Monday, August 7, 2017

Check rkhunter warnings For Deleted Files

logfile- /var/log/rkhunter.log starts
[partial starts]
[19:18:58] Info: Starting test name 'malware'
[19:18:58] Performing malware checks
[19:18:58] Info: Starting test name 'deleted_files'
[19:19:35]   Checking running processes for deleted files    [ Warning ]
[19:19:35] Warning: The following processes are using deleted files:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 1173    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/lib/evolution-data-server/evolution-source-registry    PID: 1194    File: /home/donato/.local/share/gvfs-metadata/home
[19:19:35]          Process: /usr/bin/python2.7    PID: 1472    File: /tmp/vteZY4V4Y
[19:19:35]          Process: /usr/bin/megasync    PID: 1484    File: /run/user/1000/wayland-cursor-shared-t6KVCM
[19:19:35]          Process: /usr/lib/tracker/tracker-extract    PID: 1491    File: /home/donato/.local/share/gvfs-metadata/root
[19:19:35]          Process: /usr/lib/evolution/evolution-alarm-notify    PID: 1492    File: /run/user/1000/wayland-cursor-shared-3IXo1U
[19:19:35]          Process: /usr/bin/gnome-software    PID: 1499    File: /run/user/1000/wayland-cursor-shared-VWIXlt
[19:19:35]          Process: /usr/lib/libreoffice/program/soffice.bin    PID: 1538    File: /run/user/1000/wayland-cursor-shared-RA1mRd
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
[19:19:36]          Process: /usr/bin/python3.6    PID: 17747    File: /dev/shm/org.chromium.OO0nrj
[19:19:36]          Process: /usr/bin/evolution    PID: 20854    File: /run/user/1000/wayland-cursor-shared-2ZlQUk
[19:19:36]          Process: /usr/lib/webkit2gtk-4.0/WebKitWebProcess    PID: 20894    File: /run/user/1000/wayland-cursor-shared-9nUAnZ
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 25985    File: /dev/shm/org.chromium.O45DxH
[19:19:36]          Process: /usr/bin/rhythmbox    PID: 30033    File: /run/user/1000/wayland-cursor-shared-DitbCG
[partial ends]
logfile-/var/log/rkhunter.log ends

I enabled ALLTEST in /etc/rkhunter.conf and put a # on the DISABLETEST list. I feel comfortable now that I have a handle on what I'm running on my system. I ran rkhunter and, as I expected, it gave me these warnings. All these processes are recognized and valid applications, and presumably they are deleting these respective files because they don't need them anymore. There's nothing to see here. These aren't the droids I'm looking for.

I have to whitelist these processes. The basic syntax for that job is: ALLOWPROCDELFILE=/path/to/process. To limit the entry to a specific deleted file, append the file path after a colon: ALLOWPROCDELFILE=/path/to/process:/path/to/

For example: [19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
append to /etc/rkhunter.conf

Another example: [19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
append to /etc/rkhunter.conf

You can also use * to represent any character.
Anytime you make changes to /etc/rkhunter.conf, don't forget to run the command: # rkhunter -C   # to check the config file
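
A helper for the whitelisting step above, added here as an example and not part of the original post or of rkhunter: it parses the deleted_files warnings and emits ALLOWPROCDELFILE lines only for processes you have already reviewed, pinning each entry to the file and using * for the random file-name suffix. The names triage, wildcard_tail, REVIEWED and EXPECTED_PREFIXES, the 6-character suffix heuristic, and the last sample log line are assumptions of this example.

```python
import re

# Matches the "Process: ... PID: ... File: ..." lines of the deleted_files test.
LINE_RE = re.compile(
    r"Process:\s+(?P<proc>.+?)\s+PID:\s+(?P<pid>\d+)\s+File:\s+(?P<file>.+?)\s*$", re.M)

# Assumption of this example: scratch locations where open-but-unlinked files are routine.
EXPECTED_PREFIXES = ("/tmp/", "/run/user/", "/dev/shm/")

def wildcard_tail(path):
    """Replace a mkstemp-style 6-character random suffix with '*'."""
    tail = path[-6:]
    looks_random = tail.isalnum() and any(c.isupper() or c.isdigit() for c in tail)
    # Never let '*' stand for a whole file name (e.g. /tmp/abc123 -> /tmp/*).
    if len(path) > 7 and looks_random and path[-7] != "/":
        return path[:-6] + "*"
    return path

def triage(log_text, reviewed_procs):
    """Return (config lines to append, findings left for manual review)."""
    allow, review = set(), []
    for m in LINE_RE.finditer(log_text):
        proc, pid, path = m["proc"], int(m["pid"]), m["file"]
        if proc not in reviewed_procs:
            review.append((proc, pid, path, "process not reviewed"))
        elif ":" in path:
            # ':' also separates process and file in the option, so write these by hand.
            review.append((proc, pid, path, "colon in file name"))
        elif not path.startswith(EXPECTED_PREFIXES):
            review.append((proc, pid, path, "unexpected location"))
        else:
            allow.add(f"ALLOWPROCDELFILE={proc}:{wildcard_tail(path)}")
    return sorted(allow), review

# Constructed sample: four lines from the log above plus one invented finding (last line).
SAMPLE = """\
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 25985    File: /dev/shm/org.chromium.O45DxH
[19:19:36]          Process: /opt/example/unknown-daemon    PID: 4242    File: /var/tmp/data.bin
"""
REVIEWED = {"/usr/bin/pulseaudio", "/usr/bin/gnome-shell", "/usr/lib/firefox/firefox"}

if __name__ == "__main__":
    lines, todo = triage(SAMPLE, REVIEWED)
    print("\n".join(lines + [f"REVIEW: {t}" for t in todo]))
```

Anything returned in the review list stays a warning until you have looked at it; append only the generated lines to /etc/rkhunter.conf and then run rkhunter -C.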

