On Wed, 2011-10-19 at 09:46 -0700, Wayne Brown wrote:
> I have been running RKHunter 1.3.8 under Ubuntu 11.04 for some time
> now without any issues. In order to avoid false positives I have
> ALLOWHIDDENDIR="/dev/.initramfs" defined in rkhunter.conf. However,
> after upgrading to Ubuntu 11.10 this no longer works.
> The /dev/.initramfs directory has been replaced by a symbolic link
> to /run/initramfs. So now RKHunter gives me this warning
> in /var/log/rkhunter.log:
>
> Warning: Hidden file found: /dev/.initramfs: symbolic link to
> `/run/initramfs'
>
> I tried whitelisting it as a file instead of a directory by defining
> ALLOWHIDDENFILE="/dev/.initramfs" but it didn't work. When I start
> RKHunter it says:
>
> Invalid ALLOWHIDDENFILE configuration option: Not a
> file: /dev/.initramfs
>
> So far I have not been able to find any reference in the documentation
> to whitelisting symbolic links to directories. Is this even possible?
>
Hi,

It is a bug. The code for ALLOWHIDDENFILE allows most things except
directories, basically because you should use ALLOWHIDDENDIR for that
(and vice-versa). However, neither caters for a symbolic link to a
directory.

I have put a fix into the CVS code so that ALLOWHIDDENFILE should work
correctly. I will email you (off list) a fixed 'rkhunter' program with
this fix, which you should be able to just use as a drop-in replacement.
In your RKH config file you should use 'ALLOWHIDDENFILE=/dev/.initramfs'.

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
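
An added example, not rkhunter's code and not written by either poster: a POSIX shell illustration of why a symbolic link to a directory needs its own check, since `-d` and `-f` both follow links. The function names and the sample tree are hypothetical and constructed for illustration; the option mapping follows the reply above.

```shell
#!/bin/sh
# Added example: classify a path the way a hidden-entry scan has to.
# The symlink test (-h) must come first, because -d and -f follow links
# and would report a link to a directory as a plain directory.
classify_entry() {
    p=$1
    if [ -h "$p" ]; then
        if [ -d "$p" ]; then echo symlink-to-dir
        elif [ -e "$p" ]; then echo symlink-to-other
        else echo dangling-symlink
        fi
    elif [ -d "$p" ]; then echo dir
    elif [ -f "$p" ]; then echo file
    elif [ -e "$p" ]; then echo other
    else echo missing
    fi
}

# Map a classification to the rkhunter.conf option named in this thread.
# Real directories go to ALLOWHIDDENDIR; per the reply, everything else
# (including a symlink to a directory, once fixed) goes to ALLOWHIDDENFILE.
whitelist_line() {
    case $(classify_entry "$1") in
        dir)     echo "ALLOWHIDDENDIR=$1" ;;
        missing) return 1 ;;
        *)       echo "ALLOWHIDDENFILE=$1" ;;
    esac
}

# Constructed sample tree mimicking the Ubuntu 11.10 layout from the thread.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/run/initramfs" "$t/dev/.olddir"
    ln -s "$t/run/initramfs" "$t/dev/.initramfs"
    for p in "$t/dev/.initramfs" "$t/dev/.olddir"; do
        printf '%s -> %s\n' "$(classify_entry "$p")" "$(whitelist_line "$p")"
    done
    rm -rf "$t"
}
demo
```

Before whitelisting a hidden symlink, confirm its target with `readlink` so that the entry you allow is the one the distribution created.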