Re: [Rkhunter-users] Another Warnings question
From: Mike B. <mi...@fr...> - 2007-09-27 15:47:19
John,

----- Original Message -----
From: "John Horne" <joh...@pl...>
To: "RkhunerList" <rkh...@li...>
Sent: Thursday, September 27, 2007 10:13 AM
Subject: Re: [Rkhunter-users] Another Warnings question

> On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
>> John,
>>
>> ----- Original Message -----
>> From: "John Horne" <joh...@pl...>
>> To: "RkhunerList" <rkh...@li...>
>> Sent: Thursday, September 27, 2007 9:10 AM
>> Subject: Re: [Rkhunter-users] Another Warnings question
>>
>>
>> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
>> >> Warning: The following processes are using deleted files:
>> > [snipped]
>> >> Process: /usr/local/apache/bin/httpd PID: 12461 File: /tmp/ZCUDfKYmV3
>> >> Process: /usr/bin/perl PID: 29438 File: /tmp/ZCUDfKYmV3
>> >> =============================================================================
>> >>
>> >> what does this actually indicate and how can it be corrected or ignored?
>> >>
>> > This is from the 'deleted_files' test, which is disabled by default
>> > because it may give false-positive results.
>> >
>> > The result is saying that the system reports the
>> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
>> > descriptors open for files which no longer exist, which is suspicious.
>> >
>> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
>>
>> this is what is in the conf file:
>>
>> ENABLE_TESTS="all"
>> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>>
>> the delete_files is disabled, but it's still being tested. do I need to
>> change something else??
>>
> Can you look in the log file for the lines containing:
>
> Info: Enabled tests are:
> Info: Disabled tests are:
>
> They will indicate which tests are enabled or disabled.

this is what was in the current rkhunter.log

Info: Enabled tests are: all
Info: Disabled tests are: apps suspscan deleted_files

Mike
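The comparison requested in the thread (config file's `DISABLE_TESTS` against the log's "Disabled tests are:" line), as an added example that is not part of the original messages or of rkhunter itself. The function names are hypothetical, the sample files are constructed from the values quoted above, and the script assumes the log line may carry a leading prefix before `Info:`.

```shell
#!/bin/sh
# Added example (not from the thread): compare the tests a config file asks
# rkhunter to skip with the tests the log says were skipped.
LC_ALL=C; export LC_ALL

# One test name per line, sorted, from every DISABLE_TESTS= line in a config.
conf_disabled() {
    sed -n 's/^[[:space:]]*DISABLE_TESTS=//p' "$1" |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Same, from the last "Info: Disabled tests are:" line in a log.
log_disabled() {
    sed -n 's/^.*Info: Disabled tests are:[[:space:]]*//p' "$1" | tail -n 1 |
        tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Print the names the two sources disagree on; no output means they match.
compare_disabled() {
    c=$(mktemp); l=$(mktemp)
    conf_disabled "$1" > "$c"; log_disabled "$2" > "$l"
    comm -23 "$c" "$l" | sed 's/^/conf-only: /'
    comm -13 "$c" "$l" | sed 's/^/log-only: /'
    rm -f "$c" "$l"
}

# Constructed sample files holding the values quoted in the thread.
write_samples() {
    cat > "$1/rkhunter.conf" <<'EOF'
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
EOF
    cat > "$1/rkhunter.log" <<'EOF'
Info: Enabled tests are: all
Info: Disabled tests are: apps suspscan deleted_files
EOF
}

d=$(mktemp -d)
write_samples "$d"
compare_disabled "$d/rkhunter.conf" "$d/rkhunter.log"
rm -rf "$d"
```

Each output line names a test that appears in only one of the two sources, which is the discrepancy to resolve before adding any whitelist entry.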