Re: [Freeipa-users] FreeIPA, rkhunter unknown rootkit

2012-08-17 Thread Anthony Messina
On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
 I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
 well.  I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
 server and each morning I receive the following report from rkhunter.
 
 I imagine/hope that these are not actual rootkits and was wondering if
 anyone knew of a way to inform rkhunter/rkhunter.conf to never mind
 these as they seem like they would be a normal part of the IPA/CA process.
 
 By the way, UID 995 is the pkiuser on my IPA system.
 
 Thanks for any input. -A
 
 
 rkhunter warning output follows:
 
 Warning: The following processes are using suspicious files:
   Command: java
     UID: 995    PID: 1513
     Pathname: /var/log/pki-ca/system
     Possible Rootkit: Unknown rootkit
   Command: java
     UID: 1518    PID: 1513
     Pathname: 14287633
     Possible Rootkit: Unknown rootkit

Is anyone able to offer some insight on this one?  Perhaps there is some way 
to update the rkhunter configuration to 'allow' this behavior, if it's 
intended.  Thanks.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA, rkhunter unknown rootkit

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote:


This looks to me like it's a false positive. Please file a bug against
the rkhunter package at bugzilla.redhat.com



Re: [Freeipa-users] FreeIPA, rkhunter unknown rootkit

2012-08-17 Thread Mark St. Laurent
Hi Anthony, 

I would start off by seeing what files the PID is opening to make sure it is 
truly being good: 

# lsof -p 1513


To avoid these warnings, you can reconfigure rkhunter to ignore these false 
positives by editing the rkhunter.conf file: 
vi /etc/rkhunter.conf
RTKT_FILE_WHITELIST=/var/log/pki-ca/system

Hope this helps. 




Norman Mark St. Laurent 
Federal Team: Senior Solutions Architect 
Red Hat 
8260 Greensboro Drive, Suite 300 
McLean VA, 22102 
Email: m...@redhat.com 
Cell: 703.772.1434 

Check this Link out!!! Cool Stuff: http://mil-oss.org/ 

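A small triage helper in the spirit of the advice above (check what the PID has open, then whitelist only what you have verified), added here as an example; it is not code from rkhunter or from anyone in this thread. It parses the warning block in the form rkhunter prints it, calls out entries whose UID is not the expected pkiuser UID (995 on the poster's system) or whose Pathname is not a filesystem path, and emits the matching RTKT_FILE_WHITELIST line. The expected UID, the list of verified paths and the sample warning text are assumptions constructed for the example.

```shell
# Triage helper for rkhunter "processes are using suspicious files" warnings.
# Added example, not code from rkhunter or from any post in this thread.
# Assumed (constructed): UID of the account that should own the process
# (995, pkiuser in the thread) and paths already verified with "lsof -p <PID>".
EXPECTED_UID=995
VERIFIED_PATHS="/var/log/pki-ca/system"
# Constructed copy of the warning block quoted in the thread.
SAMPLE_WARNING='Warning: The following processes are using suspicious files:
  Command: java
    UID: 995    PID: 1513
    Pathname: /var/log/pki-ca/system
    Possible Rootkit: Unknown rootkit
  Command: java
    UID: 1518    PID: 1513
    Pathname: 14287633
    Possible Rootkit: Unknown rootkit'
# parse_warning: warning text on stdin -> one "<cmd> <uid> <pid> <path>" per file.
parse_warning() {
    awk '$1 == "Command:"  { cmd = $2 }
         $1 == "UID:"      { uid = $2; pid = $4 }
         $1 == "Pathname:" { print cmd, uid, pid, $2 }'
}
# classify_record: a verified path is "whitelisted"; a bare number instead of a
# path cannot be whitelisted by path and needs the live process inspected;
# a UID other than the expected service account is always called out.
classify_record() {
    cmd=$1; uid=$2; pid=$3; path=$4
    verdict="review"
    case "$path" in
        /*) for p in $VERIFIED_PATHS; do
                if [ "$p" = "$path" ]; then verdict="whitelisted"; fi
            done ;;
        *)  verdict="review: not a filesystem path, inspect with lsof -p $pid" ;;
    esac
    if [ "$uid" != "$EXPECTED_UID" ]; then
        verdict="$verdict; UID $uid is not the expected UID $EXPECTED_UID"
    fi
    printf '%s pid=%s path=%s -> %s\n' "$cmd" "$pid" "$path" "$verdict"
}
# triage: parse and classify every record on stdin.
triage() {
    parse_warning | while read -r cmd uid pid path; do
        classify_record "$cmd" "$uid" "$pid" "$path"
    done
}
# whitelist_lines: rkhunter.conf entries for the verified paths, as in the thread.
whitelist_lines() {
    for p in $VERIFIED_PATHS; do printf 'RTKT_FILE_WHITELIST=%s\n' "$p"; done
}
printf '%s\n' "$SAMPLE_WARNING" | triage; whitelist_lines
```

Feed it the warning text from the rkhunter mail and only copy the emitted RTKT_FILE_WHITELIST lines into /etc/rkhunter.conf for paths you have actually looked at in the lsof output.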

Re: [Freeipa-users] FreeIPA, rkhunter unknown rootkit

2012-08-17 Thread Anthony Messina
On Friday, August 17, 2012 02:59:31 PM Mark St. Laurent wrote:

Thank you very much.  The process looks like it is truly being good.  And 
your solution worked perfectly.  -A





-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



Re: [Freeipa-users] FreeIPA, rkhunter unknown rootkit

2012-08-17 Thread Anthony Messina
On Friday, August 17, 2012 03:25:45 PM Stephen Gallagher wrote:

Thank you: https://bugzilla.redhat.com/show_bug.cgi?id=849251

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

