Rkhunter warnings – whitelisting

I'm getting a set of warnings via rkhunter that I can't seem to suppress using ALLOWDEVFILE. Here's a piece of what gets flagged:

Checking /dev for suspicious file types         [ Warning ]
Warning: Suspicious file types found in /dev:
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty7: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty6: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty5: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty4: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty3: ASCII text
/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty2: ASCII text

I've tried all the following techniques (with and without quotes):

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\x2ftty\x2ftty8"

ALLOWDEVFILE = "/dev/.udev/db/\\x2fdevices\\x2fvirtual\\x2ftty\\x2ftty8"

Wildcards don't seem to work, either:

ALLOWDEVFILE = "/dev/.udev/db/\x2fdevices\x2fvirtual\*"

There seems to be some issue with the backslashes in the filenames as even normal tab autocomplete of filenames won't work from the command line. Any ideas on how to get rkhunter to stop throwing warnings and constantly emailing me for this set of files?

Best Answer

Ditch the quotes:

ALLOWDEVFILE = /dev/.udev/db/*
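
A wildcard over the whole directory also means rkhunter will no longer report anything else placed under /dev/.udev/db. The script below is an added example, not part of the original answer or of rkhunter, and is one way to keep an eye on that directory separately. The function name `audit_dev_dir` is hypothetical, and the criteria are an assumption about what normal udev database entries look like: plain, non-executable text files with a single hard link.

```shell
#!/bin/sh
# Added example: audit a directory that has been blanket-whitelisted with
# ALLOWDEVFILE. Prints every entry that does not look like a plain udev
# database record. Assumed criteria (not taken from rkhunter):
#   - anything that is neither a regular file nor a directory
#     (symlink, device node, FIFO, socket)
#   - a regular file with any execute, setuid or setgid bit set
#   - a regular file with more than one hard link
# File names containing literal backslashes (\x2f...) need no special
# handling here because find is given only the directory, never a pattern.

audit_dev_dir() {
    dir=${1:-/dev/.udev/db}

    if [ ! -d "$dir" ]; then
        echo "audit_dev_dir: no such directory: $dir" >&2
        return 2
    fi

    find "$dir" -mindepth 1 \( \
            ! -type f ! -type d \
        -o  -type f \( -perm -100 -o -perm -010 -o -perm -001 \
                       -o -perm -4000 -o -perm -2000 \
                       -o -links +1 \) \
    \) -print
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_dev_dir "$1"
fi
```

Empty output means nothing unexpected was found; run it from cron against /dev/.udev/db and mail the output only when it is non-empty.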