Re: [Rkhunter-users] Another Warnings question

[Mike B. <mi...@fr...>]

John,

----- Original Message ----- 
From: "John Horne" <joh...@pl...>
To: "RkhunerList" <rkh...@li...>
Sent: Thursday, September 27, 2007 10:13 AM
Subject: Re: [Rkhunter-users] Another Warnings question


> On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
>> John,
>>
>> ----- Original Message ----- 
>> From: "John Horne" <joh...@pl...>
>> To: "RkhunerList" <rkh...@li...>
>> Sent: Thursday, September 27, 2007 9:10 AM
>> Subject: Re: [Rkhunter-users] Another Warnings question
>>
>>
>> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
>> >> Warning: The following processes are using deleted files:
>> > [snipped]
>> >>          Process: /usr/local/apache/bin/httpd    PID: 12461    File:
>> >> /tmp/ZCUDfKYmV3
>> >>          Process: /usr/bin/perl    PID: 29438    File: /tmp/ZCUDfKYmV3
>> >> =============================================================================
>> >>
>> >> what does this actual indicate and how can it be corrected or ignored?
>> >>
>> > This is from the 'deleted_files' test, which is disabled by default
>> > because it may give false-positive results.
>> >
>> > The result is saying that the system reports the
>> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
>> > descriptors open for files which no longer exist, which is suspicious.
>> >
>> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
>>
>> this is what is in the conf file:
>>
>> ENABLE_TESTS="all"
>> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
>>
>> the delete_files is disabled, but it's still being tested. do I need to 
>> change
>> something else??
>>
> Can you look in the log file for the lines containing:
>
>   Info: Enabled tests are:
>   Info: Disabled tests are:
>
> They will indicate which tests are enabled or disabled.

this is what was in the current rkhunter.log

Info: Enabled tests are: all
Info: Disabled tests are: apps suspscan deleted_files

Mike