Skip to main content

Check rkhunter warnings For Deleted Files

logfile- /var/log/rkhunter.log starts
[partial starts]
[19:18:58] Info: Starting test name 'malware'
[19:18:58] Performing malware checks
[19:18:58]
[19:18:58] Info: Starting test name 'deleted_files'
[19:19:35]   Checking running processes for deleted files    [ Warning ]
[19:19:35] Warning: The following processes are using deleted files:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 1173    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/lib/evolution-data-server/evolution-source-registry    PID: 1194    File: /home/donato/.local/share/gvfs-metadata/home
[19:19:35]          Process: /usr/bin/python2.7    PID: 1472    File: /tmp/vteZY4V4Y
[19:19:35]          Process: /usr/bin/megasync    PID: 1484    File: /run/user/1000/wayland-cursor-shared-t6KVCM
[19:19:35]          Process: /usr/lib/tracker/tracker-extract    PID: 1491    File: /home/donato/.local/share/gvfs-metadata/root
[19:19:35]          Process: /usr/lib/evolution/evolution-alarm-notify    PID: 1492    File: /run/user/1000/wayland-cursor-shared-3IXo1U
[19:19:35]          Process: /usr/bin/gnome-software    PID: 1499    File: /run/user/1000/wayland-cursor-shared-VWIXlt
[19:19:35]          Process: /usr/lib/libreoffice/program/soffice.bin    PID: 1538    File: /run/user/1000/wayland-cursor-shared-RA1mRd
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
[19:19:36]          Process: /usr/bin/python3.6    PID: 17747    File: /dev/shm/org.chromium.OO0nrj
[19:19:36]          Process: /usr/bin/evolution    PID: 20854    File: /run/user/1000/wayland-cursor-shared-2ZlQUk
[19:19:36]          Process: /usr/lib/webkit2gtk-4.0/WebKitWebProcess    PID: 20894    File: /run/user/1000/wayland-cursor-shared-9nUAnZ
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 25985    File: /dev/shm/org.chromium.O45DxH
[19:19:36]          Process: /usr/bin/rhythmbox    PID: 30033    File: /run/user/1000/wayland-cursor-shared-DitbCG
[partial ends]
logfile-/var/log/rkhunter.log ends


I enabled ALLTEST in /etc/rkhunter.conf and put a # on the DISABLETEST list. I feel comfortable now that I have a handle on what I'm running on my system. I ran rkhunter and as I expected it gave me these warnings. All these processes are recognized and valid applications and presumably they are deleting these respective files because they don't need it anymore. There's nothing to see here. These aren't the droids I'm looking for.

I have to whitelist these processes. The basic syntax for that job is : ALLOWPROCDELFILE=/path/to/process. You can specify the specific file with : ALLOWPROCDELFILE=/path/to/process:/path/to/filename.xxx.

For example: [19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
append to /etc/rkhunter.conf
ALLOWPROCDELFILE=/usr/bin/pulseaudio

Another example: [19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
append to /etc/rkhunter.conf
ALLOWPROCDELFILE=/usr/bin/gnome-shell:/tmp/mutter-shared-67ER4Y

You can also use * to represent any character.
Anytime you make changes to /etc/rkhunter.conf don't forget to run the command : #rkhunter -C #to check the config file


Comments

Post a Comment

Popular posts from this blog

ZFS Unable to System Snapshot, bpool is Full?

I first encountered the problem after a routine update / upgrade of the system. Well there was a kernel upgrade and I have not checked how many old kernels are still left for backups in /boot. Apparently, there was a few and the partition is 85% full. Every software update included a warning because of the restriction in disk space. Also, zfs could not create snapshots. It is also full. This is not very clear to me. Snapshots were suppose to be diff copies so why would it take up a large space. Most of the snapshots are less than 2MB. Or 0MB. Another problem that popped up is the constant freezing of Rhythmbox. I don't know if the config files are corrupted. The CPU cycles from one to the next. Peaks for 5-6 seconds then on to the next CPU. This forced me to download Clementine and Audacious. But both applications do not find the zfs pool or don't show the zfs structure. Why not? My final solution is to reinstall Rhythmbox via snaps. I re-scanned the music libr
Post a Comment
Read more

Renter's ID and Business Licensing 2023

Last year's business permit application involved an undertaking of submitting lessee list to the Barangay in order to get them ID's including one for the lessor himself. I received a letter of notification just before New Year's Day. It informed me that I might be denied renewal of permits because I did not comply with this undertaking. So the Renter's ID is a serious thing now. When I went ahead and applied for a business permit renewal at the local government office everything went well except they want my list of lessee. So I had to backtrack and go to the Barangay and submit the list. They produced the ID's and I provided the photo ID's and of course have it signed by the lessee. After that, they pointed me to the cashier to pay the taxes and permit fees which totaled php15,305.00 ($280.33) During the payment of Fire and Safety department, they reminded me to bring my fire extinguisher official receipts of payment. I can pick up my new pe
Post a Comment
Read more

How To Verify iso Image After Download In Linux

I assume that you have downloaded the image / iso file in a folder. Navigate to the folder where the iso is. You have to get the public gpg key for fedora downloads. [ donato@archdesktop Downloads]$ ls builds  debian-live--9.0.0-amd64-gnome  Fedora-Workstation-Live-x86_64-25  Fedora-Workstation-Live-x86_64-26 [ donato@archdesktop Downloads]$ cd Fedora-Workstation-Live-x86_64-26 [ donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ ls Fedora-Workstation-26-1.5-x86_64-CHECKSUM  Fedora-Workstation-Live-x86_64-26-1.5.iso [ donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ gpg --verify Fedora-Workstation-Live-x86_64-26-1.5.iso gpg: no valid OpenPGP data found. gpg: the signature could not be verified. Please remember that the signature file (.sig or .asc) should be the first file given on the command line. [ donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ ls Fedora-Workstation-26-1.5-x86_64-CHECKSUM  Fedora-Workstation-Live-x86_64-26-1.5.iso
Post a Comment
Read more