On Tue, 2011-08-02 at 10:38 +0100, Arthur Dent wrote:
> On Tue, 2011-08-02 at 00:46 +0100, Arthur Dent wrote:
>
> > OK - Thanks John, that works.
>
> Ooops. Spoke too soon....
>
> From this morning's run:
>
> ---------------------- Start Rootkit Hunter Scan ----------------------
> Warning: The following processes are using deleted files:
> Process: /bin/bash PID: 2954 File: /tmp/fileFYLlb4
> Process: /bin/gawk PID: 3419 File: /tmp/fileFYLlb4
>
>
> From /etc/rkhunter.conf.local:
>
> ALLOWPROCDELFILE="/bin/bash:/tmp/file*"
> ALLOWPROCDELFILE="/bin/gawk:/tmp/file*"
>
> What gives?
>
Yeah, I noticed that yesterday, I'm not convinced that wildcarding works
with that option. It is something that I need to look at. For the moment
all I can suggest is either remove the wildcarding so that you just
whitelist bash and gawk or specify the exact filenames. However,
depending on how often the /tmp files change that may not work too well.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
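
A stand-alone cross-check for the whitelist entries discussed in this thread, added here as an example; it is not rkhunter's code and not from either poster. It assumes a Linux /proc, and treating the file part of each entry as a shell glob is the script's own assumption, not a statement of how rkhunter matches.

```sh
#!/bin/sh
# Added example, not rkhunter code. Entries use the "process:file" form quoted
# above; matching the file part as a shell glob is this script's assumption.
# /usr/sbin/exampled is a hypothetical process-only entry.
ALLOW='/bin/bash:/tmp/file*
/bin/gawk:/tmp/file*
/usr/sbin/exampled'

# is_allowed PROCESS FILE: exit status 0 if an allowlist entry covers the pair.
is_allowed() {
  ia_proc=$1 ia_file=$2
  while IFS= read -r ia_entry; do
    ia_eproc=${ia_entry%%:*}
    [ "$ia_eproc" = "$ia_proc" ] || continue
    # An entry without ":" allows every deleted file held by that process.
    if [ "$ia_entry" = "$ia_eproc" ]; then return 0; fi
    ia_glob=${ia_entry#*:}
    # Unquoted pattern: "*" here also matches "/" (no pathname semantics).
    case $ia_file in $ia_glob) return 0 ;; esac
  done <<EOF
$ALLOW
EOF
  return 1
}

# scan_proc: report open-but-deleted files that no entry covers.
scan_proc() {
  for sp_fd in /proc/[0-9]*/fd/*; do
    sp_target=$(readlink "$sp_fd" 2>/dev/null) || continue
    case $sp_target in *' (deleted)') ;; *) continue ;; esac
    sp_pid=${sp_fd#/proc/}; sp_pid=${sp_pid%%/*}
    sp_exe=$(readlink "/proc/$sp_pid/exe" 2>/dev/null) || continue
    sp_target=${sp_target%' (deleted)'}
    is_allowed "$sp_exe" "$sp_target" ||
      printf 'Process: %s PID: %s File: %s\n' "$sp_exe" "$sp_pid" "$sp_target"
  done
  return 0
}

# Run as "sh script scan" (as root to see every process) for a live check.
if [ "${1:-}" = scan ]; then scan_proc; fi
```

Anything this script still prints under `scan` is a process/file pair that none of the listed entries would cover even with working wildcards.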