Hi Anthony, 

I would start off by seeing what files the PID is opening to make sure it is 
truly being good: 

# lsof -p 1513 

To avoid these warnings, you can reconfigure rkhunter to ignore these false 
positives by editing the rkhunter.conf file: 
vi /etc/rkhunter.conf. 
RTKT_FILE_WHITELIST=" /var/log/pki-ca/system " 

Hope this helps. 

Norman "Mark" St. Laurent 
Federal Team: Senior Solutions Architect 
Red Hat 
8260 Greensboro Drive, Suite 300 
McLean VA, 22102 
Email: m...@redhat.com 
Cell: 703.772.1434 

Check this Link out!!! Cool Stuff: http://mil-oss.org/ 

----- Original Message -----

From: "Anthony Messina" <amess...@messinet.com> 
To: freeipa-users@redhat.com 
Sent: Friday, August 17, 2012 2:42:07 PM 
Subject: Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit" 

On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote: 
> I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running 
> well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA 
> server and each morning I receive the following report from rkhunter. 
> I imagine/hope that these are not actual rootkits and was wondering if 
> anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" 
> these as they seem like they would be a normal part of the IPA/CA process. 
> By the way, UID 995 is the pkiuser on my IPA system. 
> Thanks for any input. -A 
> rkhunter warning output follows: 
> Warning: The following processes are using suspicious files: 
> Command: java 
> UID: 995 PID: 1513 
> Pathname: /var/log/pki-ca/system 
> Possible Rootkit: Unknown rootkit 
> Command: java 
> UID: 1518 PID: 1513 
> Pathname: 14287633 
> Possible Rootkit: Unknown rootkit 

Is anyone able to offer some insight on this one? Perhaps there is some way 
to update the rkhunter configuration to 'allow' this behavior, if it's 
intended. Thanks. -A 

Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E 

Freeipa-users mailing list 
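
The check-then-whitelist procedure from the reply, as an added example that is not part of the thread: it parses an rkhunter "suspicious files" report, confirms from /proc (the same information `lsof -p` shows) that each PID really holds the flagged path open, and separates out entries like `14287633` that are not paths at all. The function names and the CANDIDATE/RECHECK/MANUAL labels are assumptions made for this example; the sample report is constructed from the warning quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). The sample report is constructed from
# the warning quoted in the original message.
SAMPLE_REPORT='Warning: The following processes are using suspicious files:
         Command: java
           UID: 995    PID: 1513
           Pathname: /var/log/pki-ca/system
           Possible Rootkit: Unknown rootkit
         Command: java
           UID: 1518    PID: 1513
           Pathname: 14287633
           Possible Rootkit: Unknown rootkit'

# Print one "command uid pid pathname" line per flagged entry read on stdin.
parse_rkhunter_warnings() {
  awk '
    /^[ \t]*Command:/  { cmd = $NF }
    /^[ \t]*UID:/      { for (i = 1; i < NF; i++) {
                           if ($i == "UID:") uid = $(i + 1)
                           if ($i == "PID:") pid = $(i + 1) } }
    /^[ \t]*Pathname:/ { sub(/^[ \t]*Pathname:[ \t]*/, ""); sub(/[ \t]+$/, "")
                         print cmd, uid, pid, $0 }'
}

# Succeed only if PID ($1) currently holds PATH ($2) open, read from /proc so
# it works without lsof. Linux only; needs permission to read /proc/PID/fd.
pid_holds_path() {
  for php_fd in /proc/"$1"/fd/*; do
    [ "$(readlink "$php_fd" 2>/dev/null)" = "$2" ] && return 0
  done
  return 1
}

# Classify each flagged entry read on stdin. Only absolute paths that the
# process really has open are reported as whitelist candidates.
review_warnings() {
  parse_rkhunter_warnings | while read -r cmd uid pid path; do
    case $path in
      /*) if pid_holds_path "$pid" "$path"; then
            echo "CANDIDATE $path (pid $pid, $cmd, uid $uid)"
          else
            echo "RECHECK $path (pid $pid does not hold it open now)"
          fi ;;
      *)  echo "MANUAL $path (not a path; inspect pid $pid by hand)" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_REPORT" | review_warnings
```

A CANDIDATE line only confirms that the named process holds that path open right now; whether the process itself is the expected pki-ca service is still checked by the operator before the path goes into RTKT_FILE_WHITELIST.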