# rkhunter & Gentoo

## hujuice

While checking my system(s) with rkhunter, I should modify the default configuration file as follows.

I believe that my configuration is due to "typical" Gentoo customizations (amd64).

Please, help me (us) to verify / improve this list with a community purpose:

```
# Allow the specified commands to be scripts.
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/lwp-request

# Allow the specified hidden directories.
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.lvm
```

The last line, obviously, makes sense (?) only if you have lvm installed.

Do you think that this list is correct?

What should Gentoo users add in different situations?

Regards,

HUjuice

----------

## Jimmy Jazz

*hujuice wrote:*

> While checking my system(s) with rkhunter, I should modify the default configuration file as follows.
> 
> I believe that my configuration is due to "typical" Gentoo customizations (amd64).
> 
> Please, help me (us) to verify / improve this list with a community purpose:
> ...

Here is a more complete one:

```
AUTO_X_DETECT=1
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan"
PKGMGR=NONE

USER_FILEPROP_FILES_DIRS="!/etc/init.d/hdparm"
USER_FILEPROP_FILES_DIRS="!/etc/init.d/pciparm"

SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request

ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENDIR=/etc/.pamauth.otp
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.lvm

ALLOWHIDDENFILE=/dev/.mdadm.map
ALLOWHIDDENFILE=/etc/.gitignore

ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
ALLOWPROCDELFILE=/usr/sbin/fcron
ALLOWPROCDELFILE=/usr/bin/gnome-terminal
ALLOWPROCDELFILE=/usr/bin/nautilus
ALLOWPROCDELFILE=/usr/sbin/apache2
ALLOWPROCDELFILE=/usr/sbin/mysqld
ALLOWPROCDELFILE=/bin/bash

ALLOWPROMISCIF="eth0"
PHALANX2_DIRTEST=0

ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/suspscan.*.strings

XINETD_ALLOWED_SVC=/etc/xinetd.d/echo-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/echo-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/saned
XINETD_ALLOWED_SVC=/etc/xinetd.d/chargen-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/chargen-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/daytime-dgram
XINETD_ALLOWED_SVC=/etc/xinetd.d/daytime-stream
XINETD_ALLOWED_SVC=/etc/xinetd.d/git-daemon
XINETD_ALLOWED_SVC=/etc/xinetd.d/rsyncd

STARTUP_PATHS="/etc/init.d"
PASSWORD_FILE=/etc/shadow
SYSLOG_CONFIG_FILE=/etc/syslog-ng/syslog-ng.conf
ALLOW_SYSLOG_REMOTE_LOGGING=1
APP_WHITELIST="openssl:0.9.8l gpg apache:2.2.14"
SUSPSCAN_DIRS="/tmp /var/tmp /var/www /var/log/apache2"
SUSPSCAN_TEMP=/dev/shm
PORT_WHITELIST="TCP:25 /usr/sbin/squid"
RTKT_FILE_WHITELIST="/etc/init.d/pciparm /etc/init.d/hdparm"
WARN_ON_OS_CHANGE=1
SHOW_LOCK_MSGS=1
```

Don't forget to update the database as well:

```
rkhunter --propupd
```

----------

## noclear2000

Hi there!

I know this is an age-old post however let me revive it. 

I stumbled across this post when configuring rkhunter for my new gentoo installation. After some tweaking it looks just fine with one exception:

```
[18:32:01] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:32:01]   Checking /dev for suspicious file types         [ Warning ]
[18:32:01] Warning: Suspicious file types found in /dev:
[18:32:02]          /dev/.mdadm/map: ASCII text
[18:32:02] Info: Found hidden directory '/dev/.mdadm': it is whitelisted.
[18:32:02]   Checking for hidden files and directories       [ None found ]
[18:32:04]
```

My config for that part is:

```
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENFILE="/dev/.mdadm/map"
```

As you can see, the ALLOWHIDDENDIR directive results in this directory being whitelisted as expected, but the ALLOWHIDDENFILE for /dev/.mdadm/map is not. I also made sure to run:

```
rkhunter --propupd
```

Any ideas?

Cheers

----------

## noclear2000

Hi,

Just today I finally solved the problem with /dev/.mdadm/map. Maybe it helps someone else if I post it here.

Only ALLOWHIDDENFILE or only ALLOWDEVFILE in /etc/rkhunter.conf does not work. Adding both works:

```
ALLOWHIDDENFILE=/dev/.mdadm/map
ALLOWDEVFILE=/dev/.mdadm/map
```

Cheers
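
A small checker for the whitelist entries discussed in this thread, as an added example (not rkhunter's own code and not any poster's): it parses the repeated `KEY=VALUE` options of rkhunter.conf, flags hidden files under /dev that have an ALLOWHIDDENFILE entry but no matching ALLOWDEVFILE (the /dev/.mdadm/map case above), and lists literal whitelisted paths that do not exist on the host. The option names are real rkhunter options; the function names and the sample config, assembled from entries quoted in the thread, are mine.

```python
"""Lint rkhunter.conf whitelists (added example; not rkhunter's own code)."""
import os

# Options rkhunter lets you repeat; every occurrence adds one entry.
LIST_OPTIONS = {"SCRIPTWHITELIST", "ALLOWHIDDENDIR", "ALLOWHIDDENFILE",
                "ALLOWDEVFILE", "ALLOWPROCDELFILE", "XINETD_ALLOWED_SVC"}

def parse_rkhunter_conf(text):
    """Return {option: [values]}; list options accumulate, others keep the
    last assignment. Surrounding quotes are stripped, globs are left as-is."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key in LIST_OPTIONS:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = [value]
    return conf

def hidden_dev_files_without_allowdevfile(conf):
    """Hidden files under /dev in ALLOWHIDDENFILE but not ALLOWDEVFILE: the
    hidden-file test is silenced, yet the /dev file-type check still warns
    (the /dev/.mdadm/map case in this thread)."""
    allowed_dev = set(conf.get("ALLOWDEVFILE", []))
    return [p for p in conf.get("ALLOWHIDDENFILE", [])
            if p.startswith("/dev/") and p not in allowed_dev]

def stale_whitelist_paths(conf, exists=os.path.exists):
    """Literal whitelisted paths absent on this host: they suppress nothing
    and usually mean the list was copied from another box. Globs and
    '!' exclusions are not plain paths and are skipped."""
    return [(opt, p) for opt in sorted(LIST_OPTIONS) for p in conf.get(opt, [])
            if not p.startswith("!") and "*" not in p and not exists(p)]

# Constructed sample assembled from entries quoted in this thread.
SAMPLE_CONF = """\
SCRIPTWHITELIST=/usr/bin/ldd
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENFILE="/dev/.mdadm/map"
ALLOWDEVFILE=/dev/shm/pulse-shm-*
PKGMGR=NONE
"""
```

Run `stale_whitelist_paths(parse_rkhunter_conf(open("/etc/rkhunter.conf").read()))` on a real box to see which copied entries match nothing there.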

----------

## ShadowCat8

Okay.

I agree with many of those... Especially /usr/bin/lwp-request, which is required by git.

How about adding these?

```
[10:56:16]   Checking system startup files for malware       [ Warning ]
[10:56:16] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Knark Rootkit
...<snip>...
[10:56:17]   Checking /dev for suspicious file types         [ Warning ]
[10:56:17] Warning: Suspicious file types found in /dev:
[10:56:17]          /dev/mdev.seq: ASCII text, with no line terminators
```

As a note, the Knark false positive is discussed in this thread. And I know that /dev/mdev.seq is a legacy, orphaned file on my system because I am currently running udev-204, but those who do run mdev might appreciate it being whitelisted.

HTH. Let us know.

----------

