I am working to secure a fresh Debian LAMP deployment and decided to include rkhunter (v1.4.2) in my security solution.
I have run it using the following options:
rkhunter -c --enable all --disable none --skip-keypress
All checks completed positive or skipped but for one, the deleted files check.
After a quick look in the .log file I found the culprits to be:
[19:59:10] Info: Starting test name 'deleted_files'
[19:59:11] Checking running processes for deleted files [ Warning ]
[19:59:11] Warning: The following processes are using deleted files:
[19:59:11] Process: /usr/sbin/mysqld PID: 1480 File: /tmp/ib5VMAPQ
[19:59:11] Process: /usr/sbin/apache2 PID: 1792 File: /run/lock/apache2/ssl-cache.1247
[…] # a couple more repetitions here, with different PIDs
[19:59:11] Process: /usr/sbin/apache2 PID: 1813 File: /run/lock/apache2/ssl-cache.1247
I judged these to be harmless/legit and proceeded to whitelist these processes/files.
In /etc/rkhunter.conf
I found the line
#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
and un-commented it. I also added ALLOWPROCDELFILE=/usr/sbin/apache2:/run/lock/apache2/ssl-cache.*
below the list of commented examples.
Unfortunately, when running rkhunter (with the same options) again I still receive the exact same warnings.
Do I need to enable the whitelisting in general or do something else additionally?
Thank you in advance.
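A way to sanity-check which of the logged deleted-file warnings an ALLOWPROCDELFILE list would cover, as an added example that is not part of the original post and not rkhunter's own code. It assumes the `process:file` value format from the config file, with the file part treated as a shell-style glob (the commented `/tmp/ib*` example suggests that), and it uses constructed sample data: the config fragment and the log excerpt below are built from the lines quoted in the question plus one invented line for a process that no rule covers.

```python
import fnmatch
import re

# Constructed sample config fragment (not the poster's full rkhunter.conf).
SAMPLE_CONF = """\
# Example shipped commented out in rkhunter.conf (inactive):
#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
ALLOWPROCDELFILE=/usr/sbin/apache2:/run/lock/apache2/ssl-cache.*
"""

# Constructed sample log excerpt in the rkhunter.log format quoted in the
# question; the last line is invented to show a hit that no rule explains.
SAMPLE_LOG = """\
[19:59:11] Warning: The following processes are using deleted files:
[19:59:11] Process: /usr/sbin/mysqld PID: 1480 File: /tmp/ib5VMAPQ
[19:59:11] Process: /usr/sbin/apache2 PID: 1792 File: /run/lock/apache2/ssl-cache.1247
[19:59:11] Process: /usr/sbin/apache2 PID: 1813 File: /run/lock/apache2/ssl-cache.1247
[19:59:11] Process: /usr/bin/example-daemon PID: 2001 File: /tmp/unexpected
"""

PROC_LINE = re.compile(r"Process:\s+(\S+)\s+PID:\s+(\d+)\s+File:\s+(\S+)")


def parse_allow_rules(conf_text):
    """Return (process, file_glob) pairs from active ALLOWPROCDELFILE lines.

    Assumption: the value is 'process:file' and the file part is a shell-style
    glob. A missing file part is treated as '*' (any deleted file of that
    process), which is the broadest and least desirable kind of rule.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry: not active
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "ALLOWPROCDELFILE":
            continue
        proc, _, pattern = value.strip().partition(":")
        rules.append((proc, pattern or "*"))
    return rules


def parse_warnings(log_text):
    """Extract (process, pid, file) triples from 'Process: ... File: ...' lines."""
    hits = []
    for line in log_text.splitlines():
        match = PROC_LINE.search(line)
        if match:
            hits.append(match.groups())
    return hits


def is_allowed(proc, path, rules):
    """True if a rule names this exact process and its glob matches the path."""
    return any(proc == rule_proc and fnmatch.fnmatchcase(path, rule_glob)
               for rule_proc, rule_glob in rules)


def unexplained(log_text, conf_text):
    """Warnings that no active rule covers, i.e. what still needs a look."""
    rules = parse_allow_rules(conf_text)
    return [(proc, pid, path) for proc, pid, path in parse_warnings(log_text)
            if not is_allowed(proc, path, rules)]


if __name__ == "__main__":
    for proc, pid, path in unexplained(SAMPLE_LOG, SAMPLE_CONF):
        print(f"unexplained: {proc} (PID {pid}) -> {path}")
```

The point of keying rules on the process path plus a narrow file glob, rather than on PIDs, is that PIDs change on every restart while the socket or lock-file naming does not. If a warning is covered by this model but rkhunter still reports it, the difference lies in how rkhunter itself matches the entry (the answer below reports exactly that), so the fix is on the rkhunter side, not a wider glob: a `process:*` rule silences every future deleted-file use by that process, which is precisely what the check exists to surface.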
Best Answer
or
The PID differs from case to case, so I think the second choice is not realistic. I'm not sure why RKH does not work correctly, but it does not seem to be expanding regexes in $ALLOWPROCDELFILE(S).
or
If you can rewrite RKH script