+++ This bug was initially created as a clone of Bug #857315 +++ Description of problem: rkhunter complains about the file /dev/md/autorebuild.pid. Version-Release number of selected component (if applicable): rkhunter-1.4.0-1.fc17.noarch How reproducible: Always on systems using md-raid Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: --- Additional comment from Kevin Fenzi on 2012-09-16 19:25:27 EDT --- I assume this is when a raid rebuild is in progress? I'll look at an update to whitelist this. Thanks. --- Additional comment from Kevin Fenzi on 2012-09-29 15:21:14 EDT --- Hum. Whats the exact complaint here from rkhunter? Does the file always exist? Or only during rebuilds? --- Additional comment from on 2012-10-01 01:44:28 EDT --- The file always exists on my system, even when no raid rebuild is ongoing. The exact message from rkhunter is: Warning: Suspicious file types found in /dev: /dev/md/autorebuild.pid: ASCII text # date Mo 1. Okt 07:43:07 CEST 2012 # uptime 07:43:10 up 8 days, 15:05, 13 users, load average: 0.73, 1.09, 1.00 # ls -l /dev/md/autorebuild.pid -rw-r--r--. 1 root root 4 22. Sep 16:38 /dev/md/autorebuild.pid # cat /dev/md/autorebuild.pid 642 # ps -p 642 PID TTY TIME CMD 642 ? 00:00:00 mdadm --- Additional comment from Fedora Update System on 2012-10-06 16:22:28 EDT --- rkhunter-1.4.0-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc18 --- Additional comment from Fedora Update System on 2012-10-06 16:55:10 EDT --- rkhunter-1.4.0-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-5.fc17 --- Additional comment from Fedora Update System on 2012-10-06 23:45:58 EDT --- Package rkhunter-1.4.0-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing rkhunter-1.4.0-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15573/rkhunter-1.4.0-5.fc18 then log in and leave karma (feedback). --- Additional comment from on 2012-10-17 14:35:53 EDT --- Thanks for the update, but this pointed out another problem with the package. If the package is updated, the inode of /usr/bin/rkhunter is not updated in the database resulting in another false positive: ---------------------- Start Rootkit Hunter Scan ---------------------- Warning: The file properties have changed: File: /usr/bin/rkhunter Current inode: 403066 Stored inode: 399786 The postinstall script should update the database. --- Additional comment from Kevin Fenzi on 2012-10-17 16:10:46 EDT --- I disagree. Only the admin who is managing the machine can confirm that they feel the machine is clean and run 'rkhunter --propupd'. I will not run this in a post, as that might result in an update showing a machine is clean, when it is not. When you do updates, it's up to you as admin to check them and propupd. --- Additional comment from Fedora Update System on 2012-12-20 11:01:56 EST --- rkhunter-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from manuel wolfshant on 2013-03-30 07:04:14 EDT --- Just for the record: I've seen this problem on several fully updated servers running CentOS 6.4 and rkhunter-1.4.0-1.el6. I guess something changed because I have never seen that file while the servers were running CentOS 6.3
rkhunter-1.4.0-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/rkhunter-1.4.0-2.el6
Package rkhunter-1.4.0-2.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing rkhunter-1.4.0-2.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5873/rkhunter-1.4.0-2.el6 then log in and leave karma (feedback).
rkhunter-1.4.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.