Re: [Rkhunter-users] /dev/shm OR ignoring directories
From: Adam W. <kad...@gm...> - 2013-04-16 22:24:51
suspscan is disabled in the log, but it still finds and complains about all the directories and files in /dev/shm. I've whitelisted them before, but that doesn't stop rkhunter from still looking at each one (which can literally take 24 hrs or more).

On 04/16/2013 04:02 PM, John Horne wrote:
> On Tue, 2013-04-16 at 13:33 -0400, Adam Wolfe wrote:
>> Hello all.
>>
>> The hosting company I work for has recently undergone preparation for
>> PCI compliance. In doing so, we must scan our servers' filesystems
>> regularly for intrusion, unexpected changes etc. One of the tools we
>> are using for this is rkhunter.
>>
>> Everything works fine until we come to the directory /dev/shm. We use
>> symfony as a php framework and over time it can amass several thousand
>> files, and when we needed to clear out this symfony cache to apply a
>> change it could take hours. To get around this, we symlinked the cache
>> directory to /dev/shm. Now clearing cache takes only a few seconds.
>> The problem is that rkhunter wants to look at each and every one of these
>> files, which makes the scan take hours upon hours and always seems to
>> generate a warning (even when whitelisted).
>>
>> My question is if there is a way to tell rkhunter to flat out ignore
>> these directories. Not necessarily ignore all of /dev/shm, but only the
>> symfony related directories within. Is this at all possible, or is this
>> just an idea contrary to using something like rkhunter?
>>
> Hello,
>
> This sounds similar to someone else's problem from a few months back. As
> far as I remember only the 'suspscan' test looks in /dev/shm, and by
> default that test is disabled. I would suggest checking your config file
> and ensure that the test is disabled. Or look in the rkhunter log file,
> it will say if it is running the suspscan test or not.
>
> John.
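John's suggestion is to confirm from both the config file and the log whether the 'suspscan' test is actually disabled. The script below is an added example for doing that check, not code posted by anyone in this thread or shipped by rkhunter. It assumes the rkhunter.conf syntax of `KEY=value` lines with optional double quotes and `#` comments, and that `DISABLE_TESTS` may be given more than once (values accumulated); the sample config and log lines it scans are constructed here, and the log wording is an assumption about rkhunter's "Test '<name>' disabled" message rather than text taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm whether an rkhunter test is
# disabled, first from the config file, then from the log.

# test_disabled <conf_file> <test_name>
# Prints "disabled" or "enabled"; exit 0 when the test is in DISABLE_TESTS.
test_disabled() {
  conf="$1"; name="$2"
  # Keep only active (uncommented) DISABLE_TESTS lines, drop the key, quotes
  # and trailing comments, then flatten all values onto one line.
  disabled=$(sed -n 's/^[[:space:]]*DISABLE_TESTS[[:space:]]*=[[:space:]]*//p' "$conf" \
    | sed 's/#.*//; s/"//g' | tr -s '[:space:]' ' ')
  case " $disabled " in
    *" $name "*) printf 'disabled\n'; return 0 ;;
    *)           printf 'enabled\n';  return 1 ;;
  esac
}

# log_says_disabled <log_file> <test_name>
# Exit 0 when the log records the test as disabled. The matched phrase is an
# assumption about rkhunter's log wording, not verified against this thread.
log_says_disabled() {
  grep -q "Test '$2' disabled" "$1"
}

# Constructed sample config, standing in for /etc/rkhunter.conf (assumed path).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# Constructed sample config, not a real server's rkhunter.conf
#DISABLE_TESTS=none
DISABLE_TESTS="suspscan hidden_procs deleted_files"   # default-style list
DISABLE_TESTS=packet_cap_apps
EOF

# Constructed sample log lines (wording assumed, see above).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[22:10:01] Info: Test 'suspscan' disabled at users request
[22:10:02] Performing filesystem checks
EOF
trap 'rm -f "$CONF" "$LOG"' EXIT

printf 'config says suspscan is %s\n' "$(test_disabled "$CONF" suspscan)"
printf 'config says apps is %s\n'     "$(test_disabled "$CONF" apps)"
if log_says_disabled "$LOG" suspscan; then
  printf 'log confirms suspscan is disabled\n'
else
  printf 'log does not show suspscan as disabled\n'
fi
```

If the config reports "disabled" but the log shows the test running, the running instance is reading a different config file than the one you edited (for example a file named with `--configfile`), which is worth ruling out before looking at whitelisting.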