I know you are probably going to (gently) remind me that this is
probably an issue for the Fedora list, but following Kevin Fenzi's reply
to my previous thread, in which he said that the latest updates were
shortly about to go into the Fedora stable repository, I decided to do a
yum update. Whilst I am not afraid of installing packages from source,
where possible I prefer to keep to Fedora packages.

Anyway, the latest Fedora RKH does indeed deal with the "not a script"
problem, but now I get this on every run:

Warning: The following processes are using deleted files:
         Process: /usr/sbin/dovecot    PID: 709    File: /run/dovecot/login-master-notifyb6a920783290559f
         Process: /usr/bin/python    PID: 743    File: /tmp/ffixWTeCg
         Process: /usr/libexec/mysqld    PID: 1278    File: /tmp/ibNuqKo8
         Process: /usr/bin/pulseaudio    PID: 1738    File: /usr/bin/pulseaudio
         Process: /usr/sbin/anacron    PID: 27592    File: /tmp/fileqBEyva
         Process: /bin/bash    PID: 27935    File: /tmp/fileqBEyva
         Process: /usr/libexec/dovecot/imap-login    PID: 29074    File: /run/dovecot/login-master-notifyf79914a30abb39fe
         Process: /bin/gawk    PID: 29155    File: /tmp/fileqBEyva

Not in itself a problem, except when you look at my (unchanged for
months) /etc/rkhunter.conf.local file which is displayed in full below.
Note that almost all of the above should be allowed.

Have I messed something up, or is this version of RKH simply not
reading .conf.local?

Thanks

Mark


# cat /etc/rkhunter.conf.local
======================8<=======================================================

#DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
DISABLE_TESTS="apps"

PKGMGR=RPM

ALLOWHIDDENDIR="/etc/.java"
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENDIR="/dev/.mdadm"

ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"

ALLOWPROCDELFILE="/usr/libexec/mysqld"
ALLOWPROCDELFILE="/bin/mailx"
ALLOWPROCDELFILE="/usr/bin/mlogc"
ALLOWPROCDELFILE="/usr/bin/python"
ALLOWPROCDELFILE="/usr/sbin/dovecot"
ALLOWPROCDELFILE="/usr/libexec/dovecot/imap-login"
ALLOWPROCDELFILE="/usr/sbin/anacron"
ALLOWPROCDELFILE="/bin/bash /tmp/file*"
ALLOWPROCDELFILE="/bin/gawk /tmp/file*"

ALLOWDEVFILE="/dev/shm/pulse-shm-*"

SUSPSCAN_DIRS="/tmp /var/tmp"
======================8<=======================================================

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
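As an added example (not part of the original post and not rkhunter code), the cross-check the post describes can be scripted: parse the warning lines, parse the ALLOWPROCDELFILE entries, and see which reported processes are already listed. The function names are hypothetical, the sample input is constructed from lines quoted in the post, and treating only the first token of each value as the process path is an assumption of this sketch.

```python
import re
# Constructed sample input: a few of the warning and config lines quoted in the
# post, with one "File:" entry wrapped onto the next line as mail clients do.
WARNINGS = """\
Warning: The following processes are using deleted files:
         Process: /usr/sbin/dovecot    PID: 709    File:
/run/dovecot/login-master-notifyb6a920783290559f
         Process: /usr/libexec/mysqld    PID: 1278    File: /tmp/ibNuqKo8
         Process: /usr/bin/pulseaudio    PID: 1738    File: /usr/bin/pulseaudio
         Process: /bin/bash    PID: 27935    File: /tmp/fileqBEyva
"""
CONF = """\
ALLOWPROCDELFILE="/usr/libexec/mysqld"
ALLOWPROCDELFILE="/usr/sbin/dovecot"
ALLOWPROCDELFILE="/bin/bash /tmp/file*"
ALLOWDEVFILE="/dev/shm/pulse-shm-*"
"""

# \s+ also matches a newline, so wrapped "File:" entries still parse.
WARN_RE = re.compile(r"Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)")

def parse_warnings(text):
    """Return (process, pid, deleted_file) tuples from the warning text."""
    return [(m[1], int(m[2]), m[3]) for m in WARN_RE.finditer(text)]

def allowed_processes(conf_text, option="ALLOWPROCDELFILE"):
    """Collect process paths from uncommented `option` lines."""
    allowed = set()
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == option:
            # Assumption: the first whitespace-separated token is the process path.
            tokens = value.strip().strip("\"'").split()
            if tokens:
                allowed.add(tokens[0])
    return allowed

def triage(warn_text, conf_text):
    """Split reported processes into (listed, unlisted) against the config."""
    allowed = allowed_processes(conf_text)
    listed, unlisted = [], []
    for entry in parse_warnings(warn_text):
        (listed if entry[0] in allowed else unlisted).append(entry)
    return listed, unlisted

if __name__ == "__main__":
    for label, rows in zip(("listed, still reported", "not listed"), triage(WARNINGS, CONF)):
        for proc, pid, path in rows:
            print(f"{label}: {proc} (PID {pid}) -> {path}")
```

Entries in the first group are the ones to raise on the list: the option names them, yet the scan still reported them.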