Sunday, July 23, 2017

Rkhunter Warnings Received and Investigated

I received my rkhunter warning email moments ago. Two in fact, namely, a
suspicious shared memory file and a suspicious hidden file. After
googling the subjects I'm convinced they are false positives. With a
name like /usr/lib/thunderbird/thunderbird it should be obvious that my
email program is sharing memory files with other processes for more
efficient use of memory. The other one is named /dev/shm/mono.xxxxx: data.

The two files I have to check out are /var/log/rkhunter.log, of course,
and /etc/rkhunter.conf.

In /etc/rkhunter.conf which I opened in vim, I added a line such as:
ALLOWIPCPROC=/usr/lib/thunderbird/thunderbird

and

ALLOWHIDDENFILE=/dev/shm/mono.*

This is to whitelist this file and process. I hope rkhunter won't freak
out if it encounters these anymore.
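
An added example, not part of the original post: a small Python check that reads the two allowlist lines shown above and reports which flagged paths they cover and which entries are wildcards worth a second look. The function names, the sample path /dev/shm/mono.12345, and the use of fnmatch to approximate rkhunter's wildcard handling are assumptions made for illustration.

```python
import fnmatch

# Constructed excerpt mirroring the two entries described in the post.
SAMPLE_CONF = """\
# /etc/rkhunter.conf (excerpt, constructed for this example)
ALLOWIPCPROC=/usr/lib/thunderbird/thunderbird
ALLOWHIDDENFILE=/dev/shm/mono.*
"""

# Only the two options discussed in the post are inspected.
ALLOW_OPTIONS = ("ALLOWIPCPROC", "ALLOWHIDDENFILE")


def parse_allow_entries(conf_text):
    """Return {option: [patterns]} for the allowlist options in conf_text."""
    entries = {opt: [] for opt in ALLOW_OPTIONS}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() in entries:
            # Split on whitespace in case several values share one line.
            entries[key.strip()].extend(value.strip().strip('"').split())
    return entries


def covering_entry(entries, option, path):
    """Return the first pattern under `option` that matches `path`, else None.

    Assumption: fnmatch stands in for rkhunter's shell-style wildcards.
    """
    for pattern in entries.get(option, []):
        if fnmatch.fnmatchcase(path, pattern):
            return pattern
    return None


def wildcard_entries(entries):
    """List (option, pattern) pairs that allow more than one exact path."""
    return [(opt, pat) for opt, pats in entries.items()
            for pat in pats if any(ch in pat for ch in "*?[")]


if __name__ == "__main__":
    allow = parse_allow_entries(SAMPLE_CONF)
    # /dev/shm/mono.12345 is a constructed stand-in for the flagged file name.
    print(covering_entry(allow, "ALLOWHIDDENFILE", "/dev/shm/mono.12345"))
    print(wildcard_entries(allow))
```

Because /dev/shm is normally writable by every local user, a wildcard entry there silences the warning for any file matching the pattern, not only the ones mono creates.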