
Check rkhunter warnings For Deleted Files

logfile- /var/log/rkhunter.log starts
[partial starts]
[19:18:58] Info: Starting test name 'malware'
[19:18:58] Performing malware checks
[19:18:58]
[19:18:58] Info: Starting test name 'deleted_files'
[19:19:35]   Checking running processes for deleted files    [ Warning ]
[19:19:35] Warning: The following processes are using deleted files:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 1173    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/lib/evolution-data-server/evolution-source-registry    PID: 1194    File: /home/donato/.local/share/gvfs-metadata/home
[19:19:35]          Process: /usr/bin/python2.7    PID: 1472    File: /tmp/vteZY4V4Y
[19:19:35]          Process: /usr/bin/megasync    PID: 1484    File: /run/user/1000/wayland-cursor-shared-t6KVCM
[19:19:35]          Process: /usr/lib/tracker/tracker-extract    PID: 1491    File: /home/donato/.local/share/gvfs-metadata/root
[19:19:35]          Process: /usr/lib/evolution/evolution-alarm-notify    PID: 1492    File: /run/user/1000/wayland-cursor-shared-3IXo1U
[19:19:35]          Process: /usr/bin/gnome-software    PID: 1499    File: /run/user/1000/wayland-cursor-shared-VWIXlt
[19:19:35]          Process: /usr/lib/libreoffice/program/soffice.bin    PID: 1538    File: /run/user/1000/wayland-cursor-shared-RA1mRd
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
[19:19:36]          Process: /usr/bin/python3.6    PID: 17747    File: /dev/shm/org.chromium.OO0nrj
[19:19:36]          Process: /usr/bin/evolution    PID: 20854    File: /run/user/1000/wayland-cursor-shared-2ZlQUk
[19:19:36]          Process: /usr/lib/webkit2gtk-4.0/WebKitWebProcess    PID: 20894    File: /run/user/1000/wayland-cursor-shared-9nUAnZ
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 25985    File: /dev/shm/org.chromium.O45DxH
[19:19:36]          Process: /usr/bin/rhythmbox    PID: 30033    File: /run/user/1000/wayland-cursor-shared-DitbCG
[partial ends]
logfile- /var/log/rkhunter.log ends


I enabled ALLTEST in /etc/rkhunter.conf and put a # on the DISABLETEST list. I feel comfortable now that I have a handle on what I'm running on my system. I ran rkhunter and, as I expected, it gave me these warnings. All these processes are recognized and valid applications, and presumably they are deleting these respective files because they don't need them anymore. There's nothing to see here. These aren't the droids I'm looking for.

I have to whitelist these processes. The basic syntax for that job is: ALLOWPROCDELFILE=/path/to/process. You can narrow the entry to one specific file with: ALLOWPROCDELFILE=/path/to/process:/path/to/filename.xxx.

For example, for this warning line:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
append to /etc/rkhunter.conf:
ALLOWPROCDELFILE=/usr/bin/pulseaudio

Another example, for this warning line:
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
append to /etc/rkhunter.conf:
ALLOWPROCDELFILE=/usr/bin/gnome-shell:/tmp/mutter-shared-67ER4Y

You can also use * as a wildcard to stand for any characters.
Anytime you make changes to /etc/rkhunter.conf, don't forget to run rkhunter -C (as root) to check the config file.
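As an added example (not from the original post), here is a small Python script that turns warning lines in the format quoted above into ALLOWPROCDELFILE entries, preferring the narrower process:file form and collapsing the random temp-file suffixes into the * wildcard; the log text embedded in it is a constructed sample, not the real log file.

```python
import re

# Matches the "Process: ... PID: ... File: ..." lines of rkhunter's deleted_files test.
LINE_RE = re.compile(
    r"Process:\s+(?P<proc>\S+)\s+PID:\s+(?P<pid>\d+)\s+File:\s+(?P<file>\S+)"
)

# Constructed sample in the format of the log quoted above (not the real log file).
SAMPLE_LOG = """\
[19:19:35] Warning: The following processes are using deleted files:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 1173    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/megasync    PID: 1484    File: /run/user/1000/wayland-cursor-shared-t6KVCM
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
"""


def parse_deleted_files(log_text):
    """Return sorted, de-duplicated (process, file) pairs from the warning lines."""
    pairs = {(m["proc"], m["file"]) for m in map(LINE_RE.search, log_text.splitlines()) if m}
    return sorted(pairs)


def generalize_path(path):
    """Replace a trailing mktemp-style 6-character suffix after '-' or '.' with '*',
    e.g. /tmp/mutter-shared-67ER4Y -> /tmp/mutter-shared-*; other names are kept as-is."""
    return re.sub(r"(?<=[-.])[A-Za-z0-9]{6}$", "*", path)


def whitelist_lines(pairs, generalize=True):
    """Build one ALLOWPROCDELFILE line per distinct process/file pattern.

    The process:file form is preferred because a bare process entry allows that
    process to use any deleted file.  File names that themselves contain ':' (the
    memfd case) would be ambiguous in the process:file form, so they fall back to
    the bare form, as the post's pulseaudio example does.
    """
    out = []
    for proc, path in pairs:
        pattern = generalize_path(path) if generalize else path
        line = f"ALLOWPROCDELFILE={proc}" if ":" in pattern else f"ALLOWPROCDELFILE={proc}:{pattern}"
        if line not in out:
            out.append(line)
    return out


if __name__ == "__main__":
    # Review each line against what you know the process is before appending it,
    # then run rkhunter -C to check the config file.
    print("\n".join(whitelist_lines(parse_deleted_files(SAMPLE_LOG))))
```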

