Re: [Rkhunter-users] whitelisting "/dev/ida"
From: Helmut H. <Hu...@t-...> - 2010-02-08 08:02:33
Hello, John,

You wrote on 07.02.10 on the subject Re: [Rkhunter-users] whitelisting "/dev/ida":

>> I can put a line
>>
>> RTKIT_DIR_WHITELIST=/dev/ida

> That should be 'RTKT_DIR_WHITELIST'.

Was a typo in my mail, not in "rkhunter.conf" - sorry.

>> into "/etc/rkhunter.conf", but then I see two problems:
>>
>> 1) "rkhunter" finds no entries like "/dev/ida/.inet/logclear"
>>

> Seems to work fine for me. From my log file:

> [20:58:11] Checking for directory '/dev/ida/.inet' [ Found ]
> [20:58:11] Warning: Xzibit Rootkit [ Warning ]
> [20:58:11] File '/dev/ida/.inet/logclear' found
> [20:58:11] Directory '/dev/ida/.inet' found

You're right - I hadn't tested this behaviour (with a handmade "/dev/ida/.inet/logclear") but only assumed.

The main problem (in my installations, with hard coded "/dev/ida", without "udev") therefore doesn't exist - ok.

>> 2) a comment in "rkhunter.conf" says the directory must exist - if
>> "udev" is running and no "ida" device exists then "udev" doesn't
>> produce a "/dev/ida" directory.
>>
>> Any solution?

> I'm currently thinking, but have not discussed this with the
> developers yet, that maybe we can relax RKH from being so strict, but
> provide a 'consistency' option by which RKH will check that all
> configured/whitelisted files/dirs/pathnames do exist.
[...]

Sounds good - thank you!

Best regards!
Helmut
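The kind of consistency check discussed in this message can be approximated outside rkhunter. The script below is an added example, not part of the thread and not rkhunter code; it reports every RTKT_DIR_WHITELIST entry whose directory is absent, assuming each option line holds one or more space-separated paths, optionally in double quotes.

```shell
#!/bin/sh
# Added example (not rkhunter code): report RTKT_DIR_WHITELIST entries
# whose directory does not exist, e.g. "/dev/ida" on a udev system
# that has no "ida" device.
# Assumption: option lines look like RTKT_DIR_WHITELIST=<path> [<path> ...],
# optionally double-quoted; lines starting with '#' are comments.

missing_whitelist_dirs() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Keep only active whitelist lines, strip the key and any quotes,
    # then split the value into one path per line.
    sed -n 's/^[[:space:]]*RTKT_DIR_WHITELIST[[:space:]]*=[[:space:]]*//p' "$conf" |
    tr -d '"' |
    tr -s ' \t' '\n\n' |
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        [ -d "$dir" ] || printf '%s\n' "$dir"
    done
}

if [ $# -gt 0 ]; then
    # Usage: sh check_whitelist.sh /etc/rkhunter.conf
    missing_whitelist_dirs "$1"
else
    # Constructed sample: one directory that exists, one that was never created.
    tmp=$(mktemp -d)
    mkdir "$tmp/present"
    printf 'RTKT_DIR_WHITELIST=%s\nRTKT_DIR_WHITELIST=%s\n' \
        "$tmp/present" "$tmp/ida" > "$tmp/rkhunter.conf"
    missing_whitelist_dirs "$tmp/rkhunter.conf"   # prints only the .../ida path
    rm -rf "$tmp"
fi
```

A whitelisted directory that is missing today can be created later by anyone with write access to its parent, so each path the script prints is worth reviewing rather than leaving in the configuration.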