Thread: rkhunter and /dev/.initramfs

  1. #1
    Join Date
    Jun 2007

    rkhunter and /dev/.initramfs

    Problem :
    Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

    Solution :
    On Ubuntu 12.04 with Rootkit Hunter 1.3.8 :
    Edit : /etc/rkhunter.conf
    Add : ALLOWHIDDENFILE=/dev/.initramfs
    Edit : /usr/bin/rkhunter
    Add before line 847 between [then] and [case "${OPT_NAME}" in] : test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

    Execute : rkhunter --propupd

    Result :
    No false positive on the next run.
    Last edited by funkyhead; November 22nd, 2012 at 12:28 PM.

  2. #2
    Join Date
    Oct 2013

    Re: rkhunter and /dev/.initramfs

    Thanks, it works fine !

    But knowing a few things about scripting I still don't really understand the :
    test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && continue

    Could you please explain a little more ?

    Edit :

    Sorry, with a "man test" it's ok :s

    Let's explain for other people :
    -a is for both conditions true
    1st one is the option is "ALLOWHIDDENFILE"
    2nd one, -h = the filename exists and is a symbolic link (same as -L)
    Last edited by storm-coder; October 1st, 2013 at 04:29 PM.
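
The guard explained above, exercised on a throwaway directory (an added example, not part of the original posts and not rkhunter's own code). The functions `guard_skips`, `classify_entries` and `make_sandbox`, the temp-directory layout and the loop are hypothetical stand-ins; the `test` expression is the one from the thread. It also shows that `-h` is true for a symlink whose target is missing, because `test -h` does not follow the link.

```shell
#!/bin/sh
# Added example: constructed sandbox and stand-in loop, not rkhunter's code.

# Same expression as the guard in the post.
# Returns 0 when the patched loop would `continue` for this entry.
guard_skips() {
    OPT_NAME=$1
    FNAME=$2
    test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}"
}

# Hypothetical stand-in for a loop over "OPTION path" pairs.
# Prints "skipped <path>" when the guard fires, "checked <path>" otherwise.
classify_entries() {
    while read -r OPT_NAME FNAME; do
        test "${OPT_NAME}" = "ALLOWHIDDENFILE" -a -h "${FNAME}" && {
            echo "skipped ${FNAME}"
            continue
        }
        echo "checked ${FNAME}"
    done
}

# Build a constructed directory with the three interesting cases.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/target"
    ln -s "$d/target" "$d/.initramfs"   # symlink, like /dev/.initramfs -> /run/initramfs
    : > "$d/.regular"                   # ordinary hidden file, not a symlink
    ln -s "$d/missing" "$d/.dangling"   # symlink whose target does not exist
    echo "$d"
}

# Demo run: only ALLOWHIDDENFILE entries that are symlinks are skipped.
d=$(make_sandbox)
printf '%s\n' \
    "ALLOWHIDDENFILE $d/.initramfs" \
    "ALLOWHIDDENFILE $d/.regular" \
    "ALLOWHIDDENFILE $d/.dangling" \
    "ALLOWHIDDENDIR $d/.initramfs" | classify_entries
rm -rf "$d"
```
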

