Description of problem:
rkhunter complains about the file /dev/md/autorebuild.pid.

Version-Release number of selected component (if applicable):
rkhunter-1.4.0-1.fc17.noarch

How reproducible:
Always on systems using md-raid

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I assume this is when a raid rebuild is in progress? I'll look at an update to whitelist this. Thanks.
Hmm. What's the exact complaint here from rkhunter? Does the file always exist? Or only during rebuilds?
The file always exists on my system, even when no raid rebuild is ongoing. The exact message from rkhunter is:

Warning: Suspicious file types found in /dev:
         /dev/md/autorebuild.pid: ASCII text

# date
Mo 1. Okt 07:43:07 CEST 2012
# uptime
 07:43:10 up 8 days, 15:05, 13 users,  load average: 0.73, 1.09, 1.00
# ls -l /dev/md/autorebuild.pid
-rw-r--r--. 1 root root 4 22. Sep 16:38 /dev/md/autorebuild.pid
# cat /dev/md/autorebuild.pid
642
# ps -p 642
  PID TTY          TIME CMD
  642 ?        00:00:00 mdadm
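The check behind the reporter's ps/cat sequence, written out as a small script. This is an added example, not part of the bug report or of the Fedora rkhunter package: before whitelisting a file that rkhunter flags under /dev, confirm that it is a plain numeric pidfile and that the PID it holds belongs to the daemon you expect (mdadm here), and only then emit the rkhunter.conf line that silences the warning. ALLOWDEVFILE is the rkhunter.conf directive for allowing a file under /dev; whether the Fedora update used exactly that directive is not stated in this report. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or the rkhunter package.
# Validate a suspicious /dev entry as a pidfile before whitelisting it.

# Print the command name of the process whose PID is stored in file $1.
# Fails (prints nothing) if $1 is not a regular file holding a single
# decimal PID, or if that PID is not running.
pidfile_comm() {
    f=$1
    [ -f "$f" ] || return 1
    pid=$(head -n1 "$f" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # not a bare PID: refuse to treat as a pidfile
    esac
    if [ -r "/proc/$pid/comm" ]; then
        cat "/proc/$pid/comm"
    else
        ps -o comm= -p "$pid" 2>/dev/null   # fallback where /proc is unavailable
    fi
}

# Return 0 when $1 is a pidfile whose process is named $2 (e.g. mdadm).
pidfile_owned_by() {
    comm=$(pidfile_comm "$1") || return 1
    [ "$comm" = "$2" ]
}

# Print the rkhunter.conf line that whitelists $1 as an allowed file in /dev.
allowdevfile_line() {
    printf 'ALLOWDEVFILE=%s\n' "$1"
}

# Usage on the reporter's system (run as root, review before appending):
#   if pidfile_owned_by /dev/md/autorebuild.pid mdadm; then
#       allowdevfile_line /dev/md/autorebuild.pid >> /etc/rkhunter.conf
#   fi
```

The point of the numeric check is that a file in /dev that merely contains "ASCII text" is exactly what rkhunter is warning about; a pidfile should contain nothing but a PID, and that PID should resolve to the process you think owns the file, otherwise the warning deserves a closer look rather than a whitelist entry.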
rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18
rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17
Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).
Thanks for the update, but this pointed out another problem with the package. If the package is updated, the inode of /usr/bin/rkhunter is not updated in the database, resulting in another false positive:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
         File: /usr/bin/rkhunter
         Current inode: 403066    Stored inode: 399786

The postinstall script should update the database.
I disagree. Only the admin who is managing the machine can confirm that they feel the machine is clean and run 'rkhunter --propupd'. I will not run this in a post, as that might result in an update showing a machine is clean, when it is not. When you do updates, it's up to you as admin to check them and propupd.
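The admin-driven workflow the maintainer describes, as an added example that is not part of this report or of the rkhunter package: pull the paths out of rkhunter's "file properties have changed" warnings, verify each one against the package database, and only then run 'rkhunter --propupd'. The function name is my own; the rkhunter options (--check, --sk, --rwo, --propupd) and rpm options (-qf, -Vf) are the tools' real ones, and the sample output in the test is constructed from the warning shown in the previous comment.

```shell
#!/bin/sh
# Added example, not from the bug report or the rkhunter package.
# Extract changed-file warnings from rkhunter output so each can be checked
# before the property database is refreshed.

# Print, one per line, every path named in a "file properties have changed"
# warning found in the rkhunter output file $1. The "File:" line follows
# the warning header in rkhunter's report format.
changed_files() {
    awk '
        /Warning: The file properties have changed/ { want = 1; next }
        want && $1 == "File:"                        { print $2; want = 0 }
    ' "$1"
}

# Usage after a package update (as root):
#   rkhunter --check --sk --rwo > /tmp/rkh.out 2>&1
#   changed_files /tmp/rkh.out | while read -r f; do
#       rpm -qf "$f" && rpm -Vf "$f"   # is the new file the package's own?
#   done
#   rkhunter --propupd   # only once every changed file is accounted for
```

Running --propupd unconditionally from a package script would record whatever is on disk as the baseline; doing it by hand after rpm -Vf has confirmed that each changed file matches its package keeps the database meaningful.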
rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Just for the record: I've seen this problem on several fully updated servers running CentOS 6.4 and rkhunter-1.4.0-1.el6. I guess something changed because I have never seen that file while the servers were running CentOS 6.3