
I'm getting a set of warnings via rkhunter that I can't seem to suppress using ALLOWDEVFILE. Here's a piece of what gets flagged:

Checking /dev for suspicious file types         [ Warning ]
Warning: Suspicious file types found in /dev:
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty7: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty6: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty5: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty4: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty3: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty2: ASCII text

I've tried all the following techniques (with and without quotes):

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8"

ALLOWDEVFILE = "/dev/.udev/db/\\x2fdevices\\x2fvirtual\\x2ftty\\x2ftty8"

Wildcards don't seem to work, either:

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\*"

There seems to be some issue with the backslashes in the filenames as even normal tab autocomplete of filenames won't work from the command line. Any ideas on how to get rkhunter to stop throwing warnings and constantly emailing me for this set of files?

AvatarKava
    What version of rkhunter are you using? Make sure you do not have multiple copies of rkhunter installed. I've seen issues when you install from RPM and source and you end up with different configuration files. Check /usr/local/etc and /etc/ for config files. – jeffatrackaid Jun 25 '14 at 19:15
  • Nothing in /usr/local/etc. I'm using 1.4.0, which is the most recent package in ubuntu trusty 14.04 right now. It's possible I could find a PPA to grab, but I didn't see anything in 1.4.2 (can't find 1.4.1 release notes) that would solve the issue, either. – AvatarKava Jun 25 '14 at 21:14
  • Have a look into rkhunter.log for "Info: Using configuration file '/path/to/rkhunter.conf'" to make sure you are editing the active config file. – hellcode Jul 01 '14 at 08:44
  • Yes, path is correct - the rest of the config parameters work, just not the ignore for these weirdly-escaped filenames. – AvatarKava Jul 02 '14 at 13:08

4 Answers


Ditch the quotes:

ALLOWDEVFILE = /dev/.udev/db/*
phoops

To suppress the rkhunter warning, you can add a whitelist rule to /etc/rkhunter.conf.local:

ALLOWDEVFILE=/dev/.udev/rules.d/root.rules

TBI Infotech

rkhunter is still around, but the whitelist is not working as expected.
With version 1.4.6, I needed to list each device to be ignored explicitly; wildcards are not working.
In /etc/rkhunter.conf there is an example:
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
but this is not working.

I had to use a command like:

 grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' /var/log/rkhunter.log |\
      awk '{print "ALLOWDEVFILE="$2}' | sed -e 's/:$//g' | tee tmp-whitelist

in order to get a clean output for every existing file, like:
ALLOWDEVFILE=/dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data
Then copy every single line into /etc/rkhunter.conf.

This is doable when it is only one server, not nice when there are many servers.

frank_108
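As an added example, not from any of the answers above, here is a small POSIX shell script that automates the log-to-whitelist step: it reads the indented path lines of an rkhunter log, strips the trailing colon, removes duplicates and emits unquoted ALLOWDEVFILE= entries, leaving the `\x2f` escapes from the original question intact. The log excerpt is constructed to match the line format the grep above expects, and the `make_sample_log` / `gen_allowdevfile` names are my own.

```shell
#!/bin/sh
# Added example (not from the answers above): build ALLOWDEVFILE lines from the
# "suspicious file types found in /dev" entries of an rkhunter log. The log
# excerpt, the temp-file layout and the function names are my own assumptions,
# modelled on the line format the grep in the answer above expects.

# Write a constructed sample log to the path given as $1 (hypothetical content).
make_sample_log() {
  cat > "$1" <<'EOF'
[17:21:25] Info: SCAN_MODE_DEV set to 'THOROUGH'
[17:21:25] Checking /dev for suspicious file types         [ Warning ]
[17:21:25] Warning: Suspicious file types found in /dev:
[17:21:25]          /dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data: ASCII text
[17:21:25]          /dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data: ASCII text
[17:21:25]          /dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8: ASCII text
[17:21:25] Info: Found file '/dev/shm/netdata_shm_cgroup_ebpf': it is whitelisted.
EOF
}

# Emit one unquoted ALLOWDEVFILE= line per distinct flagged path that starts
# with $2, reading the log at $1. Only the indented path lines match (six or
# more blanks after the timestamp), so Info/Checking lines are skipped; the
# "\x2f" escapes in udev names pass through untouched (single backslashes, no
# quotes), which is what the accepted answer says rkhunter needs. Paths with
# spaces would split on the awk field boundary; /dev names normally have none.
gen_allowdevfile() {
  grep '^\[..:..:..\][[:blank:]]\{6\}[[:blank:]]*'"$2" "$1" \
    | awk '{ print $2 }' \
    | sed -e 's/:$//' \
    | sort -u \
    | sed -e 's/^/ALLOWDEVFILE=/'
}

# Demo on the constructed log; in practice point it at /var/log/rkhunter.log
# and keep the prefix narrow: a blanket /dev/shm/* silences the check entirely.
demo_log=$(mktemp)
make_sample_log "$demo_log"
gen_allowdevfile "$demo_log" /dev/shm/
rm -f "$demo_log"
```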

Tested on Rootkit Hunter 1.4.6 on Ubuntu 18.04.6 LTS

ALLOWDEVFILE with wildcards works as advertised in the help.

In my case, setting:

ALLOWDEVFILE=/dev/shm/sem.netdata*
ALLOWDEVFILE=/dev/shm/netdata_shm*

on /etc/rkhunter.log effectively whitelists the files as the log generated shows:

[17:21:25] Info: SCAN_MODE_DEV set to 'THOROUGH'
[17:21:25] Info: Found file '/dev/shm/sem.netdata_sem_cgroup_ebpf': it is whitelisted.
[17:21:25] Info: Found file '/dev/shm/netdata_shm_cgroup_ebpf': it is whitelisted.