Another rkhunter question

Gene Heskett gene.heskett at verizon.net
Sun May 17 17:41:28 UTC 2009


On Sunday 17 May 2009, John Horne wrote:
>On Sun, 2009-05-17 at 09:35 -0400, Gene Heskett wrote:
>> Greetings all;
>>
>> What is /dev/shm?
>>
>> I've given up on rkhunter ever shutting up about the group and passwd
>> files,
>
>What is it saying about the files? If necessary disable the relevant
>passwd/group tests (use 'rkhunter --list test' to see the test names).

I would rather not, I would rather rkhunter's bug was fixed.  I have also 
copied those files manually into rkhunter's db, but that made no diff.
From an email from rkhunter:
Warning: Unable to check for passwd file differences: no copy of the passwd 
file exists.
Warning: Unable to check for group file differences: no copy of the group file 
exists.
-------------------
But they do exist:
[root@coyote ~]# locate group|grep rkhunter
/var/lib/rkhunter/db/group
/var/lib/rkhunter/tmp/group
/var/run/rkhunter/group
[root@coyote ~]# locate passwd|grep rkhunter
/var/lib/rkhunter/db/passwd
/var/lib/rkhunter/tmp/passwd
/var/run/rkhunter/passwd

I'd druther rkhunter was fixed.  --propupd, which is supposed to record the 
system's 'clean' state if I understand it correctly, doesn't fix this.

>> but fussing about this is new.
>> ---------------------- Start Rootkit Hunter Scan ----------------------
>> Warning: Suspicious file types found in /dev:
>>          /dev/shm/sem.ADBE_REL_root: data
>>          /dev/shm/sem.ADBE_WritePrefs_root: data
>>          /dev/shm/sem.ADBE_ReadPrefs_root: data
>
>Items in /dev/shm that are genuine can be whitelisted in rkhunter.conf.
>There is an example of the pulse file whitelisted in the supplied
>rkhunter.conf file. It is easy enough to do the same for the ADBE files.
>No need to remove any packages.

I realize that John & thank you for the reply, but that doesn't tell me IF 
they are _genuine_ or what the heck they are doing.

And considering that most files in /dev don't get out of the inode they were 
created on, what the heck is a 67+ megabyte file full of $00 named
pulse-some-hash-number being used for?  If there was data in it, I maybe could see it had
a use, but if I wanted 67+ megabytes of /dev/zero for something, I'd call dd 
and make it.  So would most programmers except I'd sure pick some place 
besides /dev to store it.

I did find out who owns /dev/shm though, it's kded4, and even with x stopped,
or a fresh reboot to runlevel 3, /dev/shm can be emptied, but cannot be
deleted as it's 'busy'.  So I suppose the other files will reappear at some
point in the course of my daily activities.

What are the ADBE files?  They actually do contain data, but only in the first 
2-3 bytes of the 16 they occupy, the rest are $00.

IMO this is stuff that probably belongs in /tmp, and it makes me nervous when 
some app decides to use just any old location where a rootkit might hide, for 
67+ megabytes of /dev/zero.  Boggles the mind.  FWIW, Since I posted this
originally, I attempted to remove the shm stuff (crypto related?? damnifiknow) 
from the kernel, and the boot locks up at the end of the drive scan.  
Repeatedly.

Thanks John

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sweater, n.:
	A garment worn by a child when its mother feels chilly.
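
One way to check what the entries rkhunter flags in /dev/shm are and which processes use them, as an added example that is not part of the original message or of rkhunter: it reports each entry's apparent and allocated size and the processes that map it, read from /proc/<pid>/maps. The function name shm_report and its record fields are assumptions made for this example.

```python
import os
import stat

def shm_report(shm_dir="/dev/shm", proc_root="/proc"):
    """Describe each entry in shm_dir and list the processes that map it."""
    shm_dir = shm_dir.rstrip("/")
    mappers = {}  # path -> set of (pid, command name)
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "maps")) as f:
                lines = f.read().splitlines()
        except OSError:
            continue  # process exited, or not readable without root
        for line in lines:
            # maps format: address perms offset dev inode pathname
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname
            path = fields[5]
            if path.endswith(" (deleted)"):
                path = path[: -len(" (deleted)")]
            if path.startswith(shm_dir + "/"):
                mappers.setdefault(path, set()).add((int(pid), comm))

    report = []
    for name in sorted(os.listdir(shm_dir)):
        path = os.path.join(shm_dir, name)
        st = os.lstat(path)
        report.append({
            "name": name,
            # glibc stores sem_open() semaphores as sem.<name>; anything
            # else is reported as "other" and needs a closer look.
            "kind": "posix-semaphore" if name.startswith("sem.") else "other",
            "regular_file": stat.S_ISREG(st.st_mode),
            "owner_uid": st.st_uid,
            "size": st.st_size,               # apparent size in bytes
            "allocated": st.st_blocks * 512,  # bytes actually backed by storage
            "mapped_by": sorted(mappers.get(path, ())),
        })
    return report

if __name__ == "__main__":
    for rec in shm_report():
        users = ", ".join(f"{c}[{p}]" for p, c in rec["mapped_by"]) or "no process"
        print(f'{rec["name"]}: {rec["kind"]}, size={rec["size"]}, '
              f'allocated={rec["allocated"]}, uid={rec["owner_uid"]}, mapped by {users}')
```

Run it as root so that other users' maps files are readable. An entry with no mapping process may simply have been left behind by a program that exited, so compare its owner and name against the software installed before whitelisting it in rkhunter.conf.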




