I have been running RKHunter 1.3.8 under Ubuntu 11.04 for some time now without 
any issues.  In order to avoid false positives I have 
ALLOWHIDDENDIR="/dev/.initramfs" defined in rkhunter.conf.  However, after 
upgrading to Ubuntu 11.10 this no longer works.  The /dev/.initramfs directory 
has been replaced by a symbolic link to /run/initramfs.  So now RKHunter gives 
me this warning in /var/log/rkhunter.log:

   Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

I tried whitelisting it as a file instead of a directory by defining 
ALLOWHIDDENFILE="/dev/.initramfs" but it didn't work.  When I start RKHunter it 
says:

   Invalid ALLOWHIDDENFILE configuration option: Not a file: /dev/.initramfs

 
So far I have not been able to find any reference in the documentation to 
whitelisting symbolic links to directories.  Is this even possible?

-- 
F. Wayne Brown <fwbr...@bellsouth.net>


Þæs ofereode, ðisses swa mæg.  ("That passed away, this also can.")
from "Deor," in the Exeter Book (folios 100r-100v)
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
