Verde Denim grabbed a keyboard and wrote:
> On 03/11/2013 09:19 PM, David Guntner wrote:
>> That's actually a fairly well-known false positive.
>>
>> If you want to silence that message, search your /etc/rkhunter.conf file
>> for the part which has RTKT_FILE_WHITELIST= in it, and then whitelist
>> that particular file. My own rkhunter.conf file has this in it:
>>
>> RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"
>>
>> That string typically shows up in those two files, so adding them to the
>> whitelist gets rid of the message. It's a known problem with the
>> rkhunter db.
>>
>> Search Google for "rkhunter hdparm" and you'll find all kinds of
>> references to it.
>
> My guess is that that same idea may also apply to this? -
>
> [12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced
> by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
>
> [12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted
> for the 'script replacement' check.
>
> [12:10:48] Checking for hidden files and directories [ Warning ]
> [12:10:48] Warning: Hidden directory found: '/etc/.java'

Yup.

For an item that's whitelisted, it will show up in the log file, but not
the main report itself. There are examples and so on in the
/etc/rkhunter.conf file - it's well worth going through that file to get
better ideas of how to configure it to your liking.

--Dave
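An added example, not part of the thread and not rkhunter's own code: a small Python triage of the log lines quoted above. It separates warnings that still reach the main report from items already whitelisted (logged as Info only) and names the rkhunter.conf option that covers each warning. SCRIPTWHITELIST and ALLOWHIDDENDIR are rkhunter options not named in the thread; the function name and the sample log (joined from the quoted lines) are constructed for illustration.

```python
import re

# Constructed sample: the log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[12:09:18] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[12:09:18] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.
[12:10:48] Checking for hidden files and directories [ Warning ]
[12:10:48] Warning: Hidden directory found: '/etc/.java'
"""

TIMESTAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s*")

# Warning text -> rkhunter.conf option that whitelists that path.
WARNING_RULES = [
    (re.compile(r"The command '([^']+)' has been replaced by a script"),
     "SCRIPTWHITELIST"),
    (re.compile(r"Hidden directory found: '([^']+)'"), "ALLOWHIDDENDIR"),
]

# Items already whitelisted appear only as Info lines in the log.
WHITELISTED = re.compile(
    r"Found file '([^']+)': it is whitelisted for the '([^']+)' check")


def triage(log_text):
    """Sort rkhunter log lines into candidate config lines, items that
    are already whitelisted, and warnings with no known whitelist rule."""
    result = {"candidates": [], "whitelisted": [], "unmatched": []}
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if line.startswith("Info:"):
            m = WHITELISTED.search(line)
            if m:
                result["whitelisted"].append((m.group(1), m.group(2)))
        elif line.startswith("Warning:"):
            for pattern, option in WARNING_RULES:
                m = pattern.search(line)
                if m:
                    result["candidates"].append(f"{option}={m.group(1)}")
                    break
            else:
                # Unknown warning: keep it visible, do not auto-whitelist.
                result["unmatched"].append(line)
    return result


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

The candidate lines are for review, not for blind pasting: confirm each path belongs to an installed package before adding it to /etc/rkhunter.conf.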