Thanks John. I stopped the udev service and the pid file disappeared so I'm confident that the /var/run/udev.pid file belongs to the udev service. I'm not sure why this would have just suddenly appeared as I *think* I had udev already installed and running.

For now I've added RTKT_FILE_WHITELIST=/var/run/udev.pid to my /etc/rkhunter.conf file and a subsequent scan came back without any warnings. Thanks again for the assistance and insight.

Patrick.

On Sun, Feb 24, 2019 at 5:56 PM John Horne <john.ho...@plymouth.ac.uk> wrote:
> On Sun, 2019-02-24 at 11:33 -0600, Patrick Kirchner wrote:
> > Hi,
> >
> > I have this warning, which is new for my system, this morning in the rkhunter.log report.
> >
> > The contents of /var/run/udev.pid are just 3219, which matches the udevd process:
> >
> > ps -ef |grep 3219
> > root 3219 1 0 Feb23 ? 00:00:00 /sbin/udevd
> >
> > /sbin/udevd reports as an ELF binary:
> >
> > sudo file /sbin/udevd
> > /sbin/udevd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
> >
> > It looks to belong to the installed udevd package on my Gentoo system:
> >
> > equery b /sbin/udevd
> > * Searching for /sbin/udevd ...
> > sys-fs/eudev-3.2.5 (/sbin/udevd)
> >
> > Can I somehow safely whitelist this file in /etc/rkhunter.conf? I don't see any other PID files whitelisted so I'm hesitant to do this. If so, is there a special syntax for whitelisting a PID file as opposed to SCRIPTWHITELIST?
> >
> Without installing gentoo, it is a bit difficult to see (using google) if udev creates a pid file in /run/udev. (My fedora system does not.)
> On the one hand if xorddos was present then I would have expected to have seen more than one warning (there are several checks for xorddos, so receiving just the one warning sways me towards a false-positive).
> On the other hand, why has this just started now? I assume you had udevd running before, and have run rkhunter on the system before. So why is the pid file only now created and detected? That seems suspicious.
>
> In answer to your question though, take a look at the config option RTKT_FILE_WHITELIST.
>
>
>
> John.
> --
> John Horne | Senior Operations Analyst | Technology and Information Services
> University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
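The triage steps the thread walks through by hand (read the PID from the file, confirm that process is alive, resolve its executable, and only then write the RTKT_FILE_WHITELIST line) as an added shell example; this is not code from the thread or from rkhunter itself. It assumes a Linux system with /proc, and the function names are my own.

```shell
#!/bin/sh
# Added example: check a PID file flagged by rkhunter before whitelisting it.
# Assumes Linux /proc. Function names are hypothetical, not rkhunter's.

# pidfile_owner PIDFILE
# Prints "<pid> <exe>" for the process named in PIDFILE. Returns 1 if the
# file is unreadable, does not hold a single integer, or the process is gone.
pidfile_owner() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content
    esac
    [ -d "/proc/$pid" ] || return 1
    exe=$(readlink "/proc/$pid/exe") || return 1
    printf '%s %s\n' "$pid" "$exe"
}

# pidfile_matches PIDFILE EXPECTED_EXE
# Returns 0 only if the live process behind PIDFILE is running EXPECTED_EXE
# (e.g. /sbin/udevd). readlink appends " (deleted)" when the on-disk binary
# was replaced after the process started; that is a mismatch, not a service.
pidfile_matches() {
    owner=$(pidfile_owner "$1") || return 1
    exe=${owner#* }
    [ "$exe" = "$2" ]
}

# whitelist_line PIDFILE
# Prints the /etc/rkhunter.conf line the thread settled on for a verified file.
whitelist_line() {
    printf 'RTKT_FILE_WHITELIST=%s\n' "$1"
}

# Manual use on the system from the thread:
#   pidfile_matches /var/run/udev.pid /sbin/udevd && whitelist_line /var/run/udev.pid
```

On Gentoo, `equery b "$(readlink /proc/<pid>/exe)"` is the package-ownership check from the thread to run before trusting the match.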