I was able to solve the issue I was seeing here by changing the rkhunter configuration to include the following lines:

ALLOWDEVFILE=/dev/shm/byobu-*-????????/.last.tmux/*
ALLOWDEVFILE=/dev/shm/byobu-*-????????/*/*
ALLOWDEVFILE=/dev/shm/byobu-*-????????/*
ALLOWDEVFILE=/dev/shm/sem.*

There are two things at play here:

1.) As Roger Binns pointed out, the asterisk at the end of the line is only good for a single directory level of wildcard match, so to match all the levels, multiple lines must be added, one for each level.

2.) The wildcard match does not appear to be working correctly for directories that start with a period (such as .last.tmux), which I do believe to actually be a bug. By manually specifying ".last.tmux" instead of an asterisk for that level, the ALLOWDEVFILE declaration will then function correctly.

In my case, I used the question marks to limit what is to be whitelisted since the string here will always be exactly 8 characters. For extra security, if you have very few users that log in (or only a single user), rather than using an asterisk after the "byobu-", you could manually specify the allowed user here to narrow down the whitelist even further.

I will update the title on this bug to reflect the issue of the wildcard not matching directories that begin with a period.

** Summary changed:

- Wildcards in "ALLOWDEVFILE" Not Working
+ Wildcards in Whitelists Do Not Function Correctly on Hidden Directories (Begin with a Period)

https://bugs.launchpad.net/bugs/1453952

Title:
  Wildcards in Whitelists Do Not Function Correctly on Hidden Directories (Begin with a Period)
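
The two behaviours described in the comment above (one directory level per asterisk, no match on names starting with a period) are those of ordinary shell pathname expansion. The following is an added example, not part of the original post and not rkhunter code: it assumes the whitelist patterns expand like shell globs and reports which files in a constructed tree a given set of patterns leaves unlisted. The user name "alice", the suffix "AbCd1234", the file names and the helper names `make_tree` and `uncovered` are all made up for the illustration.

```shell
#!/bin/sh
# Added example. Assumption: patterns behave like shell pathname expansion.

# Build a constructed tree under a temp root (user "alice" and the 8-character
# suffix "AbCd1234" are made up for this example). Prints the root path.
make_tree() {
    root=$(mktemp -d)
    d="$root/dev/shm/byobu-alice-AbCd1234"
    mkdir -p "$d/cache" "$d/.last.tmux"
    : > "$d/status"
    : > "$d/cache/updates"
    : > "$d/.last.tmux/date"
    : > "$root/dev/shm/sem.lock"
    printf '%s\n' "$root"
}

# uncovered ROOT PATTERN...  prints every file under ROOT that no pattern matches.
uncovered() {
    root=$1; shift
    allowed=$(for pat in "$@"; do
        # $pat is left unquoted on purpose so the shell expands the wildcards.
        for f in "$root"$pat; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done)
    find "$root" -type f | sort | while IFS= read -r f; do
        printf '%s\n' "$allowed" | grep -Fxq -- "$f" || printf '%s\n' "${f#"$root"}"
    done
}

tree=$(make_tree)
echo "Unlisted files with only the asterisk lines:"
uncovered "$tree" '/dev/shm/byobu-*-????????/*/*' '/dev/shm/byobu-*-????????/*' '/dev/shm/sem.*'
echo "Unlisted files with the four lines from the post:"
uncovered "$tree" '/dev/shm/byobu-*-????????/.last.tmux/*' '/dev/shm/byobu-*-????????/*/*' \
    '/dev/shm/byobu-*-????????/*' '/dev/shm/sem.*'
rm -rf "$tree"
```

Running the same check against a copy of a real /dev/shm listing shows how much a broader pattern, such as one without the eight question marks, would whitelist beyond what is intended.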