On Wed, 31 Mar 2010 15:33:18 +0200 Muskoka Auto Parts Limited <m...@map-heb.com> wrote:
>rkhunter has warned me about /dev/.tmp-11-1
>
>It's a block special file, and judging by creation date and what I know of that system, I have an idea where it came from.

Udev (say 'scsi_id')?

>The problem is I'm stumped how to 'prove' that. Googling about didn't find anything
>useful. lsof doesn't show it (but also doesn't show any block special files, so I'm not surprised)

If it's created after boot then you could use file-system notification to try and catch file creation. For kernel 2.4 that'll be dnotify (eliott, dirwatch) and for 2.6 inotify (see example http://www.ibm.com/developerworks/linux/library/l-inotify.html, you only need IN_CREATE_FILE) or use inotifywatch. If it's created on boot then you need to get in before the service or application starts. Then you could use Auditd with a watch rule on /dev/ ('auditctl -w /dev/ -k watch-dev'). OTOH if it's Udev then maybe it has some debug or verbosity switches that enhance reporting.

Regards, unSpawn
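
An added example, not part of the original message: once the audit watch suggested in the reply above (key `watch-dev`) is active, the records it logs can be grouped per event to show which process touched the node. The log lines are constructed, abridged samples in the raw audit.log layout, and the function names `parse_events` and `who_touched` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abridged sample records in the raw audit.log layout. They are
# NOT from the poster's system; the pids and exe paths are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1270042398.412:87): arch=c000003e syscall=133 success=yes exit=0 a1=6180 a2=b01 items=2 ppid=401 pid=612 uid=0 tty=(none) comm="scsi_id" exe="/lib/udev/scsi_id" key="watch-dev"
type=CWD msg=audit(1270042398.412:87): cwd="/"
type=PATH msg=audit(1270042398.412:87): item=0 name="/dev/" inode=1036 mode=040755 rdev=00:00
type=PATH msg=audit(1270042398.412:87): item=1 name="/dev/.tmp-11-1" inode=5120 mode=060600 rdev=0b:01
type=SYSCALL msg=audit(1270042399.020:88): arch=c000003e syscall=133 success=yes exit=0 items=2 ppid=1 pid=401 uid=0 tty=(none) comm="udevd" exe="/sbin/udevd" key="watch-dev"
type=PATH msg=audit(1270042399.020:88): item=0 name="/dev/" inode=1036 mode=040755 rdev=00:00
type=PATH msg=audit(1270042399.020:88): item=1 name="/dev/sdb1" inode=5121 mode=060660 rdev=08:11
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by the (timestamp, serial) id shared by one audit event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        # Limitation: names that auditd hex-encodes (spaces, control
        # characters) are left encoded and will not match a plain path.
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(1, 2)].append(fields)
    return events

def who_touched(log_text, path, key="watch-dev"):
    """Return the process details of every keyed event that names `path`."""
    hits = []
    for (ts, serial), records in parse_events(log_text).items():
        sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue  # event was not produced by our watch rule
        if any(r.get("type") == "PATH" and r.get("name") == path
               for r in records):
            hits.append({"time": ts, "serial": serial, "syscall": sc["syscall"],
                         "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                         "comm": sc["comm"], "exe": sc["exe"]})
    return hits

if __name__ == "__main__":
    for hit in who_touched(SAMPLE_LOG, "/dev/.tmp-11-1"):
        print(hit)
```

On a live system, `ausearch -k watch-dev` retrieves the records logged under that key.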