Bug#816170: False positive deleted files after upgrade from wheezy to jessie
Klaus Ethgen
Klaus at Ethgen.de
Sun Feb 28 09:49:47 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: rkhunter
Version: 1.4.2-0.4
Severity: normal
First, that bug is from a stable (jessie) box, and I don't have any
stable box with configured mail, so no system information below.
Beside others I have the following lines in rkhunter.conf:
ALLOWPROCDELFILE="/bin/dash:/tmp/*"
ALLOWPROCDELFILE="/bin/run-parts:/tmp/*"
ALLOWPROCDELFILE="/usr/sbin/cron:/tmp/tmp*"
That worked well in wheezy and matches the documentation of that
parameter. Unfortunately, since upgrading to jessie I get many false
positives like this:
Warning: The following processes are using deleted files:
Process: /usr/sbin/cron PID: 2643 File: /tmp/tmpf1TLeZx
Process: /bin/dash PID: 2644 File: /tmp/tmpf1TLeZx
Process: /bin/run-parts PID: 2645 File: /tmp/tmpf1TLeZx
On other servers I get complaints about apache or dovecot or other server
processes holding open caches, tmp files or similar. All are excluded
like above with wildcards.
That is pretty annoying, and I even thought about raising the severity, as
all those false positives could hide really important and real security
issues.
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
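The report above shows three ALLOWPROCDELFILE entries and the warnings they should have suppressed. The following Python script is an added example, not part of the bug report and not rkhunter's own code: it re-implements the documented semantics of that option (an executable path, optionally followed by a colon and a glob for the deleted file) over the config lines and warning lines quoted in the report, plus one constructed warning that falls outside the allowlist. The glob semantics (shell-style matching via fnmatch, where "*" also spans "/") are an assumption made here; the extra warning line and the helper names are constructed for the example.

```python
"""Added example: minimal model of rkhunter's ALLOWPROCDELFILE filtering.

Not rkhunter's code. The config excerpt and the first three warning lines
are copied from the bug report; the fourth warning line is constructed.
Glob semantics (fnmatch, '*' may span '/') are an assumption.
"""
import fnmatch
import re

# rkhunter.conf excerpt as quoted in the report.
RKHUNTER_CONF = '''
ALLOWPROCDELFILE="/bin/dash:/tmp/*"
ALLOWPROCDELFILE="/bin/run-parts:/tmp/*"
ALLOWPROCDELFILE="/usr/sbin/cron:/tmp/tmp*"
'''

# Warning lines in the format rkhunter printed in the report.
# The last line is constructed and deliberately outside the allowlist.
WARNINGS = '''
Process: /usr/sbin/cron PID: 2643 File: /tmp/tmpf1TLeZx
Process: /bin/dash PID: 2644 File: /tmp/tmpf1TLeZx
Process: /bin/run-parts PID: 2645 File: /tmp/tmpf1TLeZx
Process: /usr/sbin/cron PID: 2700 File: /var/tmp/cache.bin
'''

# ALLOWPROCDELFILE="<exe>[:<file glob>]"  (quotes optional)
CONF_RE = re.compile(r'^\s*ALLOWPROCDELFILE="?([^":]+)(?::([^"]*))?"?\s*$')
# Process: <exe> PID: <pid> File: <path>
WARN_RE = re.compile(r'^Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)$')


def parse_allowlist(conf_text):
    """Return a list of (executable, file_glob) pairs.

    An entry with no ':pattern' part allows every deleted file for that
    executable, which is represented here as the glob '*'.
    """
    allow = []
    for line in conf_text.splitlines():
        m = CONF_RE.match(line)
        if m:
            exe, pattern = m.group(1), m.group(2)
            allow.append((exe, pattern if pattern else "*"))
    return allow


def parse_warnings(text):
    """Return a list of (executable, pid, deleted_path) tuples."""
    found = []
    for line in text.splitlines():
        m = WARN_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def is_allowed(exe, path, allow):
    """True if an allowlist entry names this executable exactly and its
    glob matches the deleted file path (case-sensitive fnmatch)."""
    return any(exe == a_exe and fnmatch.fnmatchcase(path, a_glob)
               for a_exe, a_glob in allow)


def remaining_warnings(conf_text, warning_text):
    """Warnings that survive filtering, i.e. what should still be reported."""
    allow = parse_allowlist(conf_text)
    return [(exe, pid, path)
            for exe, pid, path in parse_warnings(warning_text)
            if not is_allowed(exe, path, allow)]


if __name__ == "__main__":
    for exe, pid, path in remaining_warnings(RKHUNTER_CONF, WARNINGS):
        print(f"still flagged: {exe} (PID {pid}) uses deleted file {path}")
```

Run as-is, the three warnings quoted in the report are suppressed by the entries the report lists, and only the constructed /var/tmp case is still flagged. If a deployed check still reports the first three, the filter being applied differs from these documented semantics (for example a literal comparison instead of a glob match), which is the kind of regression the report describes.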