Brian grabbed a keyboard and wrote:
> On Sun 04 Aug 2013 at 09:25:18 -0700, David Guntner wrote:
>
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>
>>> Warning: Hidden processes found:
>>> HIDDEN Processes Found: 1 sysinfo.procs = 519 ps_count = 521
>>
>> Is this anything I need to be worried about? And how do I go about
>> finding the "hidden" process? Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
>
> Nobody should lose a moment's sleep over anything rkhunter reports. It
> appears to be designed to produce false positives and alarm its users.
> Best thing is to ignore anything it says. Purging it from the system
> brings total peace of mind.

lol - Don't sugar coat it, Brian; tell us how you *really* feel about rkhunter. :-)

I've found in the past that it does have its uses once you tune the .conf file to filter out the things that you expect to be there (/etc/.java, etc.). As an example, it calls attention to new users and groups which have been created. Now, if I installed a new package that includes those users/groups, that's great. But if I *haven't* done something which would create a new user or group, I'm certainly going to want to know about it, since that could be pointing to a bigger problem...

I see that I can turn off the hidden process check, but if possible, I'd prefer to find a way to whitelist something that's supposed to be hidden. Of course, if the silly thing isn't going to show me what the hidden process is, it's not as useful. :-) I'll have to look into it further before deciding if I want to turn that off (and for the record, it's off by default when installed; I turned it on back in the squeeze days (and didn't get it protesting about a hidden process then) because it "seemed like a good idea" - if that's no longer the case, then I'll turn that test back off).

--Dave