On Sun, 2019-02-24 at 11:33 -0600, Patrick Kirchner wrote: > Hi, > > I have this warning, which is new for my system, this morning in the > rkhunter.log report. > > The contents of /var/run/udev.pid are just 3219, which matches the udevd > process: > > ps -ef |grep 3219 > root 3219 1 0 Feb23 ? 00:00:00 /sbin/udevd > > /sbin/udevd reports as an ELF binary: > > sudo file /sbin/udevd > /sbin/udevd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), > dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux > 3.2.0, stripped > > It looks to belong to the installed udevd package on my Gentoo system: > > equery b /sbin/udevd > * Searching for /sbin/udevd ... > sys-fs/eudev-3.2.5 (/sbin/udevd) > > Can I somehow safely whitelist this file in /etc/rkhunter.conf? I don't see > any other PID files whitelisted so I'm hesitant to do this. If so, is there > a special syntax for whitelisted a PID file as opposed to SCRIPTWHITELIST ? > Without installing gentoo, it is a bit difficult to see (using google) if udev creates a pid file in /run/udev. (My fedora system does not.) On the one hand if xorddos was present then I would have expected to have seen more than one warning (there are several checks for xorddos, so receiving just the one warning sways me towards a false-positive). On the other hand, why has this just started now? I assume you had udevd running before, and have run rkhunter on the system before. So why is the pid file only now created and detected? That seems suspicious.
In answer to your question though, take a look at the config option RTKT_FILE_WHITELIST. John. -- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK ________________________________ [http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass> This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form. _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users