#5 Whitelist Known /dev device

Group: main
Status: closed-fixed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2007-04-12
Created: 2006-10-27
Creator: Jon
Private: No

John asked me to post this here....so here goes:

Kindly requesting a feature to explicitly whitelist a known mount/device under /dev.

For example, we mount /tmp to /dev/tmpMnt via loop, without exec permissions.

* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/tmpMnt: Linux rev 1.0 ext2 filesystem data (mounted or unclean) (large files)

This gets a little annoying after a while, as rkhunter 1.2.8 reports:
Please inspect this machine, because it can be infected.

Any possible chance of being able to whitelist such mounts/devices in future versions of rkhunter?

Thanks,
Jon

Discussion

  • unSpawn
    2006-10-31

    • assigned_to: nobody --> unspawn
  • unSpawn
    2006-10-31

    Hello Jon,

    > Any possible chance of being able to whitelist such mounts/devices in future versions of rkhunter?
    Sure. I'll add it to the TODO list. When it's fixed in CVS
    I'll let you know and I hope you would be able to test RKH CVS.

    Regards, unSpawn

  • unSpawn
    2006-11-19

    Sorry for the late reply,

    Isn't this manageable with rkhunter.conf's ALLOWHIDDENDIR or ALLOWHIDDENFILE?

    Cheers, unSpawn

  • Jon
    2006-11-24

    Hi there,

    As I recall I tried both ALLOWHIDDENDIR and ALLOWHIDDENFILE with no success a while back. The only thing I don't recall is if I used the device name itself or the pointing point. I'll try ways later today and let you know.

    Regards,
    Jon

  • Jon
    2006-11-24

    Ok...gave them a try and just as I had feared...it was a no go. Same /dev suspicious files warning.

    Tried each separately:

    ALLOWHIDDENDIR=/dev/tmpMnt
    ALLOWHIDDENDIR=/tmp
    ALLOWHIDDENFILE=/dev/tmpMnt
    ALLOWHIDDENFILE=/tmp

    Regards,
    Jon

  • John Horne
    2007-04-12

    • status: open --> closed-fixed
  • John Horne
    2007-04-12

    Fixed in CVS. Look in the CVS rkhunter.conf for ALLOWDEVFILE entries.

    John.
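Added example, not rkhunter's own code: a minimal POSIX shell reimplementation of the "unusual files in /dev" check with an ALLOWDEVFILE-style whitelist, run against a constructed fake /dev tree so it works offline. It shows why an ALLOWHIDDENFILE line leaves /dev/tmpMnt flagged while an ALLOWDEVFILE line clears it; exact-path matching and the KEY=value config syntax are assumptions.

```shell
# Print every regular file under $1 (the fake /dev root) that is not
# whitelisted by an ALLOWDEVFILE= line in config file $2. Paths are
# reported as they would appear under the real /dev. Only ALLOWDEVFILE is
# consulted: ALLOWHIDDENFILE/ALLOWHIDDENDIR lines are ignored on purpose.
check_dev_files() {
    devdir=$1
    conf=$2
    allowed=$(sed -n 's/^ALLOWDEVFILE=//p' "$conf")
    # Device nodes and FIFOs are not regular files, so -type f skips them.
    find "$devdir" -type f | sort | while read -r f; do
        rel="/dev${f#"$devdir"}"
        skip=0
        for a in $allowed; do
            if [ "$a" = "$rel" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$rel"; fi
    done
    return 0
}

# Build a constructed /dev tree (an assumption, not a real /dev): a loop
# image file like the OP's /dev/tmpMnt, a FIFO that must not be flagged,
# and a stray regular file that the check should still report.
make_fake_dev() {
    d=$(mktemp -d)
    mkdir -p "$d/shm"
    : > "$d/tmpMnt"            # stands in for the ext2 image the OP mounts
    mkfifo "$d/initctl"        # device-like object, not a regular file
    : > "$d/shm/stray.bin"     # unexpected regular file in /dev
    printf '%s' "$d"
}

# Demo: with ALLOWDEVFILE set, only the stray file is reported.
dev=$(make_fake_dev)
conf=$(mktemp)
echo 'ALLOWDEVFILE=/dev/tmpMnt' > "$conf"
check_dev_files "$dev" "$conf"     # prints /dev/shm/stray.bin
rm -rf "$dev" "$conf"
```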