On Sat, 2010-01-30 at 19:08 +0100, Christian Lauf wrote:
> Hello,
>
> I want to integrate rkhunter via check_rootkit into my Nagios
> installation.
> But before I'll do this, I want rkhunter to not report any false
> positives.
>
> I managed to eradicate most of them by setting PKGMGR and doing a
> --propupd.
> Now all I have left is one warning about processes using deleted files.
>
> Checking running processes for deleted files [ Warning ]
>
> In the rkhunter.log the following entries are logged:
> Warning: The following processes are using deleted files:
> Process: /usr/sbin/mysqld PID: 2205 File: /tmp/ibExV5IK
> Process: /usr/sbin/apache2 PID: 2855 File: /var/run/apache2/ssl_mutex
> Process: /home/teamspeak/tss2_rc2/server_linux PID: 16598 File: /var/tmp/sqlite_dcQdgjGUDIDVnoh
>
> So I thought that setting the following ALLOWPROCDELFILE entries would
> make the message vanish.
>
> ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ibExV5IK
> ALLOWPROCDELFILE=/usr/sbin/apache2:/var/run/apache2/ssl_mutex
> ALLOWPROCDELFILE=/home/teamspeak/tss2_rc2/server_linux:/var/tmp/sqlite_dcQdgjGUDIDVnoh
>
> But they keep showing up. (Name of the tmp-files didn't change.)
> I know that listing the programs without the path works.
> And gives me a:
> Checking running processes for deleted files [ None found ]
>
> But due to security concerns this is not an option for me.
>
> Any hints for a solution with full pathnames?
>

Can you run 'rkhunter --enable deleted_files --debug' please. This will
create a large output file in /tmp, can you email that to me (not the
list) please.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
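
An independent cross-check of the warning discussed in this thread, as an added example that is not part of the original messages and not rkhunter's own code: it walks the Linux /proc tree and lists the executable path, PID and file name for every open descriptor whose file has been unlinked, so the values can be compared with the log lines and the ALLOWPROCDELFILE entries. The function names are assumptions, and it should be run as root to see other users' processes.

```python
import os

DELETED = " (deleted)"  # suffix the Linux kernel appends to unlinked targets


def deleted_open_files(pids=None, proc="/proc"):
    """Return sorted (exe, pid, path) tuples for open files that were unlinked.

    exe is the target of /proc/<pid>/exe; if the binary itself was replaced
    on disk, that string also carries the " (deleted)" suffix.
    """
    if pids is None:
        pids = [int(d) for d in os.listdir(proc) if d.isdigit()]
    found = set()
    for pid in pids:
        base = os.path.join(proc, str(pid))
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            # Process exited, kernel thread, or insufficient privilege.
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue  # descriptor closed while we were scanning
            # Sockets and pipes do not start with "/"; skip them.
            if target.startswith("/") and target.endswith(DELETED):
                found.add((exe, pid, target[: -len(DELETED)]))
    return sorted(found)


def format_report(entries):
    """Render entries in the same field order as the log lines quoted above."""
    return ["Process: %s PID: %d File: %s" % e for e in entries]


if __name__ == "__main__":
    for line in format_report(deleted_open_files()):
        print(line)
```

If the executable path or file name printed here differs from what was put in the configuration (for example because of a symlinked directory), that difference is worth including when sending the debug output.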