[Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

Anthony Messina amessina at messinet.com
Fri Aug 17 19:59:35 UTC 2012


On Friday, August 17, 2012 03:25:45 PM Stephen Gallagher wrote:
> On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote:
> > On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
> > > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
> > > well.  I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
> > > server and each morning I receive the following report from rkhunter.
> > >
> > > 
> > >
> > > I imagine/hope that these are not actual rootkits and was wondering if
> > > anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind"
> > > these as they seem like they would be a normal part of the IPA/CA
> > > process.
> > >
> > > 
> > >
> > > By the way, UID 995 is the pkiuser on my IPA system.
> > >
> > > 
> > >
> > > Thanks for any input. -A
> > >
> > > 
> > > 
> > >
> > > rkhunter warning output follows:
> > > 
> > >
> > > Warning: The following processes are using suspicious files:
> > >          Command: java
> > >            UID: 995    PID: 1513
> > >            Pathname: /var/log/pki-ca/system
> > >            Possible Rootkit: Unknown rootkit
> > >          Command: java
> > >            UID: 1518    PID: 1513
> > >            Pathname: 14287633
> > >            Possible Rootkit: Unknown rootkit
> >
> > 
> >
> > Is anyone able to offer some insight on this one?  Perhaps there is some
> > way to update the rkhunter configuration to 'allow' this behavior, if
> > it's intended.  Thanks.  -A
> 
> This looks to me like it's a false positive. Please file a bug against
> the rkhunter package at bugzilla.redhat.com

Thank you: https://bugzilla.redhat.com/show_bug.cgi?id=849251

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
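Before telling rkhunter to ignore a "processes are using suspicious files" warning, it is worth checking what the flagged PID actually is. The script below is an added example for that triage step; it is not from the thread and not part of rkhunter, FreeIPA or Dogtag. It assumes a Linux /proc filesystem and uses rpm(8) only if it is installed. It resolves the executable behind the PID, names the package that owns it, and lists open file descriptors whose target has been unlinked; a bare number where a pathname is expected, like the second entry in the warning above, is one thing an unlinked-but-still-open file can produce in lsof-style output, so that list is worth reading before whitelisting (that reading of the number is my assumption, not something the thread establishes).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not rkhunter or FreeIPA
# code): triage a PID named in an rkhunter "suspicious files" warning
# before deciding it is a false positive.
# Assumes Linux /proc. rpm(8) is used only when present.

# Executable behind a PID, resolved through /proc/PID/exe.
# Fails (non-zero) if the PID is gone or not readable by this user.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Open file descriptors of a PID whose target has been unlinked. The kernel
# marks such link targets with a trailing " (deleted)".
# Output: one "<fd> -> <target>" line per deleted file, nothing otherwise.
deleted_fds_of_pid() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s -> %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# Package owning a path according to rpm, or "unknown" if rpm is absent
# or does not own the file (an unowned executable is itself a finding).
owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "unknown"
    else
        echo "unknown"
    fi
}

# Human-readable report for one PID; returns 1 if the PID cannot be resolved.
triage_pid() {
    pid=$1
    exe=$(exe_of_pid "$pid") || {
        echo "PID $pid: not running or /proc entry not readable"
        return 1
    }
    echo "PID $pid executable:  $exe"
    echo "owning package:       $(owner_package "$exe")"
    echo "deleted open files:"
    deleted_fds_of_pid "$pid" | sed 's/^/  /'
}

# Usage with the PID from the warning quoted in the thread:
#   triage_pid 1513
```

Run it as root, since /proc/PID/exe and /proc/PID/fd of another user's process (here the pkiuser-owned java process) are not readable otherwise. If the executable resolves to a packaged JVM and the deleted files are things like rotated logs or temporary files under the CA's own directories, the warning is consistent with the false-positive reading in the thread; if the executable is unowned or the open files point somewhere unexpected, dig further before whitelisting anything.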