Re: chkrootkit output
From: Deron Meranda (deron.meranda_at_gmail.com)
Date: 05/31/05
- Previous message: Paul Howarth: "Re: inputrc command"
- In reply to: Stuart Lowe: "Re: chkrootkit output"
Date: Tue, 31 May 2005 13:09:43 -0400
To: For users of Fedora Core releases <fedora-list@redhat.com>
On 5/31/05, Stuart Lowe <stuart@teksavvy.com> wrote:
> On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
> > On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
> > > | Checking `chkutmp'... The tty of the following user process(es) were
> > > not found
> > > | in /var/run/utmp !
> > > | ! RUID PID TTY CMD
> > > | ! root 4674 tty1 /sbin/mingetty tty1

This warning from chkrootkit can be ignored for getty-type
processes, such as /sbin/mingetty. It is normal behavior for a
getty process to be attached to a tty device, yet not have an
audit entry recorded in the utmp file. In fact, it is getty in
combination with login that creates those utmp entries. But
while getty is sitting on a tty device waiting for a user to log in,
the state that chkutmp reports is normal.

It is proper, though, that chkrootkit detects this sort of condition,
because it could indicate a process trying to "hide".
However, it should have the getty processes as an explicit
exception to the rule. But non-getty processes should be
reported.
-- Deron Meranda
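
The rule discussed in the message above, sketched as an added example (not part of the original message and not chkrootkit's code): report tty-attached processes with no utmp entry, but exempt getty-type processes. The function names, the `GETTY_PATHS` allowlist and the sample rows are assumptions constructed for illustration; only the `mingetty` row comes from the quoted output.

```python
# Assumption: full paths treated as getty-type programs on this host.
GETTY_PATHS = {"/sbin/mingetty", "/sbin/agetty", "/sbin/getty", "/sbin/mgetty"}

def parse_ps(text):
    """Parse 'RUID PID TTY CMD' rows (the columns chkutmp prints)."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # header or malformed row
        ruid, pid, tty, cmd = parts
        if tty not in ("?", "-"):  # keep only processes attached to a tty
            rows.append({"ruid": ruid, "pid": int(pid), "tty": tty, "cmd": cmd})
    return rows

def is_getty(proc):
    """Getty-type: allowlisted full path, with its own tty among its arguments."""
    argv = proc["cmd"].split()
    return argv[0] in GETTY_PATHS and proc["tty"] in argv[1:]

def unaccounted(ps_text, utmp_ttys):
    """Processes whose tty has no utmp entry, excluding getty-type ones."""
    return [p for p in parse_ps(ps_text)
            if p["tty"] not in utmp_ttys and not is_getty(p)]

# Constructed sample input; only the mingetty row is from the quoted output.
SAMPLE_PS = """\
RUID PID TTY CMD
root 4674 tty1 /sbin/mingetty tty1
alice 5120 pts/0 -bash
alice 5301 pts/0 vim notes.txt
bob 6002 pts/3 /usr/bin/python worker.py
root 6100 tty2 ./mingetty tty2
root 812 ? /usr/sbin/sshd
"""
SAMPLE_UTMP_TTYS = {"pts/0"}  # constructed: ttys that have a utmp entry

if __name__ == "__main__":
    for p in unaccounted(SAMPLE_PS, SAMPLE_UTMP_TTYS):
        print("! {ruid} {pid} {tty} {cmd}".format(**p))
```

The exemption matches on the full path rather than the program name, so the row that is merely named `mingetty` is still reported. On a live host the command text is whatever the process reports, so a check of this kind is stronger when the path is confirmed against `/proc/<pid>/exe`.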