Thread: rkhunter : false positives??

  1. #1

    rkhunter : false positives??

    Dear Forum

    - I have just updated to openSUSE 11.4 [64 bit];

    rkhunter is giving these Warnings :

    Warning: User 'rtkit' has been added to the passwd file.
    Warning: User 'pulse' has been added to the passwd file.
    Warning: User 'statd' has been added to the passwd file.
    Warning: Changes found in the group file for group 'audio':
    User 'pulse' has been added to the group
    Warning: Group 'rtkit' has been added to the group file.
    Warning: Group 'pulse' has been added to the group file.
    Warning: Group 'pulse-access' has been added to the group file.
    Warning: Suspicious file types found in /dev:
    /dev/shm/initrd_exports.sh: ASCII text
    Warning: Hidden directory found: /dev/.sysconfig
    Warning: Hidden directory found: /dev/.mount

    Do these look Normal, Are these False-Positives??

    or

    Is there a Problem ??

    thanks
    best regards
    Anna

  2. #2

    Re: rkhunter : false positives??

    Since rkhunter is merely comparing previous system values to current, from your post it appears that packages related to pulseaudio were installed during the update and the appropriate changes made to your system (pulseaudio, rtkit, etc).

    If you agree, and feel comfortable that these changes are legitimate (I believe they are), in a terminal:

    #su root
    *password*
    #rkhunter --propupd

    wait till it completes gathering the new values, then exit.

    This should eliminate all the warnings except the hidden files related to the /dev folder. This is a bit harder to advise about; some programs will temporarily create files there, so they only show up occasionally and disappear with the next reboot.

    So, reboot your machine and run rkhunter from the command line as root. If some hidden files still show up as warnings, you should post back here. If they are now part of your system, you will have to make the appropriate entries in /etc/rkhunter.config.local to suppress the warnings.

    hope this helps
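
Added example, not part of any post in this thread: a shell sketch that triages rkhunter warnings of the kind quoted in the first post into accounts to verify by hand and candidate whitelist lines for rkhunter's local configuration file. The sample log is constructed from those warnings, the function names are hypothetical, and `ALLOWHIDDENDIR` / `ALLOWDEVFILE` are rkhunter's whitelist options.

```shell
#!/bin/sh
# Constructed sample input: the warnings quoted in post #1.
sample_log() {
cat <<'EOF'
Warning: User 'rtkit' has been added to the passwd file.
Warning: User 'pulse' has been added to the passwd file.
Warning: User 'statd' has been added to the passwd file.
Warning: Changes found in the group file for group 'audio':
User 'pulse' has been added to the group
Warning: Group 'rtkit' has been added to the group file.
Warning: Group 'pulse' has been added to the group file.
Warning: Group 'pulse-access' has been added to the group file.
Warning: Suspicious file types found in /dev:
/dev/shm/initrd_exports.sh: ASCII text
Warning: Hidden directory found: /dev/.sysconfig
Warning: Hidden directory found: /dev/.mount
EOF
}

# Print the names rkhunter reports as newly added. $1 is "User" or "Group".
# Leading text (e.g. a log timestamp) before "Warning:" is tolerated.
new_accounts() {
    sed -n "s/^.*Warning: $1 '\([^']*\)' has been added to the .* file\.\$/\1/p"
}

# Turn /dev findings into candidate whitelist lines. These are suggestions
# to review after a reboot, not entries to paste in blindly.
whitelist_candidates() {
    sed -n \
        -e 's|^.*Hidden directory found: \(/dev/[^ ]*\)$|ALLOWHIDDENDIR=\1|p' \
        -e 's|^[^/]*\(/dev/[^:]*\): .*$|ALLOWDEVFILE=\1|p'
}

# Read warnings on stdin; show each new user's passwd entry (uid, home,
# login shell) so a login-capable account stands out, then the candidates.
triage() {
    log=$(cat)
    for u in $(printf '%s\n' "$log" | new_accounts User); do
        entry=$(getent passwd "$u" 2>/dev/null || echo 'no such account')
        printf 'verify user %s: %s\n' "$u" "$entry"
    done
    printf '%s\n' "$log" | whitelist_candidates
}

# Example: sample_log | triage
```

Only accept the new baseline or add whitelist lines once each account and path has been traced to an installed package or a documented system script.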

  3. #3

    Re: rkhunter : false positives??

    Dear j_xavier

    - very many thanks

    best regards
    Anna

  4. #4

    Re: rkhunter : false positives??

    just one question:

    why is the file in /dev and what does it do here anyway?

  5. #5

    Re: rkhunter : false positives??

    Originally posted by l1zard:
    just one question:
    why is the file in /dev and what does it do here anyway?

    Hi
    See here: "Commit in sysconfig in openSUSE - Gitorious" and here:
    https://bugzilla.novell.com/show_bug.cgi?id=335486
    Cheers Malcolm
