Brian grabbed a keyboard and wrote:
> On Sun 04 Aug 2013 at 09:25:18 -0700, David Guntner wrote:
>
>> And the saga continues! :-)
>>
>> In this morning's reports, I found the following notation from rkhunter:
>>
>>> Warning: Hidden processes found:
>>> HIDDEN Processes Found: 1 sysinfo.procs = 519 ps_count = 521
>>
>> Is this anything I need to be worried about? And how do I go about
>> finding the "hidden" process? Is this a false positive that I should be
>> sticking something into the rkhunter.conf file to get it to ignore?
>
> Nobody should lose a moment's sleep over anything rkhunter reports. It
> appears to be designed to produce false positives and alarm its users.
> Best thing is to ignore anything it says. Purging it from the system
> brings total peace of mind.
lol - Don't sugar coat it, Brian; tell us how you *really* feel about
rkhunter. :-)
I've found in the past that it does have its uses once you tune the
.conf file to filter out the things that you expect to be there
(/etc/.java, etc.).
As an example, it calls attention to new users and groups which have
been created. Now, if I installed a new package that includes those
users/groups, that's great. But if I *haven't* done something which
would create a new user or group, I'm certainly going to want to know
about it, since that could be pointing to a bigger problem...
I see that I can turn off the hidden process check, but if possible, I'd
prefer to find a way to whitelist something that's supposed to be
hidden. Of course, if the silly thing isn't going to show me what the
hidden process is, it's not as useful. :-) I'll have to look into it
further before deciding if I want to turn that off (and for the record,
it's off by default when installed; I turned it on back in the squeeze
days (and didn't get it protesting about a hidden process then) because
it "seemed like a good idea" - if that's no longer the case, then I'll
turn that test back off).
--Dave
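Dave's question of which process is the "hidden" one is something a bare count comparison cannot answer. The script below is an added example written for this thread, not rkhunter's own code: it approximates the two views behind the warning (a kernel-side process count, taken here from /proc instead of sysinfo(), against what ps reports) and lists the PIDs that appear in only one view, so a difference can be traced to a specific process. Because the two snapshots are taken one after the other, any process that starts or exits in between (ps itself, the subshell running it) shows up as a difference, which is a common source of spurious counts; the constructed PID lists in the test stand in for real snapshots.

```shell
#!/bin/sh
# Compare the set of PIDs visible under /proc with the set ps reports,
# and name the PIDs that are present in only one of the two views.

# Snapshot both views back-to-back into files $1 (/proc) and $2 (ps).
# The gap between the two reads is unavoidable, so a few differences
# from short-lived processes are normal and not by themselves a finding.
snapshot_views() {
    ls -d /proc/[0-9]* 2>/dev/null | sed 's|^/proc/||' | sort -u > "$1"
    ps -e -o pid= 2>/dev/null | tr -d ' ' | sort -u > "$2"
}

# Print PIDs seen by /proc but not ps (the case a rootkit hiding from ps
# would produce), then PIDs seen by ps but not /proc (usually processes
# that appeared between the two snapshots). Both inputs must be sorted.
compare_views() {
    comm -23 "$1" "$2" | sed 's/^/proc-only /'
    comm -13 "$1" "$2" | sed 's/^/ps-only /'
}

# Mirror the two numbers rkhunter prints, then show which PIDs differ.
report_counts() {
    proc_n=$(wc -l < "$1" | tr -d ' ')
    ps_n=$(wc -l < "$2" | tr -d ' ')
    echo "proc_count = $proc_n ps_count = $ps_n"
    compare_views "$1" "$2"
}

# Run with --live to compare the real views on a Linux host.
if [ "${1:-}" = "--live" ]; then
    a=$(mktemp); b=$(mktemp)
    snapshot_views "$a" "$b"
    report_counts "$a" "$b"
    rm -f "$a" "$b"
fi
```

A proc-only PID that persists across several runs is the one worth inspecting (for example via its /proc/PID/exe, cmdline and status entries); ps-only PIDs that change on every run are the transient ones.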