On 5/31/05, Stuart Lowe <stuart@xxxxxxxxxxxx> wrote:
> On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
> > On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
> > > | Checking `chkutmp'... The tty of the following user process(es) were not found
> > > | in /var/run/utmp !
> > > | ! RUID PID TTY CMD
> > > | ! root 4674 tty1 /sbin/mingetty tty1

This warning from chkrootkit can be ignored for getty-type processes,
such as /sbin/mingetty. It is normal behavior for a getty process to be
attached to a tty device, yet not have an audit entry recorded in the
utmp file. In fact, it is getty in combination with login that creates
those utmp entries. But while getty is sitting on a tty device waiting
for a user to log in, the state that chkutmp reports is normal.

It is proper that chkrootkit detects this sort of condition though,
because it could indicate a process trying to "hide". However it should
have the getty processes as an explicit exception to the rule. But
non-getty processes should be reported.

-- 
Deron Meranda
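
The rule described in the message above (report a process on a tty that has no utmp entry, except getty-type processes), as an added example that is not part of the original post and is not chkrootkit's code. The path list, function names and all sample rows other than the `/sbin/mingetty tty1` line are assumptions constructed for illustration.

```python
# Added illustration; not chkrootkit's code. Sample data below is constructed.

# Assumption: executable paths accepted as getty-type. Only /sbin/mingetty
# appears in the post; the other two are assumed for illustration.
GETTY_PATHS = {"/sbin/mingetty", "/sbin/agetty", "/sbin/getty"}

# Constructed rows in the "RUID PID TTY CMD" layout of the chkutmp warning.
SAMPLE_PS = """\
root  4674 tty1  /sbin/mingetty tty1
root  4675 tty2  /sbin/mingetty tty2
alice 5120 pts/0 -bash
bob   6001 pts/3 /usr/bin/python3 worker.py
root  812  ?     /usr/sbin/crond
"""
# Constructed: tty lines that currently have a login record in utmp.
SAMPLE_UTMP_TTYS = {"pts/0"}

def parse_ps(text):
    """Split each row into RUID, PID, TTY and the full command line."""
    rows = []
    for line in text.strip().splitlines():
        ruid, pid, tty, cmd = line.split(None, 3)
        rows.append({"ruid": ruid, "pid": int(pid), "tty": tty, "cmd": cmd})
    return rows

def is_getty(cmd):
    # Compare the whole reported path, not the basename, so a binary that is
    # merely named "mingetty" in some other directory is still reported.
    return cmd.split()[0] in GETTY_PATHS

def check(procs, utmp_ttys):
    """Return (ignored getty processes, processes to report)."""
    ignored, reported = [], []
    for p in procs:
        if p["tty"] == "?" or p["tty"] in utmp_ttys:
            continue  # no controlling tty, or the tty has a utmp entry
        (ignored if is_getty(p["cmd"]) else reported).append(p)
    return ignored, reported

if __name__ == "__main__":
    ignored, reported = check(parse_ps(SAMPLE_PS), SAMPLE_UTMP_TTYS)
    for p in ignored:
        print("getty, expected: %(ruid)s %(pid)d %(tty)s %(cmd)s" % p)
    for p in reported:
        print("NOT in utmp:     %(ruid)s %(pid)d %(tty)s %(cmd)s" % p)
```

The CMD column is whatever the process reports about itself, so a stricter exception would confirm the executable behind the PID (for example via `/proc/<pid>/exe` on Linux) before ignoring it.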