Re: [Rkhunter-users] /dev/shm OR ignoring directories

[Adam W. <kad...@gm...>]

suspscan is disabled in the log, but it still finds and complains about 
all the directories and files in /dev/shm.  I've whitelisted them 
before, but that doesn't stop rkhunter from still looking at each one 
(which can literally take 24hrs or more).


On 04/16/2013 04:02 PM, John Horne wrote:
> On Tue, 2013-04-16 at 13:33 -0400, Adam Wolfe wrote:
>> Hello all.
>>
>> The hosting company I work for has recently undergone preparation for
>> PCI compliance.  In doing so, we must scan our servers' filesystems
>> regularly for intrusion, unexpected changes etc.  One of the tools we
>> are using for this is rkhunter.
>>
>> Everything works fine until we come to the directory /dev/shm.  We use
>> symfony as a php framework and over time it can amass several thousand
>> files and when we needed to clear out this symfony cache to apply a
>> change it could take hours.  To get around this, we symlinked the cache
>> directory to /dev/shm.  Now clearing cache takes only a few seconds.
>> The problem is that rkhunter wants to look at each and everyone of these
>> files, which makes the scan take hours upon hours and always seems to
>> generate a warning (even when whitelisted).
>>
>> My question is if there is a way to tell rkhunter to flat out ignore
>> these directories.  Not necessarily ignore all of /dev/shm, but only the
>> symfony related directories within.  Is this at all possible, or is this
>> just an idea contrary to using something like rkhunter?
>>
> Hello,
>
> This sounds similar to someone elses problem from a few months back. As
> far as I remember only the 'suspscan' test looks in /dev/shm, and by
> default that test is disabled. I would suggest checking your config file
> and ensure that the test is disabled. Or look in the rkhunter log file,
> it will say if it is running the suspscan test or not.
>
>
>
>
> John.
>