
I am running a webserver and am saving PHP sessions to /dev/shm -- rkhunter is flagging the session files:

Warning: Suspicious file types found in /dev:

/dev/shm/sess_eir6fi80ld0bs3ejsjvgkjiuc4: ASCII text, with no line terminators
/dev/shm/sess_73v97tg98bd9jckbiovruclhb5: ASCII text, with no line terminators
/dev/shm/sess_f1aglts90oqksrc82eg4lc5i27: ASCII text, with no line terminators
/dev/shm/sess_a5hot1l1eehonnqa5i025mtu10: ASCII text, with no line terminators

I have tried the following ALLOWDEVFILE directives in /etc/rkhunter.conf, but none of them seem to work:

ALLOWDEVFILE=/dev/shm/sess_*

ALLOWDEVFILE="/dev/shm/sess_*"

rkhunter still flags all sess_* files. Anyone know a solution?

Roman
Schmoove

1 Answer


You must use the EXISTWHITELIST directive rather than ALLOWDEVFILE, which is for whitelisting files in /dev.

Roman
  • Using EXISTWHITELIST=/dev/shm/sess_* did not help and also not with quotes. I have rkhunter v1.3.6 on a Debian Squeeze box. – Schmoove Oct 04 '13 at 10:41