Hello fellow hunters,

We're running rkhunter on our machine and getting a "warnings found" message in our mailbox. Running rkhunter manually does not give any error. Combing through the logs shows:

    Warning: The following processes are using deleted files:
    [06:31:31] Process: /usr/sbin/cron PID: 1413 File: /tmp/tmpfYcsrQi
    [06:31:31] Process: /bin/dash PID: 1420 File: /tmp/tmpfYcsrQi
    [06:31:31] Process: /bin/run-parts PID: 1422 File: /tmp/tmpfYcsrQi

though, which does not seem very suspicious to me. Especially because this page: http://www.synology-forum.de/archive/index.html/t-7234.html (in German) suggests deactivating the mail messages as there are false positives.

I'd love to just add:

    ALLOWPROCDELFILE=/usr/sbin/cron
    ALLOWPROCDELFILE=/bin/dash
    ALLOWPROCDELFILE=/bin/run-parts

to our rkhunter.config. But I'm not sure if that's a security risk, as all of these can be used to run other programs very easily, right? Also, I didn't find anyone else having this problem, but I guess it should show up somewhere if it's OK to whitelist them, as these three are installed on quite a lot of machines, aren't they?

So:

Can I safely whitelist these processes? Is it the right way to silence the warnings?

The problem might also be coming from another script running at the same time. Does that seem likely to you?

Bonus question: How and why is a process using a deleted file anyway?

Thanks for ANY thought and/or opinion on that,
Andy

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
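On the bonus question and the whitelisting decision in the post above, an added example (not part of the original post and not rkhunter's own code): it groups the quoted warning lines by file to show that all three processes hold the same temp file, and shows on Linux how a process keeps using a file after its name is unlinked. The function names are hypothetical, `SAMPLE_LOG` is copied from the post, and a Linux `/proc` filesystem is assumed.

```python
import os, re, tempfile
from collections import defaultdict

# Sample input: the three warning lines quoted in the post above.
SAMPLE_LOG = """\
[06:31:31] Process: /usr/sbin/cron PID: 1413 File: /tmp/tmpfYcsrQi
[06:31:31] Process: /bin/dash PID: 1420 File: /tmp/tmpfYcsrQi
[06:31:31] Process: /bin/run-parts PID: 1422 File: /tmp/tmpfYcsrQi
"""
WARN_RE = re.compile(r"Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)")
SUFFIX = " (deleted)"  # the kernel appends this to /proc/<pid>/fd link targets

def group_by_file(log_text):
    """Map each deleted file to the (process, pid) pairs holding it open."""
    holders = defaultdict(list)
    for m in WARN_RE.finditer(log_text):
        holders[m.group(3)].append((m.group(1), int(m.group(2))))
    return dict(holders)

def deleted_open_files(pid):
    """Paths of unlinked files that `pid` still has open (needs Linux /proc)."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    try:
        fds = os.listdir(fd_dir)
    except OSError:              # process exited, or we lack permission
        return found
    for fd in fds:
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:          # fd was closed between listdir and readlink
            continue
        if target.endswith(SUFFIX):
            found.append(target[: -len(SUFFIX)])
    return found

def demo():
    """Open a temp file, unlink it, then read it back through the open fd."""
    fd, path = tempfile.mkstemp()
    path = os.path.realpath(path)    # /proc reports the resolved path
    os.write(fd, b"still here")
    os.unlink(path)                  # name removed; inode lives while fd is open
    os.lseek(fd, 0, os.SEEK_SET)
    data = os.read(fd, 32)
    held = path in deleted_open_files(os.getpid())
    os.close(fd)                     # last reference gone, space is freed
    return data, held

if __name__ == "__main__":
    print(group_by_file(SAMPLE_LOG))
    print(demo())
```

Running `deleted_open_files()` as root against the PIDs from a fresh warning shows which file each process holds before any `ALLOWPROCDELFILE` entry is added.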