I am working to secure a fresh Debian LAMP deployment and decided to include rkhunter (v1.4.2) in my security solution.
I have run it using the following options:
rkhunter -c --enable all --disable none --skip-keypress
All checks passed or were skipped except for one, the deleted files check. After a quick look in the .log file I found the culprits to be:

[19:59:10] Info: Starting test name 'deleted_files'
[19:59:11] Checking running processes for deleted files [ Warning ]
[19:59:11] Warning: The following processes are using deleted files:
[19:59:11] Process: /usr/sbin/mysqld PID: 1480 File: /tmp/ib5VMAPQ
[19:59:11] Process: /usr/sbin/apache2 PID: 1792 File: /run/lock/apache2/ssl-cache.1247
[...] # a couple more repetitions here, with different PIDs
[19:59:11] Process: /usr/sbin/apache2 PID: 1813 File: /run/lock/apache2/ssl-cache.1247

I judged these to be harmless/legit and proceeded to whitelist these processes/files.
In /etc/rkhunter.conf I found the line #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* and un-commented it. I also added ALLOWPROCDELFILE=/usr/sbin/apache2:/run/lock/apache2/ssl-cache.* below the list of commented examples.
Unfortunately, when running rkhunter (with the same options) again I still receive the exact same warnings. Do I need to enable the whitelisting in general or do something else additionally?
Thank you in advance.

mti_
  • This was a known issue with RKH. Quote taken from my sourceforge ticket: `The CVS version has fixes in it for the ALLOWPROCDELFILE when using wildcards. (Bugs #114 and #129) The wildcard/globbing was being handled incorrectly.` – mti_ Apr 13 '16 at 14:51

1 Answer

ALLOWPROCDELFILE=/usr/sbin/mysqld
ALLOWPROCDELFILE=/usr/sbin/apache2

or

ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib5VMAPQ
ALLOWPROCDELFILE=/usr/sbin/apache2:/run/lock/apache2/ssl-cache.1247

The PID differs from case to case, so I think the second choice is not realistic. I'm not sure why RKH does not work correctly, but it does not seem to be expanding regexes in $ALLOWPROCDELFILE(S).

or

If you can rewrite the RKH script:

--- rkhunter        2015-12-07 03:28:53.000000000 +0900
+++ rkhunter.neu    2016-03-30 13:33:19.328416849 +0900
@@ -13395,7 +13395,7 @@
FNAMEGREP=`echo "${RKHTMPVAR3}" | sed -e 's/\([.$*?\\]\)/\\\\\1/g; s/\[/\\\\[/g; s/\]/\\\\]/g'`
- if [ -n "`echo \"${FNAME}\" | grep \"^${FNAMEGREP}$\"`" ]; then
+ if [ -n "`echo \"${FNAME}\" | grep \"^${RKHTMPVAR3}$\"`" ]; then
   PROCWHITELISTED=1
  fi
 else
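Review bot: the replacement line `grep \"^${RKHTMPVAR3}$\"` hands the raw ALLOWPROCDELFILE value to grep as a basic regular expression, which is not the glob syntax the configuration examples use: in a regex `*` repeats the preceding character, so `^/tmp/ib*$` matches `/tmp/i`, `/tmp/ib` or `/tmp/ibb` but still not `/tmp/ib5VMAPQ` from the question, while `ssl-cache.*` only works because `.` happens to match any character. Matching with the shell's own pattern syntax, e.g. `case "${FNAME}" in ${RKHTMPVAR3}) PROCWHITELISTED=1 ;; esac`, keeps the documented wildcard meaning and avoids passing unescaped configuration text to grep, where a stray `[` in an entry would become a grep error rather than a plain non-match. With the new line the `FNAMEGREP=` sed assignment in the context line above is no longer used and can be dropped.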
wraptop
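To make the matching difference concrete, here is an added example that is not rkhunter's own code: it contrasts the escaped-literal grep comparison that the original script line performs with shell glob matching via the `case` builtin, and wraps the latter in a small whitelist check over the two entries from the question. The function names (`literal_match`, `glob_match`, `proc_del_file_whitelisted`) and the `PROCESS:FILEPATTERN` entry format with an optional file part are assumptions made for this demo, not rkhunter's internals.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. It shows why an ALLOWPROCDELFILE
# entry such as /usr/sbin/mysqld:/tmp/ib* cannot match /tmp/ib5VMAPQ when the
# pattern is escaped into a literal regex, and how shell glob matching gives
# the intended result. Function names and the PROCESS:FILEPATTERN entry
# format (file part optional) are assumptions made for this demo.

# Literal comparison in the style of the original rkhunter line: every regex
# metacharacter in the entry is escaped, so '*' only ever matches a real '*'.
# Exit status 0 = match, 1 = no match.
literal_match() {
    fname="$1"
    pattern="$2"
    escaped=$(printf '%s\n' "$pattern" | sed -e 's/\([.$*?\\]\)/\\\1/g; s/\[/\\[/g; s/\]/\\]/g')
    printf '%s\n' "$fname" | grep -q "^${escaped}\$"
}

# Glob comparison using the shell's own pattern matching: '*' and '?' behave
# as they do in the commented rkhunter.conf examples, and nothing is handed
# to grep as a regex. Exit status 0 = match, 1 = no match.
glob_match() {
    fname="$1"
    pattern="$2"
    case "$fname" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed whitelist, one entry per line, using the two entries from the
# question (the same text the rkhunter.conf lines would carry).
ALLOWED_ENTRIES='/usr/sbin/mysqld:/tmp/ib*
/usr/sbin/apache2:/run/lock/apache2/ssl-cache.*'

# Returns 0 when PROC has a deleted file FNAME that some entry covers.
# An entry without a ':' part whitelists every deleted file of that process.
proc_del_file_whitelisted() {
    proc="$1"
    fname="$2"
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            *:*) eproc="${entry%%:*}"; epat="${entry#*:}" ;;
            *)   eproc="$entry";       epat='*' ;;
        esac
        [ "$eproc" = "$proc" ] || continue
        if glob_match "$fname" "$epat"; then
            return 0
        fi
    done <<EOF
$ALLOWED_ENTRIES
EOF
    return 1
}

# Demo over the two warnings from the question's log.
demo() {
    for pair in '/usr/sbin/mysqld /tmp/ib5VMAPQ' \
                '/usr/sbin/apache2 /run/lock/apache2/ssl-cache.1247'; do
        set -- $pair
        if proc_del_file_whitelisted "$1" "$2"; then
            echo "whitelisted (glob): $1 $2"
        else
            echo "WARNING (glob):     $1 $2"
        fi
    done
    # The literal approach rejects the wildcard entry for the mysqld file.
    if literal_match '/tmp/ib5VMAPQ' '/tmp/ib*'; then
        echo "literal: matched"
    else
        echo "literal: /tmp/ib* does not match /tmp/ib5VMAPQ"
    fi
}
demo
```

The `case` form is what a config-driven whitelist check should use: the entry stays a shell pattern, the file name is compared without any regex interpretation, and an odd character in a configuration line can at worst cause a non-match rather than a grep error.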