It was usually rather simple to silence these warnings from the rkhunter configuration file /etc/rkhunter.conf - most of the time it was just a matter of un-commenting one or more lines, and occasionally updating rkhunter:
rkhunter --propupd(say, for instance, after upgrading packages).
One false positive that was somewhat more complicated to disable was a warning about the Xzibit Rootkit. This warning is triggered by files containing the string hdparm - it's a known bug (see Debian bug #576680), and the workaround is to "use the RTKT_FILE_WHITELIST option to whitelist initscripts stating this string" - e.g. /etc/init.d/hdparm ...
The comments in the configuration file, suggest that the proper method of whitelisting a file is to also add it to USER_FILEPROP_FILES_DIRS and then update rkhunter. But this makes rkhunter complain that /etc/init.d/hdparm is an executable script, so I had to also add it to SCRIPTWHITELIST.
Bottom line - add the following lines to /etc/rkhunter.conf:
USER_FILEPROP_FILES_DIRS="/etc/init.d/hdparm /etc/init.d/.depend.boot" SCRIPTWHITELIST=/etc/init.d/hdparm RTKT_FILE_WHITELIST="/etc/init.d/hdparm /etc/init.d/.depend.boot"and the run
rkhunter --propupdVerify by running:
rkhunter --checkI can only hope that I won't hit any false negatives...