[root@srv-rhsoft:~]$ rkhunter --check
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio

[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWDEVFILE="/dev/shm/sem.SWT_Window_Zend\ Studio"
__________________________________

It does not matter if using quotes, backslash, I simply do not find a way to whitelist this file from my php-ide :-(
Does: ALLOWDEVFILE=/dev/shm/sem.SWT* work?
Not really, something must be really poorly coded here if you look at the folder listing and what happens :-)

[root@srv-rhsoft:~]$ rkhunter --check
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio
Invalid ALLOWDEVFILE configuration option: Invalid pathname: Studio_Launcher

[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
MAIL-ON-WARNING="rhsoft"
IP_CMD=DISABLED
ALLOWPROMISCIF="eth0 eth1"
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend*

[root@srv-rhsoft:~]$ /bin/ls -1 /dev/shm/ | grep -i Zend
sem.SWT_Window_Zend Studio
sem.SWT_Window_Zend Studio_Launcher
Right. So the problem here is that these parameters expect to be space delimited. ;( I'll talk with upstream about a fix. Can you get Zend to use a different filename in the meantime?
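The space-delimited handling described in the comment above, as an added example that is not part of the original thread and is not rkhunter's code. It assumes a model in which an option value is wildcard-expanded, joined with spaces and split on whitespace again, and contrasts it with one pattern per line; the function names and the scratch directory are hypothetical.

```shell
#!/bin/sh
# Added illustration, not rkhunter's code. Assumed model: an option value is
# wildcard-expanded, joined with spaces, then split on whitespace again.

# Create a scratch directory holding the two file names from the thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/sem.SWT_Window_Zend Studio"
    : > "$d/sem.SWT_Window_Zend Studio_Launcher"
    printf '%s\n' "$d"
}

# Space-delimited handling: every whitespace-separated token is a "pathname".
space_delimited() {                      # $1 = option value
    expanded=$(printf '%s ' $1)          # unquoted on purpose: glob + join
    set -f                               # no further globbing while splitting
    for tok in $expanded; do
        case $tok in
            /*) printf 'allow %s\n' "$tok" ;;
            *)  printf 'Invalid pathname: %s\n' "$tok" ;;
        esac
    done
    set +f
}

# Line-delimited handling: one pattern per line, matched against the whole
# path, so a space is just another character.
line_delimited() {                       # $1 = path, $2 = patterns, one per line
    printf '%s\n' "$2" | while IFS= read -r pat; do
        case $1 in
            $pat) echo allowed; break ;;
        esac
    done
}

# Demo on constructed files (nothing under /dev/shm is touched).
dir=$(make_sample_dir)
space_delimited "$dir/sem.SWT_Window_Zend*"
line_delimited "$dir/sem.SWT_Window_Zend Studio" "$dir/sem.SWT_Window_Zend*"
rm -rf "$dir"
```

Under the assumed model the wildcard form reports "Studio" and "Studio_Launcher" as invalid pathnames, the same two tokens rkhunter printed, while the line-delimited matcher accepts both files.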
As far as I know them - no, lucky that they released an x86_64 after long years of whining.....
What happens if you use: ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
Thank you for your help! No way, it does not stop directly after start with a config error, but the warnings will not go away - no idea what the upstream code does, but it is horrible to see that spaces are a problem like 20 years ago and that a * uses both files the same way as writing them unescaped in the config file is a real warning
__________________________
Warning: Suspicious file types found in /dev:
/dev/shm/sem.SWT_Window_Zend Studio_Launcher: data
/dev/shm/sem.SWT_Window_Zend Studio: data
__________________________

[root@srv-rhsoft:~]$ cat /etc/rkhunter.conf.local
MAIL-ON-WARNING="rhsoft"
IP_CMD=DISABLED
ALLOWPROMISCIF="eth0 eth1"
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio
ALLOWDEVFILE=/dev/shm/sem.SWT_Window_Zend%Studio_Launcher
[root@srv-rhsoft:~]$
OK, talking with upstream folks, it seems there's not any way to currently do this. ;( I guess for now I would suggest disabling this check on those machines that have this file? Hopefully they will grow the ability to use "s or \ or even just line delimited, but it's not there yet. You can continue discussion of this on the upstream devel list.
Created attachment 477475: modified rkhunter script
Someone sent me the above modified rkhunter script with support for %'s in ALLOWDEVFILE. I've not reviewed the changes or tested it, so use at your own risk. It sounds like they plan to solve the spaces issue in the next upstream release...