I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA server and each morning I receive the following report from rkhunter. I imagine/hope that these are not actual rootkits and was wondering if anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" these as they seem like they would be a normal part of the IPA/CA process. By the way, UID 995 is the pkiuser on my IPA system.

The temporary solution was to add the following to rkhunter.conf:

# FreeIPA Certificate Authority
RTKT_FILE_WHITELIST="/var/log/pki-ca/system"

E-mail thread here:
https://www.redhat.com/archives/freeipa-users/2012-July/msg00183.html
https://www.redhat.com/archives/freeipa-users/2012-August/msg00146.html

rkhunter warning output follows:

Warning: The following processes are using suspicious files:
Command: java UID: 995 PID: 1513 Pathname: /var/log/pki-ca/system Possible Rootkit: Unknown rootkit
Command: java UID: 1518 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1523 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1524 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1525 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1526 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1527 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1528 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1529 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1530 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1531 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1540 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1541 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1557 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1558 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1559 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1560 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1561 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1628 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1629 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1636 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1638 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1641 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1643 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1646 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1648 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1651 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1653 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1654 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1655 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1658 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1660 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1662 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1663 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1664 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1665 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1666 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1667 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1668 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1670 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1671 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1672 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1673 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1674 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1675 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1676 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1677 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1678 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1679 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1680 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2254 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2255 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2256 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2257 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2418 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2419 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2420 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 2421 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
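Added example (not part of the original report and not rkhunter's own code): a small triage script that collapses a "suspicious files" report like the one above into one row per command, PID and pathname, and marks which rows an exact-match path whitelist accounts for. The sample text is a constructed excerpt in the report's layout; the `triage` helper and its status labels are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the report above (not a full capture).
SAMPLE = """\
Warning: The following processes are using suspicious files:
Command: java UID: 995 PID: 1513 Pathname: /var/log/pki-ca/system Possible Rootkit: Unknown rootkit
Command: java UID: 1518 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
Command: java UID: 1523 PID: 1513 Pathname: 14287633 Possible Rootkit: Unknown rootkit
"""

# Same path as the RTKT_FILE_WHITELIST workaround quoted in the report.
WHITELIST = {"/var/log/pki-ca/system"}

# Fields may be separated by spaces or newlines, so the pattern works on both
# the mailed (multi-line) report and a copy flattened onto one line.
ENTRY = re.compile(
    r"Command:\s*(?P<cmd>\S+)\s+UID:\s*(?P<uid>\d+)\s+PID:\s*(?P<pid>\d+)\s+"
    r"Pathname:\s*(?P<path>\S+)\s+"
    r"Possible Rootkit:\s*(?P<kit>.+?)(?=\s+Command:|\s*$)",
    re.S,
)

def triage(report, whitelist=WHITELIST):
    """Group entries by (command, pid, pathname) and classify each group."""
    groups = defaultdict(list)
    for m in ENTRY.finditer(report):
        key = (m["cmd"], int(m["pid"]), m["path"])
        groups[key].append(int(m["uid"]))
    rows = []
    for (cmd, pid, path), uids in sorted(groups.items()):
        if path in whitelist:                 # exact match only, no prefixes
            status = "whitelisted"
        elif not path.startswith("/"):        # e.g. the bare number 14287633
            status = "review: not an absolute path"
        else:
            status = "review: path not whitelisted"
        rows.append({"command": cmd, "pid": pid, "pathname": path,
                     "entries": len(uids), "uid_fields": sorted(set(uids)),
                     "status": status})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Rows marked "review" are the ones to check by hand against the owning process before extending the whitelist.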
/var/log/pki-ca/system seems like kind of a poor name for logs, but OK. I can add the whitelist and ask upstream about merging it in. Thanks for the report.
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17
Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).
I confirm this is fixed and can be closed.