Re: [Rkhunter-users] Another Warnings question
From: John H. <joh...@pl...> - 2007-09-27 15:31:30
On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
> John,
>
> ----- Original Message -----
> From: "John Horne" <joh...@pl...>
> To: "RkhunerList" <rkh...@li...>
> Sent: Thursday, September 27, 2007 9:10 AM
> Subject: Re: [Rkhunter-users] Another Warnings question
>
>
> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
> >> Warning: The following processes are using deleted files:
> > [snipped]
> >> Process: /usr/local/apache/bin/httpd PID: 12461 File:
> >> /tmp/ZCUDfKYmV3
> >> Process: /usr/bin/perl PID: 29438 File: /tmp/ZCUDfKYmV3
> >> =============================================================================
> >>
> >> what does this actually indicate and how can it be corrected or ignored?
> >>
> > This is from the 'deleted_files' test, which is disabled by default
> > because it may give false-positive results.
> >
> > The result is saying that the system reports the
> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
> > descriptors open for files which no longer exist, which is suspicious.
> >
> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
>
> this is what is in the conf file:
>
> ENABLE_TESTS="all"
> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>
> the delete_files is disabled, but it's still being tested. do I need to change
> something else??
>
Can you look in the log file for the lines containing:

    Info: Enabled tests are:
    Info: Disabled tests are:

They will indicate which tests are enabled or disabled.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: Joh...@pl...           Fax: +44 (0)1752 233839
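
The condition described in the quoted warning (a process holding a descriptor to a file that no longer exists) can be cross-checked on Linux independently of rkhunter by reading the `/proc/<pid>/fd` symlinks, whose targets end in ` (deleted)` for unlinked files. The following is an added example, not part of the original message and not rkhunter's own code; the function name `deleted_fds` and its two parameters are hypothetical, and the allow pattern is this example's own filter, not the ALLOWPROCDELFILE syntax.

```shell
#!/bin/sh
# List processes that hold open descriptors to deleted files by reading
# the /proc/<pid>/fd symlinks (Linux appends " (deleted)" to the target).
#
# Usage: deleted_fds [proc_root] [allow_regex]
#   proc_root    defaults to /proc; a constructed test tree can be passed
#   allow_regex  optional ERE matched against "exe:file"; matches are
#                skipped (hypothetical parameter, not an rkhunter option)
# Run as root on a live system, otherwise other users' fds are unreadable.
deleted_fds() {
    root=${1:-/proc}
    allow=${2:-}
    for piddir in "$root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        pid=${piddir##*/}
        # exe is unreadable for kernel threads or without privileges
        exe=$(readlink "$piddir/exe" 2>/dev/null) || exe="?"
        for fd in "$piddir"/fd/*; do
            # process may have exited, or the glob matched nothing
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                *" (deleted)") file=${target%" (deleted)"} ;;
                *) continue ;;
            esac
            # skip pairs the administrator has reviewed and accepted
            if [ -n "$allow" ] &&
               printf '%s\n' "$exe:$file" | grep -Eq -- "$allow"; then
                continue
            fi
            printf 'Process: %s PID: %s File: %s\n' "$exe" "$pid" "$file"
        done
    done | sort -u   # one line per process/file pair
}
```

Temporary files that a program creates and immediately unlinks show up here too, so a hit is a prompt to review the process, not proof of compromise.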