2

I'm getting a set of warnings via rkhunter that I can't seem to suppress using ALLOWDEVFILE. Here's a piece of what gets flagged:

Checking /dev for suspicious file types         [ Warning ]
Warning: Suspicious file types found in /dev:
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty7: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty6: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty5: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty4: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty3: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty2: ASCII text

I've tried all the following techniques (with and without quotes):

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8"

ALLOWDEVFILE = "/dev/.udev/db/\\x2fdevices\\x2fvirtual\\x2ftty\\x2ftty8"

Wildcards don't seem to work, either:

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\*"

There seems to be some issue with the backslashes in the filenames as even normal tab autocomplete of filenames won't work from the command line. Any ideas on how to get rkhunter to stop throwing warnings and constantly emailing me for this set of files?

5 Answers

2

Ditch the quotes:

ALLOWDEVFILE = /dev/.udev/db/*
ek9
  • 2,131
1

To suppress the rkhunter warning, you can add a whitelist rule to /etc/rkhunter.conf.local:

ALLOWDEVFILE=/dev/.udev/rules.d/root.rules

TBI Infotech
  • 1,594
0

rkhunter is still around, but the whitelist is not working as expected.
With version 1.4.6, I needed to list each device to be ignored explicitly; wildcards are not working.
In /etc/rkhunter.conf there is an example:
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
but this is not working.

I had to use a command like:

 grep '^\[..:..:..\][[:blank:]]\{6\}.*/dev/shm/.*:' /var/log/rkhunter.log |\
      awk '{print "ALLOWDEVFILE="$2}' | sed -e 's/:$//g' | tee tmp-whitelist

in order to get clean output for every existing file, like:
ALLOWDEVFILE=/dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data
Then copy every single line into /etc/rkhunter.conf.

This is doable when it is only one server, not nice when there are many servers.

frank_108
  • 111
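The same log-to-whitelist conversion as a reusable shell function, added here as an example and not part of the answer above. It assumes the log line layout shown on this page (a `[HH:MM:SS]` timestamp, blanks, the `/dev/...` path, then `: <file type>`), works on a constructed sample log rather than the real /var/log/rkhunter.log, and also keeps the literal `\x2f` sequences from the question's udev paths intact:

```shell
#!/bin/sh
# Added example: build ALLOWDEVFILE= entries from rkhunter's "suspicious file
# types found in /dev" log lines. Assumed line shape (as seen on this page):
#   [17:21:26]          /dev/shm/foo: ASCII text
# Paths are captured up to the LAST colon, so the ": <type>" suffix is dropped
# even when the path itself contains a colon.

# Constructed sample log standing in for /var/log/rkhunter.log. It mixes Info
# lines, the warning header, a duplicate entry and a udev path with \x2f.
SAMPLE_LOG='[17:21:25] Info: SCAN_MODE_DEV set to '"'"'THOROUGH'"'"'
[17:21:26] Warning: Suspicious file types found in /dev:
[17:21:26]          /dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data: data
[17:21:26]          /dev/shm/sem.netdata_sem_cgroup_ebpf: ASCII text
[17:21:26]          /dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8: ASCII text
[17:21:26]          /dev/shm/qb-15527-19288-18-fDXy5h/qb-event-pve2-data: data
[17:21:27] Info: Found file '"'"'/dev/shm/zm.mmap.0'"'"': it is whitelisted.'

# Read log text on stdin, print one ALLOWDEVFILE= line per distinct path.
# Only lines whose first token after the timestamp starts with /dev/ match,
# so "Info:" and "Warning:" lines are skipped. LC_ALL=C makes the ordering
# byte-wise and stable regardless of the host locale.
rkhunter_dev_whitelist() {
    sed -n 's/^\[[0-9:]*\][[:blank:]]\{1,\}\(\/dev\/[^[:space:]].*\):[^:]*$/ALLOWDEVFILE=\1/p' |
        LC_ALL=C sort -u
}

# Number of whitelist entries the sample log yields (duplicates collapsed).
count_entries() {
    printf '%s\n' "$SAMPLE_LOG" | rkhunter_dev_whitelist | wc -l | tr -d ' '
}

# Usage: print the entries; append them to /etc/rkhunter.conf.local yourself
# after reviewing each one (rkhunter does not take a second file argument).
printf '%s\n' "$SAMPLE_LOG" | rkhunter_dev_whitelist
```

Feed the real log with `rkhunter_dev_whitelist < /var/log/rkhunter.log` once you have checked that the paths are the ones you expect to see in /dev.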
0

Tested on Rootkit Hunter 1.4.6 on Ubuntu 18.04.6 LTS

ALLOWDEVFILE with wildcards works as advertised in the help.

In my case, setting:

ALLOWDEVFILE=/dev/shm/sem.netdata*
ALLOWDEVFILE=/dev/shm/netdata_shm*

on /etc/rkhunter.log effectively whitelists the files as the log generated shows:

[17:21:25] Info: SCAN_MODE_DEV set to 'THOROUGH'

[17:21:25] Info: Found file '/dev/shm/sem.netdata_sem_cgroup_ebpf': it is whitelisted.

[17:21:25] Info: Found file '/dev/shm/netdata_shm_cgroup_ebpf': it is whitelisted.

0
ALLOWDEVFILE=/dev/shm/zm.mmap*

/etc/rkhunter.conf does not like spaces; wildcards work, though.