Re: [Rkhunter-users] RKH Ignoring .conf.local?
From: John H. <joh...@pl...> - 2011-08-02 09:51:27
On Tue, 2011-08-02 at 10:38 +0100, Arthur Dent wrote:
> On Tue, 2011-08-02 at 00:46 +0100, Arthur Dent wrote:
>
> > OK - Thanks John, that works.
>
> Oops. Spoke too soon....
>
> From this morning's run:
>
> ---------------------- Start Rootkit Hunter Scan ----------------------
> Warning: The following processes are using deleted files:
> Process: /bin/bash PID: 2954 File: /tmp/fileFYLlb4
> Process: /bin/gawk PID: 3419 File: /tmp/fileFYLlb4
>
>
> From /etc/rkhunter.conf.local:
>
> ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
> ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"
>
> What gives?
>
Yeah, I noticed that yesterday. I'm not convinced that wildcarding works with that option. It is something that I need to look at.

For the moment all I can suggest is either remove the wildcarding so that you just whitelist bash and gawk, or specify the exact filenames. However, depending on how often the /tmp file changes, that may not work too well.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
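The difference between a literal and a glob comparison of the file part is what decides whether the two entries above silence the warnings. The script below is an added example, not rkhunter's own code: it takes a constructed whitelist and constructed warning lines in the forms quoted in the thread and shows which warnings would still be reported under each matching rule, so you can see what an exact-filename entry buys you before editing the whitelist. The "proc:file" split and the two matching modes are assumptions for illustration, not rkhunter's real parser.

```sh
#!/bin/sh
# Added example, not rkhunter's own code: compare literal and shell-glob
# matching of ALLOWPROCDELFILE entries against "process using deleted file"
# warnings. Config, warnings and matching rules are constructed assumptions.

# Constructed whitelist in the ALLOWPROCDELFILE="proc:file" form from the thread.
CONF='ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"
ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib_exact"'

# Constructed warning lines in the report format quoted in the thread.
WARNINGS='Process: /bin/bash PID: 2954 File: /tmp/fileFYLlb4
Process: /bin/gawk PID: 3419 File: /tmp/fileFYLlb4
Process: /usr/sbin/mysqld PID: 1200 File: /tmp/ib_exact
Process: /usr/bin/perl PID: 4000 File: /tmp/fileABC123'

# Emit "proc file" pairs from the whitelist, one per line.
allow_pairs() {
  printf '%s\n' "$CONF" |
    sed -n 's/^ALLOWPROCDELFILE="\([^:]*\):\([^"]*\)"$/\1 \2/p'
}

# is_allowed MODE PROC FILE: exit 0 if a whitelist entry covers the pair.
# MODE "exact" compares the file part literally; "glob" uses a case pattern.
is_allowed() {
  allow_pairs | while read -r aproc afile; do
    [ "$aproc" = "$2" ] || continue
    if [ "$1" = exact ] && [ "$afile" = "$3" ]; then
      echo hit; break
    elif [ "$1" = glob ]; then
      case $3 in $afile) echo hit; break ;; esac
    fi
  done | grep -q hit
}

# remaining MODE: print the warnings that would still be reported under MODE.
remaining() {
  printf '%s\n' "$WARNINGS" | while read -r k1 proc k2 pid k3 file; do
    is_allowed "$1" "$proc" "$file" ||
      printf 'Process: %s PID: %s File: %s\n' "$proc" "$pid" "$file"
  done
}

# remaining_count MODE: number of warnings left after whitelisting under MODE.
remaining_count() { remaining "$1" | grep -c .; }

for m in exact glob; do
  echo "== $m match: $(remaining_count "$m") warning(s) remain =="
  remaining "$m"
done
```

Under literal matching only the mysqld entry, which names the exact file, silences anything; under glob matching the two wildcarded entries also cover bash and gawk, and the unlisted perl process is reported either way.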