Skip to main content

Check rkhunter warnings For Deleted Files

logfile- /var/log/rkhunter.log starts
[partial starts]
[19:18:58] Info: Starting test name 'malware'
[19:18:58] Performing malware checks
[19:18:58]
[19:18:58] Info: Starting test name 'deleted_files'
[19:19:35]   Checking running processes for deleted files    [ Warning ]
[19:19:35] Warning: The following processes are using deleted files:
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
[19:19:35]          Process: /usr/bin/pulseaudio    PID: 1173    File: /memfd:pulseaudio
[19:19:35]          Process: /usr/lib/evolution-data-server/evolution-source-registry    PID: 1194    File: /home/donato/.local/share/gvfs-metadata/home
[19:19:35]          Process: /usr/bin/python2.7    PID: 1472    File: /tmp/vteZY4V4Y
[19:19:35]          Process: /usr/bin/megasync    PID: 1484    File: /run/user/1000/wayland-cursor-shared-t6KVCM
[19:19:35]          Process: /usr/lib/tracker/tracker-extract    PID: 1491    File: /home/donato/.local/share/gvfs-metadata/root
[19:19:35]          Process: /usr/lib/evolution/evolution-alarm-notify    PID: 1492    File: /run/user/1000/wayland-cursor-shared-3IXo1U
[19:19:35]          Process: /usr/bin/gnome-software    PID: 1499    File: /run/user/1000/wayland-cursor-shared-VWIXlt
[19:19:35]          Process: /usr/lib/libreoffice/program/soffice.bin    PID: 1538    File: /run/user/1000/wayland-cursor-shared-RA1mRd
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 17646    File: /dev/shm/org.chromium.woa2Ti
[19:19:36]          Process: /usr/bin/python3.6    PID: 17747    File: /dev/shm/org.chromium.OO0nrj
[19:19:36]          Process: /usr/bin/evolution    PID: 20854    File: /run/user/1000/wayland-cursor-shared-2ZlQUk
[19:19:36]          Process: /usr/lib/webkit2gtk-4.0/WebKitWebProcess    PID: 20894    File: /run/user/1000/wayland-cursor-shared-9nUAnZ
[19:19:36]          Process: /usr/lib/firefox/firefox    PID: 25985    File: /dev/shm/org.chromium.O45DxH
[19:19:36]          Process: /usr/bin/rhythmbox    PID: 30033    File: /run/user/1000/wayland-cursor-shared-DitbCG
[partial ends]
logfile-/var/log/rkhunter.log ends


I enabled ALLTEST in /etc/rkhunter.conf and put a # on the DISABLETEST list. I feel comfortable now that I have a handle on what I'm running on my system. I ran rkhunter and as I expected it gave me these warnings. All these processes are recognized and valid applications and presumably they are deleting these respective files because they don't need it anymore. There's nothing to see here. These aren't the droids I'm looking for.

I have to whitelist these processes. The basic syntax for that job is : ALLOWPROCDELFILE=/path/to/process. You can specify the specific file with : ALLOWPROCDELFILE=/path/to/process:/path/to/filename.xxx.

For example: [19:19:35]          Process: /usr/bin/pulseaudio    PID: 784    File: /memfd:pulseaudio
append to /etc/rkhunter.conf
ALLOWPROCDELFILE=/usr/bin/pulseaudio

Another example: [19:19:35]          Process: /usr/bin/gnome-shell    PID: 1151    File: /tmp/mutter-shared-67ER4Y
append to /etc/rkhunter.conf
ALLOWPROCDELFILE=/usr/bin/gnome-shell:/tmp/mutter-shared-67ER4Y

You can also use * to represent any character.
Anytime you make changes to /etc/rkhunter.conf don't forget to run the command : #rkhunter -C #to check the config file


Comments

Post a Comment

Popular posts from this blog

Password Issues On Ubuntu Login

I found myself unable to enter my login credentials when prompted to do so in Ubuntu. I think I might have changed it then forget about it. I've been running the current session for more days than I should have. I forget. So what's the solution to my problem. How do I get in to my system now? It involved getting into the grub menu somehow. I am uncertain as to how to do that exactly in your system. So there's a couple of ways to do it (finger's crossed). When booting at system start, use the esc key or the shift key. The first one worked for me. The timing is key. Wait until the bios banner shows then hit the esc key once. I am using Ubuntu 22.04.4 here. I have a current version of grub. The grub menu will give you options and the one you want is: root. Yes you want root privileges to set the root password. It should give you a terminal access where you can issue commands. Type: #mount -rw -o -s remount / ==> this command mounts the filesyste...
Post a Comment
Read more

Reflections On My Blogging: Keeping It Honest

When you're facing a white, blank screen trying to decide what to write, it seemed hopeless and hopeful at the same time. It's like watching a boat with its sails unfurled but there's no wind, yet you wait and then see the tide turning. You have to stop the distractions. Shut the door. Wait until your breathing is regular and your mind relaxed, like your wrists on the table infront of you. I imagine me looking sideways but not hearing anything. The sounds come much later. I see the big mass of color first, the greens. Just the vegetation, moving, not even individual trees, not leaves, just the big green. Then behind it the blue sky, unfocused and floating. Do not concern your brain with the details. Forget the words and the punctuations. But be mindful of the flow, trace the outlines, hear the motions. Sometime these things don't have a name, give it a name. How do you give something a name and still be honest? How do you keep your writing honest? I...
Post a Comment
Read more

Webapps in Unity

So it has been 4 months since Ubuntu 14.04 came out. This is LTS and supported for 6 years by Canonical. The first mobile device with Ubuntu pre-installed is promised to come out later this year, 2014. It's time to check out how the apps perform so far. It is a good idea. I use Gmail and Twitter and Facebook. Why not a webapp in a desktop? So I start the Twitter and Gmail webapp. So far it has crashed my computer 6 times. Not a very good sign. On the other hand it does work but not as stable as opening them in Firefox. -- Use my PGP key if you want to encrypt your replies/messages to me. You are invited to also send me your PGP keys so we can communicate in private.
Post a Comment
Read more