On Sun, 01 Apr 2012 02:15:49 +0200 John Horne <john.ho...@plymouth.ac.uk> wrote:

>On Sat, 2012-03-31 at 17:08 -0600, Kevin Fenzi wrote:
>> It would be nice if it could see if /lib is a link and bypass this
>> test? Or if there was a way to whitelist this in config (currently
>> there isn't).
>>
>Tis very late - gone 1am here - so off the top of my head...
>
>It may be that only this one test is causing a problem, but I would
>rather not make any specific checks just for it but for all similar
>tests. In fact I'm a bit surprised if this is the only one that gets a
>warning :-) The current code lists it as a 'rootkit component', so there
>should be other parts of the rootkit tested too. Hence we could remove
>just this test, but I'll leave that to unSpawn to decide.

Sorry, bit slow here. Indeed it's a decidedly weak check on its own. I agree it would be better to test for symlinks before running other checks. I'll have a go at it.

Cheers,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users