Bug 962809 - rkhunter complains about /dev/md/autorebuild.pid
rkhunter complains about /dev/md/autorebuild.pid
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: rkhunter (Show other bugs)
el6
i686 Linux
unspecified Severity low
: ---
: ---
Assigned To: Kevin Fenzi
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-14 09:24 EDT by Nerijus Baliūnas
Modified: 2013-06-04 20:48 EDT (History)
3 users (show)

See Also:
Fixed In Version: rkhunter-1.4.0-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 857315
Environment:
Last Closed: 2013-06-04 20:48:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nerijus Baliūnas 2013-05-14 09:24:16 EDT
+++ This bug was initially created as a clone of Bug #857315 +++

Description of problem:
rkhunter complains about the file  /dev/md/autorebuild.pid.

Version-Release number of selected component (if applicable):
rkhunter-1.4.0-1.fc17.noarch

How reproducible:
Always on systems using md-raid

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

--- Additional comment from Kevin Fenzi on 2012-09-16 19:25:27 EDT ---

I assume this is when a raid rebuild is in progress?

I'll look at an update to whitelist this. Thanks.

--- Additional comment from Kevin Fenzi on 2012-09-29 15:21:14 EDT ---

Hum. Whats the exact complaint here from rkhunter? 

Does the file always exist? Or only during rebuilds?

--- Additional comment from  on 2012-10-01 01:44:28 EDT ---

The file always exists on my system, even when no raid rebuild is ongoing.

The exact message from rkhunter is:

Warning: Suspicious file types found in /dev:
         /dev/md/autorebuild.pid: ASCII text


# date
Mo 1. Okt 07:43:07 CEST 2012
# uptime
 07:43:10 up 8 days, 15:05, 13 users,  load average: 0.73, 1.09, 1.00
# ls -l /dev/md/autorebuild.pid
-rw-r--r--. 1 root root 4 22. Sep 16:38 /dev/md/autorebuild.pid
# cat /dev/md/autorebuild.pid
642
# ps -p 642
  PID TTY          TIME CMD
  642 ?        00:00:00 mdadm

--- Additional comment from Fedora Update System on 2012-10-06 16:22:28 EDT ---

rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18

--- Additional comment from Fedora Update System on 2012-10-06 16:55:10 EDT ---

rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17

--- Additional comment from Fedora Update System on 2012-10-06 23:45:58 EDT ---

Package rkhunter-1.4.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18
then log in and leave karma (feedback).

--- Additional comment from  on 2012-10-17 14:35:53 EDT ---

Thanks for the update, but this pointed out another problem with the package.
If the package is updated, the inode of /usr/bin/rkhunter is not updated in the database resulting in another false positive:

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
         File: /usr/bin/rkhunter
         Current inode: 403066    Stored inode: 399786


The postinstall script should update the database.

--- Additional comment from Kevin Fenzi on 2012-10-17 16:10:46 EDT ---

I disagree. Only the admin who is managing the machine can confirm that they feel the machine is clean and run 'rkhunter --propupd'. I will not run this in a post, as that might result in an update showing a machine is clean, when it is not. 

When you do updates, it's up to you as admin to check them and propupd.

--- Additional comment from Fedora Update System on 2012-12-20 11:01:56 EST ---

rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from manuel wolfshant on 2013-03-30 07:04:14 EDT ---

Just for the record: I've seen this problem on several fully updated servers running CentOS 6.4 and rkhunter-1.4.0-1.el6. I guess something changed because I have never seen that file while the servers were running CentOS 6.3
Comment 1 Fedora Update System 2013-05-20 18:45:24 EDT
rkhunter-1.4.0-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rkhunter-1.4.0-2.el6
Comment 2 Fedora Update System 2013-05-20 21:45:41 EDT
Package rkhunter-1.4.0-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rkhunter-1.4.0-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5873/rkhunter-1.4.0-2.el6
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2013-06-04 20:48:18 EDT
rkhunter-1.4.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.