Thread: [SOLVED] Rkhunter issued some warnings... what to do?

  1. #1
    Join Date
    Mar 2007
    Location
    Villenave d'Ornon, France
    Beans
    1,016

    [SOLVED] Rkhunter issued some warnings... what to do?

    Hello,

    I just ran rkhunter -c with the latest update and it returned some warnings:

    [17:13:09] Checking /dev for suspicious file types [ Warning ]
    [17:13:09] Warning: Suspicious file types found in /dev:
    [17:13:09] /dev/shm/pulse-shm-431927995: data
    [17:13:09] Checking for hidden files and directories [ Warning ]
    [17:13:09] Warning: Hidden directory found: /etc/.java
    [17:13:09] Warning: Hidden directory found: /dev/.static
    [17:13:09] Warning: Hidden directory found: /dev/.udev
    [17:13:09] Warning: Hidden directory found: /dev/.initramfs
    My question is: what can I do from there to set the system straight?
    Desktop : iMac 21.5" (2011) Core i5 Sandy Bridge - AMD Radeon HD 6750M - 8Gb RAM - OS X 10.8.3 Mountain Lion
    Laptop : EasyNote TS 44HR (2012) - Core i3 Sandy Bridge - Intel HD3000 - 4Gb RAM - elementary OS 0.2 + Windows 7 Home Premium SP1

  2. #2
    Join Date
    Nov 2005
    Location
    NEK Vermont
    Beans
    Hidden!
    Distro
    Ubuntu UNR

    Re: Rkhunter issued some warnings... what to do?

    Doesn't appear to be a problem. Just Rkhunter unaware of certain files in Ubuntu.

    https://lists.sourceforge.net/lists/...rkhunter-users
    * If you get warnings about hidden files or applications you have verified are trusted: please check rkhunter.conf for whitelisting options.
    Last edited by spiderbatdad; April 29th, 2008 at 10:30 PM.

  3. #3
    Join Date
    Mar 2007
    Location
    Villenave d'Ornon, France
    Beans
    1,016
    Thank you spiderbatdad. From the website you gave me:

    If you get warnings about hidden files or applications you have verified are trusted: please check rkhunter.conf for whitelisting options.
    My problem is that I don't know if I can "trust" the apps with the warning flags. And I don't want to white-list some potential danger. How would I know???
    Last edited by the8thstar; April 29th, 2008 at 10:48 PM.

  4. #4
    Join Date
    Sep 2007
    Location
    EU
    Beans
    224
    Distro
    Ubuntu Development Release

    Re: Rkhunter issued some warnings... what to do?

    Quote Originally Posted by the8thstar:
    Thank you spiderbatdad. From the website you gave me:

    My problem is that I don't know if I can "trust" the apps with the warning flags. And I don't want to white-list some potential danger. How would I know???
    I have used Ubuntu for more than a year and I never had a single problem, even though I've white-listed

    /etc/.java
    /dev/.static
    /dev/.udev
    /dev/.initramfs

    But this time another warning comes to me, and it comes after the fresh install of Hardy.

    /dev/shm/pulse-shm-3801237314

    I don't know what it is exactly, but as it comes from the fresh install, before even first connecting to the internet, I thought it was a problem with the rkhunter database. So I've tried to clean that warning with the command

    $ sudo rkhunter --propupdate

    It doesn't work and it still comes back, again and again. Don't know what to do. The idea came to me once to reinstall 7.10, but then, I don't have really important things to hide on my computer and I love the new features in Hardy. Some day, somebody will surely fix this. It's up to you now: if you have really important things on your computer or if what you do with it is top secret, don't install any non-open-source package and try Debian. Otherwise keep Ubuntu Hardy for great multimedia features, reasonable security, ease of use, and learn how to secure it.
    Cheers man.

  5. #5
    Join Date
    Sep 2007
    Location
    EU
    Beans
    224
    Distro
    Ubuntu Development Release

    Re: Rkhunter issued some warnings... what to do?

    Now first!

    What is /dev/shm and its practical usage

    /dev/shm is nothing but an implementation of the traditional shared memory concept. It is an efficient means of passing data between programs. One program will create a memory portion, which other processes (if permitted) can access. This will result in speeding things up on Linux.

    shm / shmfs is also known as tmpfs, which is a common name for a temporary file storage facility on many Unix-like operating systems. It is intended to appear as a mounted file system, but one which uses virtual memory instead of a persistent storage device.

    If you type the mount command you will see /dev/shm as a tmpfs file system. Therefore, it is a file system which keeps all files in virtual memory. Everything in tmpfs is temporary in the sense that no files will be created on your hard drive. If you unmount a tmpfs instance, everything stored therein is lost. By default almost all Linux distros are configured to use /dev/shm.

    Nevertheless, where can I use /dev/shm?

    You can use /dev/shm to improve the performance of application software or overall Linux system performance. On a heavily loaded system, it can make tons of difference. For example VMware workstation/server can be optimized to improve your Linux host's performance (i.e. improve the performance of your virtual machines).

    Rkhunter warning

    It seems to me /dev/shm/pulse-shm-0123456789, or whatever number, is not dangerous for the system. On the contrary, it's advantageous, and I suppose that's the reason why it comes in the default installation of Ubuntu (Hardy).

    How to configure rkhunter to avoid that warning?

    I don't know, as the /dev/shm/pulse-shm-0123456789 file changes on every reboot. One could tell the rkhunter config file that /dev/shm/pulse-shm-0123456789 is not dangerous for the system by adding this line:

    # Allow the specified files to be present in the /dev directory and not
    # regarded as a suspicious file. One file per line (use multiple
    # ALLOWDEVFILE lines), wildcards accepted.
    #
    #ALLOWDEVFILE=/dev/abc
    ALLOWDEVFILE=/dev/shm/pulse-shm-2964075512

    But this will stop the warning just until the system reboots. The number at the end of the pulse-shm file changes on every start and is unpredictable.

    Conclusion

    Actually, I don't see how to definitely disable the rkhunter warning for /dev/shm/pulse-shm, and I hope the people who work on rkhunter development will fix this soon. Also I presume Gutsy Ubuntu needs this and that's why it comes by default on a fresh install. So don't unmount it and don't touch it at all.

    Warning

    I am not a security expert and you should consider this explanation at your own risk. In any case I'll not be responsible for data loss or security holes in your system because of this post!!!
    Last edited by pedja_portugalac; May 8th, 2008 at 05:56 AM.

  6. #6
    Join Date
    Jun 2006
    Beans
    156
    Distro
    Kubuntu 8.10 Intrepid Ibex

    Re: Rkhunter issued some warnings... what to do?

    Quote Originally Posted by pedja_portugalac:
    But this will stop the warning just until the system reboots. The number at the end of the pulse-shm file changes on every start and is unpredictable.
    If I understand the config file correctly, it says you're allowed to use wildcard characters. So you could add /dev/pulse-shm-* I assume.

  7. #7
    Join Date
    Jun 2008
    Beans
    11

    Re: Rkhunter issued some warnings... what to do?

    Quote Originally Posted by kwilliam:
    If I understand the config file correctly, it says you're allowed to use wildcard characters. So you could add /dev/pulse-shm-* I assume.
    I just tested this, and it works indeed like a charm.

    Thanks to everyone for the info.
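Added example (my own, not code from any poster or from rkhunter) for the whitelisting discussed in posts #5 to #7: assuming an ALLOWDEVFILE wildcard matches like a shell glob, this script shows which entries of a constructed /dev/shm listing a given pattern would silence, so you can check the scope of a whitelist line before it goes into rkhunter.conf. The pulse-shm numbers and the unknown-blob entry are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: emulate an rkhunter ALLOWDEVFILE
# whitelist against a constructed list of /dev entries so you can see
# which paths a pattern silences BEFORE editing rkhunter.conf.
# Assumption: "wildcards accepted" means shell-glob matching (case).

# Constructed sample of what the /dev check might report; the number
# after pulse-shm- is different on every boot.
SAMPLE_DEV_FILES='/dev/shm/pulse-shm-431927995
/dev/shm/pulse-shm-3801237314
/dev/shm/unknown-blob'

# matches_pattern PATTERN PATH: succeeds when PATH matches glob PATTERN.
matches_pattern() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# still_flagged PATTERN...: print the sample paths no pattern covers,
# i.e. the warnings rkhunter would still raise with those whitelist lines.
still_flagged() {
    printf '%s\n' "$SAMPLE_DEV_FILES" | while IFS= read -r path; do
        covered=no
        for pat in "$@"; do
            if matches_pattern "$pat" "$path"; then
                covered=yes
                break
            fi
        done
        if [ "$covered" = no ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Demo: a pattern without the shm/ directory matches nothing here; the
# pattern with it covers only the PulseAudio segments regardless of the
# per-boot number; a bare /dev/shm/* also hides the unknown file, which
# is the over-broad whitelist to avoid.
echo '--- /dev/pulse-shm-* still flags:';     still_flagged '/dev/pulse-shm-*'
echo '--- /dev/shm/pulse-shm-* still flags:'; still_flagged '/dev/shm/pulse-shm-*'
echo '--- /dev/shm/* still flags:';           still_flagged '/dev/shm/*'
```

Run it with sh or bash; only the pattern that keeps the shm/ path component and the pulse-shm- prefix leaves the unknown file visible while silencing the per-boot PulseAudio names.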
