[SOLVED] rkhunter and /dev/.initramfs [Archive]

View Full Version : [SOLVED] rkhunter and /dev/.initramfs

funkyhead

November 22nd, 2012, 12:25 PM

Problem :
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

Solution :
On Unbuntu 12.04 with Rootkit Hunter 1.3.8 :
Edit : /etc/rkhunter.conf
Add : ALLOWHIDDENFILE=/dev/.initramfs
Edit : /usr/bin/rkhunter
Add before line 847 between [then] and [case "${OPT_NAME}" in] : test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

Execute : rkhunter --propupd

Result :
No false positive on the next run.

storm-coder

October 1st, 2013, 03:55 PM

Thanks, it works fine !

But knowing a few things about scripting I still dont really understand the :
test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

Could you please explain a little more ?

Edit :

Sorry, with a "man test" it's ok :s

Let's explain for other peopple :
-a is for both conditions true
1st one is the option is "ALLOWHIDDENFILE"
2nd one, -h = the filename exists an is a symbolic link (same as -L)