Bug 857315
| Summary: | rkhunter complains about /dev/md/autorebuild.pid | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | redhat | |
| Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | low | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 17 | CC: | kevin | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | i686 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | | Doc Type: | Bug Fix | |
| Doc Text: | | Story Points: | --- | |
| Clone Of: | ||||
| : | 962809 | Environment: | ||
| Last Closed: | 2012-12-20 16:01:54 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Description
redhat
2012-09-14 05:48:03 UTC
I assume this is when a raid rebuild is in progress? I'll look at an update to whitelist this. Thanks.

Hum. What's the exact complaint here from rkhunter? Does the file always exist? Or only during rebuilds?

The file always exists on my system, even when no raid rebuild is ongoing.
The exact message from rkhunter is:
Warning: Suspicious file types found in /dev:
/dev/md/autorebuild.pid: ASCII text
# date
Mo 1. Okt 07:43:07 CEST 2012
# uptime
07:43:10 up 8 days, 15:05, 13 users, load average: 0.73, 1.09, 1.00
# ls -l /dev/md/autorebuild.pid
-rw-r--r--. 1 root root 4 22. Sep 16:38 /dev/md/autorebuild.pid
# cat /dev/md/autorebuild.pid
642
# ps -p 642
PID TTY TIME CMD
642 ? 00:00:00 mdadm
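
The manual check in the comment above (read the PID from the flagged file, confirm it belongs to mdadm) can be scripted before a file under /dev is whitelisted. This is an added example, not part of the bug report or of rkhunter: the function name `check_dev_pidfile`, its verdict strings and the optional `PROC_ROOT` argument are assumptions, it reads the Linux `/proc/<pid>/comm` file instead of calling `ps`, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage a regular file that rkhunter flags under /dev.
# Usage: check_dev_pidfile FILE EXPECTED_COMM [PROC_ROOT]
# PROC_ROOT (assumption) lets the check run against a constructed tree.
check_dev_pidfile() {
    file=$1 want=$2 proc=${3:-/proc}

    # A PID file is a plain file, never a symlink to something else.
    if [ -L "$file" ] || [ ! -f "$file" ]; then echo "not-regular-file"; return 1; fi

    # World-writable means any local user could have planted the content.
    if [ -n "$(find "$file" -perm -002)" ]; then echo "world-writable"; return 1; fi

    # A PID plus newline is a few bytes; anything bigger is not a PID file.
    if [ "$(( $(wc -c < "$file") ))" -gt 16 ]; then echo "too-large"; return 1; fi

    # Content must be digits only (command substitution drops the final newline).
    pid=$(cat "$file")
    case $pid in
        ''|*[!0-9]*) echo "not-a-pid"; return 1 ;;
    esac

    # The PID must belong to a live process with the expected name.
    if [ ! -r "$proc/$pid/comm" ]; then echo "stale-pid:$pid"; return 1; fi
    comm=$(cat "$proc/$pid/comm")
    if [ "$comm" != "$want" ]; then echo "unexpected-process:$comm"; return 1; fi

    echo "ok:$pid:$comm"
}

# Constructed sample mirroring the report: PID 642 belongs to mdadm.
demo=$(mktemp -d)
mkdir -p "$demo/dev/md" "$demo/proc/642"
echo 642 > "$demo/dev/md/autorebuild.pid"
chmod 644 "$demo/dev/md/autorebuild.pid"
echo mdadm > "$demo/proc/642/comm"
check_dev_pidfile "$demo/dev/md/autorebuild.pid" mdadm "$demo/proc"
rm -rf "$demo"
```

On a live system the call is `check_dev_pidfile /dev/md/autorebuild.pid mdadm`. For a file that passes, the rkhunter.conf setting that whitelists a path under /dev is `ALLOWDEVFILE`.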
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18

rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17

Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).

Thanks for the update, but this pointed out another problem with the package.
If the package is updated, the inode of /usr/bin/rkhunter is not updated in the database resulting in another false positive:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
File: /usr/bin/rkhunter
Current inode: 403066 Stored inode: 399786
The postinstall script should update the database.
I disagree. Only the admin who is managing the machine can confirm that they feel the machine is clean and run 'rkhunter --propupd'. I will not run this in a post, as that might result in an update showing a machine is clean, when it is not. When you do updates, it's up to you as admin to check them and propupd.

rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Just for the record: I've seen this problem on several fully updated servers running CentOS 6.4 and rkhunter-1.4.0-1.el6. I guess something changed because I have never seen that file while the servers were running CentOS 6.3.