Thursday, February 14, 2008

Ubuntu rkhunter configuration

I recently added rkhunter, a rootkit detection utility, to my Ubuntu installation. After doing so, I started picking up warnings from cron during its daily scan:

Warning: Found enabled inetd service: /usr/sbin/vmware-authd
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.static
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs
Warning: Hidden file found: /dev/.tmp-2-0: block special (2/0)

Research indicates that these particular warnings are spurious--I know I have VMware running, and the others seem to be facets of the way Ubuntu is constructed. To suppress them, I added the following lines to /etc/rkhunter.conf:

ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENFILE=/dev/.tmp-2-0
INETD_ALLOWED_SVC=/usr/sbin/vmware-authd
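
Whitelist entries like the ones above stay in force even after the path they cover disappears or changes type, so they are worth re-checking from time to time. The following is an added example, not part of the original post and not part of rkhunter: a shell function (the name audit_rkhunter_whitelist and the status words are made up for illustration) that reads a configuration file and reports whether each whitelisted path still looks the way it did when it was approved. It assumes one path per option line, as in the lines above.

```shell
#!/bin/sh
# Added example: audit the whitelist entries in an rkhunter configuration file.
# Usage: audit_rkhunter_whitelist /etc/rkhunter.conf
# Prints "<STATUS> <OPTION> <PATH>" per entry; returns 1 if any entry is not OK.
# Assumption: each option line carries exactly one path (OPTION=/path).
audit_rkhunter_whitelist() {
    conf=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, then skip blank lines and comments.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*) continue ;;
        esac
        opt=${line%%=*}
        path=${line#*=}
        case $opt in
            ALLOWHIDDENDIR)
                # Expect a real directory; a symlink could point anywhere.
                if [ -L "$path" ]; then status=SYMLINK
                elif [ -d "$path" ]; then status=OK
                elif [ -e "$path" ]; then status=WRONGTYPE
                else status=MISSING; fi ;;
            ALLOWHIDDENFILE)
                # Expect an existing non-directory (regular or device file).
                if [ -L "$path" ]; then status=SYMLINK
                elif [ -d "$path" ]; then status=WRONGTYPE
                elif [ -e "$path" ]; then status=OK
                else status=MISSING; fi ;;
            INETD_ALLOWED_SVC)
                # Expect an executable file at the whitelisted service path.
                if [ -f "$path" ] && [ -x "$path" ]; then status=OK
                elif [ -e "$path" ]; then status=WRONGTYPE
                else status=MISSING; fi ;;
            *) continue ;;   # not a whitelist option handled here
        esac
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$opt" "$path"
    done < "$conf"
    return $rc
}
```

Anything reported other than OK means the entry no longer matches what was approved and should be reviewed or removed.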