Bug 962809 - rkhunter complains about /dev/md/autorebuild.pid
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: rkhunter
Version: el6
Hardware: i686
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-05-14 13:24 UTC by Nerijus Baliūnas
Modified: 2013-06-05 00:48 UTC

Fixed In Version: rkhunter-1.4.0-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 857315
Environment:
Last Closed: 2013-06-05 00:48:18 UTC
Type: Bug
Embargoed:


Description Nerijus Baliūnas 2013-05-14 13:24:16 UTC
+++ This bug was initially created as a clone of Bug #857315 +++

Description of problem:
rkhunter complains about the file  /dev/md/autorebuild.pid.

Version-Release number of selected component (if applicable):
rkhunter-1.4.0-1.fc17.noarch

How reproducible:
Always on systems using md-raid

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

--- Additional comment from Kevin Fenzi on 2012-09-16 19:25:27 EDT ---

I assume this is when a raid rebuild is in progress?

I'll look at an update to whitelist this. Thanks.

--- Additional comment from Kevin Fenzi on 2012-09-29 15:21:14 EDT ---

Hum. What's the exact complaint here from rkhunter?

Does the file always exist? Or only during rebuilds?

--- Additional comment from  on 2012-10-01 01:44:28 EDT ---

The file always exists on my system, even when no raid rebuild is ongoing.

The exact message from rkhunter is:

Warning: Suspicious file types found in /dev:
         /dev/md/autorebuild.pid: ASCII text


# date
Mo 1. Okt 07:43:07 CEST 2012
# uptime
 07:43:10 up 8 days, 15:05, 13 users,  load average: 0.73, 1.09, 1.00
# ls -l /dev/md/autorebuild.pid
-rw-r--r--. 1 root root 4 22. Sep 16:38 /dev/md/autorebuild.pid
# cat /dev/md/autorebuild.pid
642
# ps -p 642
  PID TTY          TIME CMD
  642 ?        00:00:00 mdadm
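
The manual checks in the comment above (ls, cat, ps) gathered into one check to run before whitelisting a file that rkhunter flags under /dev. This is an added example, not part of the original comment or of rkhunter; the function name check_dev_pidfile, the PROC_ROOT override and the 16-byte size limit are assumptions of this sketch, and it reads Linux's /proc/<pid>/comm instead of calling ps.

```sh
#!/bin/sh
# Added example: triage a regular file that rkhunter flagged under /dev.
# PROC_ROOT is an assumption of this sketch: it defaults to /proc and can be
# pointed at a constructed tree for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# check_dev_pidfile FILE EXPECTED_COMM
# Returns 0 if FILE is a plausible pidfile for a live EXPECTED_COMM process,
# 2 if the recorded PID is not running (stale), 1 for anything else.
check_dev_pidfile() {
    file=$1; expected=$2

    # Must be a plain regular file; a symlink could point anywhere.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "SUSPICIOUS: $file is not a plain regular file"; return 1
    fi

    # The reported pidfile is 4 bytes; anything much larger is not a pidfile.
    size=$(( $(wc -c < "$file") ))
    if [ "$size" -gt 16 ]; then
        echo "SUSPICIOUS: $file is $size bytes, too large for a pidfile"; return 1
    fi

    # After stripping whitespace, the content must be decimal digits only.
    pid=$(tr -d ' \n\r\t' < "$file")
    case "$pid" in
        ''|*[!0-9]*) echo "SUSPICIOUS: $file does not hold a bare PID"; return 1 ;;
    esac

    # The PID must belong to the daemon that is supposed to own the file.
    if [ ! -r "$PROC_ROOT/$pid/comm" ]; then
        echo "STALE: $file names PID $pid, which is not running"; return 2
    fi
    comm=$(cat "$PROC_ROOT/$pid/comm")
    if [ "$comm" != "$expected" ]; then
        echo "SUSPICIOUS: PID $pid is '$comm', expected '$expected'"; return 1
    fi
    echo "OK: $file -> PID $pid ($comm)"
}

# Stand-alone use: sh check.sh /dev/md/autorebuild.pid mdadm
[ "$#" -eq 0 ] || check_dev_pidfile "$@"
```

A STALE result (exit code 2) is kept apart from SUSPICIOUS so that a pidfile left behind by a stopped daemon can be told from content that was never a pidfile.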

--- Additional comment from Fedora Update System on 2012-10-06 16:22:28 EDT ---

rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18

--- Additional comment from Fedora Update System on 2012-10-06 16:55:10 EDT ---

rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17

--- Additional comment from Fedora Update System on 2012-10-06 23:45:58 EDT ---

Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).

--- Additional comment from  on 2012-10-17 14:35:53 EDT ---

Thanks for the update, but this pointed out another problem with the package.
If the package is updated, the inode of /usr/bin/rkhunter is not updated in the database resulting in another false positive:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
         File: /usr/bin/rkhunter
         Current inode: 403066    Stored inode: 399786


The postinstall script should update the database.

--- Additional comment from Kevin Fenzi on 2012-10-17 16:10:46 EDT ---

I disagree. Only the admin who is managing the machine can confirm that they feel the machine is clean and run 'rkhunter --propupd'. I will not run this in a post, as that might result in an update showing a machine is clean, when it is not. 

When you do updates, it's up to you as admin to check them and propupd.

--- Additional comment from Fedora Update System on 2012-12-20 11:01:56 EST ---

rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from manuel wolfshant on 2013-03-30 07:04:14 EDT ---

Just for the record: I've seen this problem on several fully updated servers running CentOS 6.4 and rkhunter-1.4.0-1.el6. I guess something changed because I have never seen that file while the servers were running CentOS 6.3.

Comment 1 Fedora Update System 2013-05-20 22:45:24 UTC
rkhunter-1.4.0-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-2.el6

Comment 2 Fedora Update System 2013-05-21 01:45:41 UTC
Package rkhunter-1.4.0-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rkhunter-1.4.0-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5873/rkhunter-1.4.0-2.el6
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2013-06-05 00:48:18 UTC
rkhunter-1.4.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

