Package: rkhunter
Version: 1.4.2-0.4
Severity: normal

First, this bug is from a stable (jessie) box and I don't have any stable box with configured mail, so no system information below.

Among others, I have the following lines in rkhunter.conf:

    ALLOWPROCDELFILE="/bin/dash:/tmp/*"
    ALLOWPROCDELFILE="/bin/run-parts:/tmp/*"
    ALLOWPROCDELFILE="/usr/sbin/cron:/tmp/tmp*"

That worked well in wheezy and matches the documentation of that parameter. Unfortunately, since upgrading to jessie I get many false positives like this:

    Warning: The following processes are using deleted files:
             Process: /usr/sbin/cron    PID: 2643    File: /tmp/tmpf1TLeZx
             Process: /bin/dash         PID: 2644    File: /tmp/tmpf1TLeZx
             Process: /bin/run-parts    PID: 2645    File: /tmp/tmpf1TLeZx

On other servers I get complaints about apache or dovecot or other server processes holding open caches, tmp files or similar. All are excluded like above with wildcards.

That is pretty annoying and I even thought about raising the severity, as all those false positives could hide really important and real security issues.

-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
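Editor's added example (not rkhunter's own code, and not part of the report above): a reference check of how the three ALLOWPROCDELFILE entries quoted in the report should behave under the documented "process:file-pattern" semantics, assuming the file part is a shell-style glob. It parses the warning text from the report plus one constructed apache line and shows which findings the whitelist would leave unexplained, which is useful when triaging whether a warning is a tuning problem or a real deleted-file finding.

```python
import fnmatch
import re

# The whitelist entries exactly as quoted in the bug report.
ALLOWPROCDELFILE = [
    "/bin/dash:/tmp/*",
    "/bin/run-parts:/tmp/*",
    "/usr/sbin/cron:/tmp/tmp*",
]

# Constructed sample: the warning block from the report plus one extra
# apache line that is NOT covered by the entries above.
WARNING_TEXT = """Warning: The following processes are using deleted files:
Process: /usr/sbin/cron PID: 2643 File: /tmp/tmpf1TLeZx
Process: /bin/dash PID: 2644 File: /tmp/tmpf1TLeZx
Process: /bin/run-parts PID: 2645 File: /tmp/tmpf1TLeZx
Process: /usr/sbin/apache2 PID: 3001 File: /var/cache/apache2/mod_cache_disk/x
"""

LINE_RE = re.compile(r"^\s*Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)\s*$")


def parse_warning(text):
    """Return (process, pid, deleted_file) tuples found in the warning block."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


def is_allowed(process, path, entries=ALLOWPROCDELFILE):
    """Assumed semantics: 'process:pattern' with an exact process path and a
    glob for the file; fnmatch's '*' also crosses '/' so '/tmp/*' covers
    subdirectories."""
    for entry in entries:
        proc, sep, pattern = entry.partition(":")
        if sep and proc == process and fnmatch.fnmatchcase(path, pattern):
            return True
    return False


def unexplained(text, entries=ALLOWPROCDELFILE):
    """Findings that survive the whitelist and therefore deserve a look."""
    return [(p, pid, f) for p, pid, f in parse_warning(text)
            if not is_allowed(p, f, entries)]


if __name__ == "__main__":
    for proc, pid, path in unexplained(WARNING_TEXT):
        print(f"still flagged: {proc} (pid {pid}) -> {path}")
```

With the entries from the report, only the constructed apache line survives; the three cron/dash/run-parts lines are exactly what the whitelist is meant to suppress.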