Whitelisting devices and files for RKhunter

Posted on 14-04-2017 by Nadir Latif

Source: https://mmcgrath.fedorapeople.org/rkhunter.conf

Some programs, such as PostgreSQL, create virtual memory devices under /dev/. RKhunter may raise warnings for these devices. To whitelist a device under /dev, use the ALLOWDEVFILE directive. The value of this directive is a single device path; the wildcard character (*) may be used inside the path. The ALLOWDEVFILE directive may be given multiple times, one line per device.

Some programs, such as Odoo ERP, can update your /etc/passwd and /etc/group files. RKhunter may report a warning for these file changes. To whitelist the file, use the RTKT_FILE_WHITELIST directive. Its value is the full path of the file to be whitelisted. If only certain strings within the file need to be whitelisted, append the string to the file path, separated by a colon. For example, RTKT_FILE_WHITELIST=/etc/passwd:postgres whitelists the postgres user entry inside the /etc/passwd file, rather than the whole file.
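As an added example (not from the post and not part of RKhunter), the script below checks a constructed rkhunter.conf fragment to see whether a given device path, or a file and string pair, would be covered by its ALLOWDEVFILE and RTKT_FILE_WHITELIST entries, so you can confirm before re-running the scan that a whitelist is as narrow as you intended. It assumes that shell case-globbing approximates RKhunter's own wildcard matching.

```shell
#!/bin/sh
# Constructed sample rkhunter.conf fragment (not a real configuration):
# two ALLOWDEVFILE globs and three RTKT_FILE_WHITELIST entries, one of
# them whitelisting a whole file rather than a single string inside it.
SAMPLE_CONF='
ALLOWDEVFILE=/dev/shm/PostgreSQL.*
ALLOWDEVFILE=/dev/shm/sem.odoo*
RTKT_FILE_WHITELIST=/etc/passwd:postgres
RTKT_FILE_WHITELIST=/etc/group:postgres
RTKT_FILE_WHITELIST=/etc/hosts
'

# dev_whitelisted PATH CONF: succeed if PATH matches any ALLOWDEVFILE glob.
# Shell case-globbing is assumed to approximate rkhunter's own matching.
dev_whitelisted() {
    printf '%s\n' "$2" | sed -n 's/^ALLOWDEVFILE=//p' | {
        while read -r pat; do
            case $1 in
                $pat) exit 0 ;;   # exits the subshell; the pipeline returns 0
            esac
        done
        exit 1
    }
}

# file_whitelisted FILE STRING CONF: succeed if CONF whitelists the whole
# FILE, or exactly FILE:STRING (STRING may be empty for a whole-file query).
file_whitelisted() {
    printf '%s\n' "$3" | sed -n 's/^RTKT_FILE_WHITELIST=//p' | {
        while read -r entry; do
            [ "$entry" = "$1" ] && exit 0
            [ -n "$2" ] && [ "$entry" = "$1:$2" ] && exit 0
        done
        exit 1
    }
}

# Demo: show which constructed paths a scan would still warn about.
for dev in /dev/shm/PostgreSQL.2411 /dev/shm/sem.odoo-1 /dev/shm/unknown; do
    if dev_whitelisted "$dev" "$SAMPLE_CONF"; then
        echo "allowed: $dev"
    else
        echo "WARNING: $dev"
    fi
done
file_whitelisted /etc/passwd postgres "$SAMPLE_CONF" && echo "allowed: /etc/passwd:postgres"
file_whitelisted /etc/passwd odoo "$SAMPLE_CONF" || echo "WARNING: /etc/passwd:odoo"
```

After editing the real configuration file, `rkhunter --config-check` reports syntax errors in the directives before the next scan.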