspicious files warning.
Tried each separately:
ALLOWHIDDENDIR=/dev/tmpMnt
ALLOWHIDDENDIR=/tmp
ALLOWHIDDENFILE=/dev/tmpMnt
ALLOWHIDDENFILE=/tmp
Regards,
Jon
Logged In: YES
user_id=665381
Originator: NO
Fixed in CVS. Look in the CVS rkhunter.conf for ALLOWDEVFILE entries.
John.
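To show what the /dev check in this thread is actually flagging, and what an allowlist entry like the ALLOWDEVFILE mentioned above has to do, here is an added example (it is not rkhunter's own code, and the allowlist semantics it implements are an assumption modelled on the thread: regular files under /dev are "unusual", device nodes, FIFOs, sockets, symlinks and directories are expected, and an exact allowlisted path is skipped). The /dev tree it scans is a constructed stand-in built in a temporary directory, including a loop-mount backing file named tmpMnt like the one Jon reported, so it runs without root and without touching the real /dev.

```python
import os
import stat
import tempfile
from typing import Iterable, List


def find_unusual_dev_files(dev_root: str, allowed: Iterable[str] = ()) -> List[str]:
    """Return regular files found under dev_root that are not on the allowlist.

    Under /dev one expects character/block device nodes, FIFOs, sockets,
    symlinks and directories.  A regular file there is what a rootkit
    check reports as "unusual".  Paths in `allowed` are skipped; this is an
    assumed model of what an ALLOWDEVFILE entry does, not rkhunter's code.
    """
    allowed = {os.path.normpath(p) for p in allowed}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(dev_root):
        for name in filenames:  # non-directory entries: files, nodes, FIFOs, links
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of /dev
            except FileNotFoundError:
                continue  # device nodes come and go; tolerate the race
            if stat.S_ISREG(st.st_mode) and os.path.normpath(path) not in allowed:
                hits.append(path)
    return sorted(hits)


def demo(allowlist: Iterable[str] = ("tmpMnt",)) -> dict:
    """Build a constructed fake /dev and scan it with and without the allowlist."""
    with tempfile.TemporaryDirectory() as root:
        fake_dev = os.path.join(root, "dev")
        os.mkdir(fake_dev)
        # Constructed contents: the loop-mount backing file from the thread, a
        # second stray regular file, plus a FIFO, a directory and a (dangling)
        # symlink that are normal for /dev and must not be reported.
        with open(os.path.join(fake_dev, "tmpMnt"), "wb") as f:
            f.write(b"\0" * 64)
        with open(os.path.join(fake_dev, "stray.bin"), "wb") as f:
            f.write(b"x")
        os.mkfifo(os.path.join(fake_dev, "initctl"))
        os.mkdir(os.path.join(fake_dev, "shm"))
        os.symlink("null", os.path.join(fake_dev, "stdnull"))

        without = find_unusual_dev_files(fake_dev)
        allowed_paths = [os.path.join(fake_dev, a) for a in allowlist]
        with_allow = find_unusual_dev_files(fake_dev, allowed_paths)
        return {
            "without_allowlist": [os.path.relpath(p, fake_dev) for p in without],
            "with_allowlist": [os.path.relpath(p, fake_dev) for p in with_allow],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the scan makes is that an allowlist only suppresses the exact path you name: tmpMnt disappears from the report once it is listed, while the stray file next to it is still flagged, which is the behaviour you want from a whitelist entry rather than an exclusion of the whole directory.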