On Sat, 2012-03-31 at 17:08 -0600, Kevin Fenzi wrote:
> Greetings.
>
> With Fedora 17, Fedora is moving many top level dirs to their /usr
> equivalent. This causes a rkhunter false positive. On a 32bit
> install, /lib becomes a link to /usr/lib. There's a number of packages
> that put files in /usr/lib/java, but due to the symlink, rkhunter sees
> this as /lib/java/ which is a signature from some rootkit. ;(
>
> It would be nice if it could see if /lib is a link and bypass this
> test? Or if there was a way to whitelist this in config (currently
> there isn't).
>

Tis very late - gone 1am here - so off the top of my head...

It may be that only this one test is causing a problem, but I would rather not make any specific checks just for it but for all similar tests. In fact I'm a bit surprised if this is the only one that gets a warning :-)

The current code lists it as a 'rootkit component', so there should be other parts of the rootkit tested too. Hence we could remove just this test, but I'll leave that to unSpawn to decide.

I have F17 alpha installed, and will test with RKH.

You can whitelist rootkit files (RTKT_FILE_WHITELIST), so doing that should work. It is not, obviously, recommended though.

John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
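
A triage sketch for the false positive discussed in this thread, added here as an example and not part of the original message or of rkhunter itself: it reports whether a flagged path such as /lib/java exists only because its top-level directory is a symlink. The function name `classify_hit` and its root argument are hypothetical, and the helper assumes the top-level symlink target contains no `..` components.

```shell
#!/bin/sh
# Added example: decide whether a flagged path is reached through a
# symlinked top-level directory (the Fedora 17 /lib -> usr/lib case).
# classify_hit ROOT PATH
#   ROOT  filesystem root to inspect ("" for the live system); hypothetical
#         parameter so the logic can be exercised on a scratch tree
#   PATH  absolute path the scanner reported, e.g. /lib/java
# Prints one of: absent | direct | alias:<resolved path>
classify_hit() {
    root=${1%/}
    flagged=$2

    # Split "/lib/java" into top="/lib" and rest="/java".
    top=/$(printf '%s' "${flagged#/}" | cut -d/ -f1)
    rest=${flagged#"$top"}

    # Nothing at that path at all: no finding to triage.
    if [ ! -e "$root$flagged" ] && [ ! -L "$root$flagged" ]; then
        echo "absent"
        return 0
    fi

    if [ -L "$root$top" ]; then
        # Top-level directory is a symlink: report where the hit really lives.
        target=$(readlink "$root$top")
        case $target in
            /*) real=$target$rest ;;          # absolute link target
            *)  real=/${target#./}$rest ;;    # relative to / (e.g. usr/lib)
        esac
        echo "alias:$real"
    else
        # Real directory under the top level: treat as a genuine hit.
        echo "direct"
    fi
}

# Run against the live system when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    classify_hit "" "$1"
fi
```

An `alias:` result only says where the file really lives; confirm the resolved path belongs to an installed package (for example with `rpm -qf`) before adding a whitelist entry.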