Another rkhunter question
Gene Heskett
gene.heskett at verizon.net
Sun May 17 17:41:28 UTC 2009
On Sunday 17 May 2009, John Horne wrote:
>On Sun, 2009-05-17 at 09:35 -0400, Gene Heskett wrote:
>> Greetings all;
>>
>> What is /dev/shm?
>>
>> I've given up on rkhunter ever shutting up about the group and passwd
>> files,
>
>What is it saying about the files? If necessary disable the relevant
>passwd/group tests (use 'rkhunter --list test' to see the test names).
I would rather not; I would rather rkhunter's bug was fixed. I have also
copied those files manually into rkhunter's db, but that made no difference.
From an email from rkhunter:
Warning: Unable to check for passwd file differences: no copy of the passwd
file exists.
Warning: Unable to check for group file differences: no copy of the group file
exists.
-------------------
But they do exist:
[root at coyote ~]# locate group|grep rkhunter
/var/lib/rkhunter/db/group
/var/lib/rkhunter/tmp/group
/var/run/rkhunter/group
[root at coyote ~]# locate passwd|grep rkhunter
/var/lib/rkhunter/db/passwd
/var/lib/rkhunter/tmp/passwd
/var/run/rkhunter/passwd
I'd druther rkhunter was fixed. --propupd, which is supposed to record the
system's 'clean' state if I understand it correctly, doesn't fix this.
>> but fussing about this is new.
>> ---------------------- Start Rootkit Hunter Scan ----------------------
>> Warning: Suspicious file types found in /dev:
>> /dev/shm/sem.ADBE_REL_root: data
>> /dev/shm/sem.ADBE_WritePrefs_root: data
>> /dev/shm/sem.ADBE_ReadPrefs_root: data
>
>Items in /dev/shm that are genuine can be whitelisted in rkhunter.conf.
>There is an example of the pulse file whitelisted in the supplied
>rkhunter.conf file. It is easy enough to do the same for the ADBE files.
>No need to remove any packages.
I realize that, John, and thank you for the reply, but that doesn't tell me IF
they are _genuine_ or what the heck they are doing.
And considering that most files in /dev don't get out of the inode they were
created on, what the heck is a 67+ megabyte file full of $00 named
pulse-some-hash-number being used for? If there was data in it, I maybe could
see it had a use, but if I wanted 67+ megabytes of /dev/zero for something, I'd
call dd and make it. So would most programmers, except I'd sure pick some place
besides /dev to store it.
I did find out who owns /dev/shm, though: it's kded4, and even with X stopped,
or a fresh reboot to runlevel 3, /dev/shm can be emptied but cannot be
deleted, as it's 'busy'. So I suppose the other files will reappear at some
point in the course of my daily activities.
What are the ADBE files? They actually do contain data, but only in the first
2-3 bytes of the 16 they occupy, the rest are $00.
IMO this is stuff that probably belongs in /tmp, and it makes me nervous when
some app decides to use just any old location where a rootkit might hide for
67+ megabytes of /dev/zero. Boggles the mind. FWIW, since I posted this
originally, I attempted to remove the shm stuff (crypto related?? damnifiknow)
from the kernel, and the boot locks up at the end of the drive scan.
Repeatedly.
Thanks John
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sweater, n.:
A garment worn by a child when its mother feels chilly.
More information about the fedora-list mailing list
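The thread ends with two practical questions: what the flagged files under /dev/shm actually hold, and how to whitelist the genuine ones. The script below is an added example, not part of the thread and not rkhunter's own code. It does by script what Gene did by hand: for every regular file in a directory it reports the size, how many bytes are not NUL, and (when fuser is installed) which process has it open, and it emits ALLOWDEVFILE lines for rkhunter.conf, collapsing a trailing run of hex digits (the pulse-shm-<hash> case) into a wildcard. ALLOWDEVFILE is the rkhunter.conf directive for whitelisting files under /dev; check the copy of rkhunter.conf shipped with your version for the exact form of the pulse entry John mentions. The directory argument, the file names and the output format are assumptions made for illustration. One fact worth knowing when reading the report: on Linux, glibc backs POSIX named semaphores (sem_open) with small files named /dev/shm/sem.<name>, which is what the sem.ADBE_* entries look like; confirm with the process holder before whitelisting anything.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter itself.
# Inspect regular files under a directory such as /dev/shm and emit
# rkhunter.conf ALLOWDEVFILE lines for the ones you decide are genuine.
# Names, argument handling and output layout are illustrative assumptions.

# nonzero_bytes FILE -> number of bytes in FILE that are not NUL.
# A file that is all NUL (nonzero=0) is untouched shared memory, like the
# pulse-shm file discussed in the thread.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# shm_report DIR -> one line per regular file (dotfiles included):
#   <path> size=<bytes> nonzero=<non-NUL bytes> holder=<pids or ->
# The holder column needs fuser (psmisc); it prints "-" otherwise.
shm_report() {
    dir=$1
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        nz=$(nonzero_bytes "$f")
        holder=-
        if command -v fuser >/dev/null 2>&1; then
            # fuser prints PIDs on stdout and the file name on stderr;
            # the pipeline keeps the exit status harmless under set -e.
            holder=$(fuser "$f" 2>/dev/null | tr -d ' ')
            [ -n "$holder" ] || holder=-
        fi
        printf '%s size=%s nonzero=%s holder=%s\n' "$f" "$size" "$nz" "$holder"
    done
}

# allowdev_lines DIR -> an ALLOWDEVFILE= line per regular file in DIR.
# A trailing run of 8 or more hex digits (a pulse-shm-<hash> style suffix)
# is replaced by '*' so the entry survives the next random name; other
# names (sem.ADBE_REL_root and friends) are listed exactly.
allowdev_lines() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        pattern=$(printf '%s\n' "$base" | sed 's/[0-9a-f]\{8,\}$/*/')
        printf 'ALLOWDEVFILE=%s/%s\n' "$dir" "$pattern"
    done
}

# Usage: sh shm-audit.sh /dev/shm
# Review the report first; paste only the lines you trust into rkhunter.conf,
# then run 'rkhunter --check' again.
if [ -n "${1:-}" ]; then
    shm_report "$1"
    allowdev_lines "$1"
fi
```

The report is the part that answers "are they genuine": a file held open by a process you recognise (kded4, pulseaudio, an Adobe plugin) and holding the sort of content you expect is a candidate for whitelisting; a file in /dev/shm that nothing has open and that you cannot account for is exactly what the rkhunter test exists to surface, so do not whitelist it just to silence the warning.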