Thanks, John. This solves my issue and I gained a knew knowledge about rkhunter. :) ________________________________ From: John Horne <john.ho...@plymouth.ac.uk> Sent: Wednesday, 30 October 2019 7:09 PM To: rkhunter-users@lists.sourceforge.net <rkhunter-users@lists.sourceforge.net> Subject: Re: [Rkhunter-users] How to whitelist a path in rkhunter 'running_procs' test?
On Wed, 2019-10-30 at 10:44 +0000, Finn Fausto wrote: > Hi! > > I have rootkit hunter running on one of my virtual machines. I'm getting a > result of: > > Info: Starting test name 'running_procs' > Checking running processes for suspicious files [ Warning ] > Warning: The following processes are using suspicious files: > Command: httpd.bin > UID: 0 PID: 1899 > Pathname: /opt/redmine/apache2/bin/httpd.bin > Possible Rootkit: IRC bot > > Yes, I'm using Redmine also for testing. And this is a false positive > detection by rkhunter, right? Since it is being used by Redmine. > I want rkhunter to skip the path of /opt/redmine/apache2/bin/httpd.bin when > my rkhunter script runs. > I already edit my rkhunter.conf and tried to put the path on EXISTWHITELIST, > SCRIPTWHITELIST, and ALLOWIPCPROC sections but I still get the warning. > > Cant find a reference on whitelisting a path that is located on /opt > directory. What variable in the rkhunter.conf should I use for whitelisting > the said path? > Use: RTKT_FILE_WHITELIST=/opt/redmine/apache2/bin/httpd.bin As the config file says though you may also want to ensure that the file is checked in the file properties check. For that add: USER_FILEPROP_FILES_DIRS=/opt/redmine/apache2/bin/httpd.bin John. -- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK ________________________________ [http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass> This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form. _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
