Re: [Rkhunter-users] Another Warnings question
From: John H. <joh...@pl...> - 2007-09-27 17:02:47
On Thu, 2007-09-27 at 10:46 -0500, Mike Blezien wrote:
> John,
>
> ----- Original Message -----
> From: "John Horne" <joh...@pl...>
> To: "RkhunerList" <rkh...@li...>
> Sent: Thursday, September 27, 2007 10:13 AM
> Subject: Re: [Rkhunter-users] Another Warnings question
>
>
> > On Thu, 2007-09-27 at 09:55 -0500, Mike Blezien wrote:
> >> John,
> >>
> >> ----- Original Message -----
> >> From: "John Horne" <joh...@pl...>
> >> To: "RkhunerList" <rkh...@li...>
> >> Sent: Thursday, September 27, 2007 9:10 AM
> >> Subject: Re: [Rkhunter-users] Another Warnings question
> >>
> >>
> >> > On Thu, 2007-09-27 at 07:06 -0500, Mike Blezien wrote:
> >> >> Warning: The following processes are using deleted files:
> >> > [snipped]
> >> >> Process: /usr/local/apache/bin/httpd PID: 12461 File:
> >> >> /tmp/ZCUDfKYmV3
> >> >> Process: /usr/bin/perl PID: 29438 File: /tmp/ZCUDfKYmV3
> >> >> =============================================================================
> >> >>
> >> >> What does this actually indicate and how can it be corrected or ignored?
> >> >>
> >> > This is from the 'deleted_files' test, which is disabled by default
> >> > because it may give false-positive results.
> >> >
> >> > The result is saying that the system reports the
> >> > processes, /usr/local/apache/bin/httpd and /usr/bin/perl, have file
> >> > descriptors open for files which no longer exist, which is suspicious.
> >> >
> >> > Look for ALLOWPROCDELFILE in the config file to see about whitelisting.
> >>
> >> This is what is in the conf file:
> >>
> >> ENABLE_TESTS="all"
> >> DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
> >>
> >> The deleted_files test is disabled, but it's still being tested. Do I need to
> >> change something else??
> >>
> > Can you look in the log file for the lines containing:
> >
> > Info: Enabled tests are:
> > Info: Disabled tests are:
> >
> > They will indicate which tests are enabled or disabled.
>
> This is what was in the current rkhunter.log:
>
> Info: Enabled tests are: all
> Info: Disabled tests are: apps suspscan deleted_files
>
Okay. Can you run RKH as you did initially when the deleted_files test ran,
and then send me the whole log file please.

Thanks,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: Joh...@pl...                            Fax: +44 (0)1752 233839
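As an added illustration of what the deleted_files test is reporting (this is example code, not rkhunter's own and not from the thread): a shell scan that lists processes holding descriptors to unlinked files by reading the /proc/<pid>/fd symlinks, and then drops entries that match an allow-list of process:file pairs in the spirit of the ALLOWPROCDELFILE whitelisting John points to. The scan_deleted_fds and filter_allowed names and the "process:file" allow-list format are my own; rkhunter's actual option syntax is not assumed.

```shell
#!/bin/sh
# Added example, not rkhunter's code: reproduce the condition behind the
# deleted_files warning by reading /proc/<pid>/fd symlinks, then apply an
# allow-list of "process:file" pairs (a constructed format modelled on the
# idea of ALLOWPROCDELFILE; rkhunter's real syntax is not assumed here).

# Print one "exe pid file" line per descriptor whose target was unlinked.
# The kernel appends " (deleted)" to the link target of such descriptors.
scan_deleted_fds() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") ;;
            *) continue ;;
        esac
        pid=${fd#/proc/}
        pid=${pid%%/*}
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="?"
        printf '%s %s %s\n' "$exe" "$pid" "${target% (deleted)}"
    done | sort -u
}

# Read "exe pid file" lines on stdin and drop those whose exe:file pair
# appears in $1 (a whitespace-separated allow-list). Whatever is left is
# what an operator should look at: a web server or interpreter holding an
# unlinked file in /tmp is worth checking, while rotated logs and ordinary
# temp files are the usual benign causes of a hit.
filter_allowed() {
    allow=$1
    while read -r exe pid file; do
        hit=0
        for entry in $allow; do
            if [ "$entry" = "$exe:$file" ]; then hit=1; break; fi
        done
        if [ "$hit" -eq 0 ]; then printf '%s %s %s\n' "$exe" "$pid" "$file"; fi
    done
    return 0
}

# Stand-alone usage: report every hit except one allow-listed pair.
# (The pair below is a constructed sample, not taken from the thread.)
scan_deleted_fds | filter_allowed "/usr/sbin/rsyslogd:/var/log/syslog.1"
```

Run it as the same user as the processes you want to inspect, or as root; /proc hides other users' descriptors from an unprivileged scan.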