Bug#626643: rkhunter: Multiple ALLOWPROCDELFILE options not working anymore
Francois Marier
francois at debian.org
Fri May 13 22:54:10 UTC 2011
Package: rkhunter
Version: 1.3.8-4
Severity: normal
Among other things, when the daily cronjob runs, I get the following
processes with open deleted files:
Process: /usr/bin/kdeinit4 PID: 599 File: /dev/pts/2
Process: /usr/bin/gnome-terminal PID: 4971 File: /tmp/vteLAK4UV
If I put this in my /etc/rkhunter.conf.local:
ALLOWPROCDELFILE="/usr/bin/kdeinit4"
then the first one disappears and I'm left with:
Process: /usr/bin/gnome-terminal PID: 4971 File: /tmp/vteLAK4UV
However, if I put this in my /etc/rkhunter.conf.local:
ALLOWPROCDELFILE="/usr/bin/kdeinit4"
ALLOWPROCDELFILE="/usr/bin/gnome-terminal"
then none of them are filtered and I'm left with the original two:
Process: /usr/bin/kdeinit4 PID: 599 File: /dev/pts/2
Process: /usr/bin/gnome-terminal PID: 4971 File: /tmp/vteLAK4UV
The same problem exists if I merge the two options into a single option:
ALLOWPROCDELFILE="/usr/bin/kdeinit4 /usr/bin/gnome-terminal"
Cheers,
Francois
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.6-grsec+ (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rkhunter depends on:
ii binutils 2.21.51.20110421-3 The GNU assembler, linker and bina
ii debconf [debconf-2.0] 1.5.39 Debian configuration management sy
ii file 5.04-5+b1 Determines file type using "magic"
ii net-tools 1.60-23 The NET-3 networking toolkit
ii perl 5.10.1-20 Larry Wall's Practical Extraction
ii ucf 3.0025+nmu2 Update Configuration File: preserv
Versions of packages rkhunter recommends:
ii curl 7.21.6-1 Get a file from an HTTP, HTTPS or
ii iproute 20110315-1 networking and traffic control too
ii lsof 4.81.dfsg.1-1 List open files
ii postfix [mail-transport-ag 2.8.3-1 High-performance mail transport ag
pn unhide <none> (no description available)
pn unhide.rb <none> (no description available)
ii wget 1.12-3.1 retrieves files from the web
Versions of packages rkhunter suggests:
ii libdigest-sha1-perl 2.13-1 NIST SHA-1 message digest algorith
pn libdigest-whirlpool-per <none> (no description available)
ii liburi-perl 1.58-1 module to manipulate and access UR
ii libwww-perl 6.01-3 simple and consistent interface to
ii mailutils [mailx] 1:2.2+dfsg1-3+b1 GNU mailutils utilities for handli
ii powermgmt-base 1.31 Common utils and configs for power
pn tripwire <none> (no description available)
-- Configuration Files:
/etc/cron.daily/rkhunter changed [not included]
/etc/default/rkhunter changed [not included]
-- debconf information:
* rkhunter/apt_autogen: yes
* rkhunter/cron_daily_run: yes
* rkhunter/cron_db_update: yes
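
The filtering this report expects, as an added example that is not part of the original message and is not rkhunter's own code: every ALLOWPROCDELFILE line is collected, space-separated values are split, and a "Process:" entry is suppressed when its executable path matches exactly. The function names, the exact-match rule and the third sample process are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not rkhunter's code: the allow-list semantics the report expects.

# Print one allowed executable per line. The option may be repeated, and a
# single value may hold several space-separated paths.
collect_allowed() {   # $1: config file
    sed -n 's/^[[:space:]]*ALLOWPROCDELFILE=//p' "$1" |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the report lines that are NOT covered by the allow list.
filter_report() {     # $1: config file, $2: file of "Process: ..." lines
    allowed=$(collect_allowed "$1")
    while IFS= read -r line; do
        # In "Process: <exe> PID: <n> File: <path>", field 2 is the executable.
        exe=$(printf '%s\n' "$line" | awk '$1 == "Process:" { print $2 }')
        if [ -n "$exe" ] && printf '%s\n' "$allowed" | grep -qxF -- "$exe"; then
            continue      # exact path match: suppress this entry
        fi
        printf '%s\n' "$line"
    done < "$2"
}

# Constructed demo input: the two option styles and the two report lines quoted
# in the bug report, plus one made-up process that is on no allow list.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'ALLOWPROCDELFILE="/usr/bin/kdeinit4"' \
        'ALLOWPROCDELFILE="/usr/bin/gnome-terminal"' > "$dir/repeated.conf"
    printf '%s\n' 'ALLOWPROCDELFILE="/usr/bin/kdeinit4 /usr/bin/gnome-terminal"' \
        > "$dir/merged.conf"
    printf '%s\n' 'Process: /usr/bin/kdeinit4 PID: 599 File: /dev/pts/2' \
        'Process: /usr/bin/gnome-terminal PID: 4971 File: /tmp/vteLAK4UV' \
        'Process: /opt/constructed/example PID: 4242 File: /tmp/constructed' \
        > "$dir/report.txt"
    for conf in repeated merged; do
        echo "== $conf.conf leaves:"
        filter_report "$dir/$conf.conf" "$dir/report.txt"
    done
    rm -rf "$dir"
}
demo
```

Running the same filter over real rkhunter output after a configuration change shows which open-deleted-file warnings the allow list should have silenced, so a regression like this one does not bury an entry that matters.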