[Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
Mark St. Laurent
mstlaure at redhat.com
Fri Aug 17 18:59:31 UTC 2012
Hi Anthony,
I would start off by seeing what files the PID is opening to make sure it is truly being good:
#lsof -p 1513
To avoid these warnings, you can reconfigure rkhunter to ignore these false positives by editing the rkhunter.conf file:
vi /etc/rkhunter.conf.
RTKT_FILE_WHITELIST=" /var/log/pki-ca/system "
Hope this helps.
Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email: msl at redhat.com
Cell: 703.772.1434
Check this Link out!!! Cool Stuff: http://mil-oss.org/
----- Original Message -----
From: "Anthony Messina" <amessina at messinet.com>
To: freeipa-users at redhat.com
Sent: Friday, August 17, 2012 2:42:07 PM
Subject: Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
> well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
> server and each morning I receive the following report from rkhunter.
>
> I imagine/hope that these are not actual rootkits and was wondering if
> anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind"
> these as they seem like they would be a normal part of the IPA/CA process.
>
> By the way, UID 995 is the pkiuser on my IPA system.
>
> Thanks for any input. -A
>
>
> rkhunter warning output follows:
>
> Warning: The following processes are using suspicious files:
> Command: java
> UID: 995 PID: 1513
> Pathname: /var/log/pki-ca/system
> Possible Rootkit: Unknown rootkit
> Command: java
> UID: 1518 PID: 1513
> Pathname: 14287633
> Possible Rootkit: Unknown rootkit
Is anyone able to offer some insight on this one? Perhaps there is some way
to undate the rkhunter configuration to 'allow' this behavior, if it's
intended. Thanks. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120817/05ed7ff8/attachment.htm>
More information about the Freeipa-users
mailing list